Arch Linux

FS#68356 - [qemu] CVE-2020-14364 CVE-2020-25625 CVE-2020-25624

Attached to Project: Arch Linux
Opened by loqs (loqs) - Wednesday, 21 October 2020, 03:33 GMT
Last edited by David Runge (dvzrv) - Sunday, 07 February 2021, 16:40 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: Tobias Powalowski (tpowa), Anatol Pomozov (anatolik), Levente Polyak (anthraxx)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No


An out-of-bounds read/write access flaw was found in the USB emulator of QEMU. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. [1] Fixed by [2].

An infinite loop issue was found in the USB OHCI controller emulator of QEMU. It could occur while servicing OHCI isochronous transfer descriptors (TD) in the ohci_service_iso_td routine, as it retires a TD if it has passed its time frame. While doing so it does not check if the TD was already processed once and holds an error code in TD_CC. It may happen if the TD list has a loop. A guest user/process may use this flaw to consume CPU cycles on the host, resulting in a DoS scenario. [3] Fixed by [4].

A flaw was found in QEMU. An out-of-bounds read/write access issue was found in the USB OHCI controller emulator. The issue could occur while servicing transfer descriptors (TD), as the OHCI controller derives the variables 'start_addr', 'end_addr', and 'len' from values supplied by the host controller driver. The host controller driver may supply values such that using these variables leads to an out-of-bounds access, allowing a guest user/process to crash the QEMU process on the host, resulting in a denial of service (DoS) scenario. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. [5] Fixed by [6].

Additional info:
* qemu 5.1.0-1
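The setup_len problem described for CVE-2020-14364 above, as an added C model. This is not QEMU's code: the field names setup_len and data_buf[4096] come from the description, but the functions, the USB_RET_* status values, the assumption that the length was committed to device state before being bounds-checked, and the guest token sequence are all constructed for this example. The vulnerable-shaped handler stalls an oversized SETUP but leaves setup_len poisoned, so the later IN stage walks past data_buf; the hardened handler validates in a local and only then commits. The unsafe copy is replaced by a tripwire return so the demonstration does not itself corrupt memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a USB device's control-transfer state (example code, not QEMU's). */
#define DATA_BUF_SIZE 4096
#define USB_RET_STALL (-3)   /* assumed status for a rejected SETUP */
#define USB_RET_OOB   (-99)  /* tripwire: where the real copy would run past data_buf */

typedef struct {
    uint8_t setup_buf[8];
    uint8_t data_buf[DATA_BUF_SIZE];
    int     setup_len;    /* bytes the data stage is expected to move */
    int     setup_index;  /* bytes moved so far */
} UsbDev;

/* wLength from a SETUP packet: bytes 6..7, little endian, up to 65535. */
static int setup_wlength(const uint8_t setup[8]) {
    return (setup[7] << 8) | setup[6];
}

/* Vulnerable-shaped handling (assumed): setup_len is committed to device
 * state before the bound is checked, so a STALL still leaves a poisoned length. */
static int do_token_setup_vuln(UsbDev *s, const uint8_t setup[8]) {
    memcpy(s->setup_buf, setup, 8);
    s->setup_len   = setup_wlength(setup);
    s->setup_index = 0;
    if (s->setup_len > DATA_BUF_SIZE) {
        return USB_RET_STALL;  /* rejected, but setup_len already holds e.g. 65535 */
    }
    return 0;
}

/* Hardened handling: validate in a local and commit only in-bounds values. */
static int do_token_setup_fixed(UsbDev *s, const uint8_t setup[8]) {
    int len = setup_wlength(setup);
    if (len > DATA_BUF_SIZE) {
        return USB_RET_STALL;  /* device state untouched */
    }
    memcpy(s->setup_buf, setup, 8);
    s->setup_len   = len;
    s->setup_index = 0;
    return 0;
}

/* IN data stage: hand up to `len` bytes of data_buf to the guest. Returns
 * bytes copied, or USB_RET_OOB where the real memcpy would read past the
 * end of data_buf (the tripwire stands in for the unsafe access). */
static int do_token_in(UsbDev *s, uint8_t *out, int len) {
    int remaining = s->setup_len - s->setup_index;
    if (len > remaining) len = remaining;
    if (len <= 0) return 0;
    if (s->setup_index + len > DATA_BUF_SIZE) return USB_RET_OOB;
    memcpy(out, s->data_buf + s->setup_index, len);
    s->setup_index += len;
    return len;
}

/* A guest issuing one SETUP with the given wLength, then IN tokens of
 * `chunk` (<= DATA_BUF_SIZE) bytes until the device has nothing left.
 * A hostile guest ignores the STALL and keeps sending IN tokens.
 * Returns total bytes copied, or USB_RET_OOB. */
static int guest_sequence(bool fixed, uint16_t wlength, int chunk) {
    UsbDev dev;
    memset(&dev, 0, sizeof dev);
    /* constructed GET_DESCRIPTOR-shaped packet; only wLength matters here */
    uint8_t setup[8] = { 0x80, 0x06, 0x00, 0x01, 0x00, 0x00,
                         (uint8_t)(wlength & 0xff), (uint8_t)(wlength >> 8) };
    if (fixed) do_token_setup_fixed(&dev, setup);
    else       do_token_setup_vuln(&dev, setup);
    uint8_t out[DATA_BUF_SIZE];
    int total = 0;
    for (;;) {
        int r = do_token_in(&dev, out, chunk);
        if (r == USB_RET_OOB) return USB_RET_OOB;
        if (r == 0) return total;
        total += r;
    }
}

int main(void) {
    printf("vulnerable, wLength=65535: %d\n", guest_sequence(false, 0xFFFF, 512));
    printf("fixed,      wLength=65535: %d\n", guest_sequence(true,  0xFFFF, 512));
    printf("fixed,      wLength=4096:  %d\n", guest_sequence(true,  4096,   512));
    return 0;
}
```

With wLength=65535 the vulnerable path trips after exactly 4096 bytes have been handed out, while the hardened path moves nothing because the stalled SETUP never changed setup_len; a wLength that fits the buffer behaves identically in both.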

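The two OHCI issues above, CVE-2020-25625 (a TD list that loops back on itself and is serviced forever because an already-retired TD is not recognised) and CVE-2020-25624 (start_addr, end_addr and len taken from guest-written descriptors without range checks), share one root: every word of a transfer descriptor is guest-controlled. The added C model below is not QEMU's code; the guest RAM size, the simplified TD layout, the 8 KiB per-TD limit and the SVC_* status codes are assumptions. It services a TD list with the checks the descriptions call for: descriptor pointers are validated before being dereferenced, a TD whose condition code shows it was already retired stops the walk, and buffer start/end are checked against guest RAM and the host bounce buffer before any length is derived from them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of OHCI transfer-descriptor servicing (example code, not QEMU's). */
#define GUEST_RAM_SIZE     0x10000u  /* 64 KiB of modelled guest RAM (assumption) */
#define TD_SIZE            16u
#define MAX_TD_BYTES       8192u     /* assumed size of the host-side bounce buffer */
#define TD_CC_NOT_ACCESSED 0xFu      /* condition code of a TD the controller has not touched */
#define TD_CC_NO_ERROR     0x0u

enum { SVC_OK = 0,
       SVC_BAD_TD_PTR = -1,    /* TD address unaligned or outside guest RAM */
       SVC_ALREADY_DONE = -2,  /* list led back to a TD that was already retired */
       SVC_BAD_ADDR = -3,      /* buffer start/end outside RAM, or start > end */
       SVC_TOO_LONG = -4 };    /* buffer longer than the bounce buffer */

typedef struct {
    uint32_t flags;    /* bits 28..31 hold the condition code (CC) */
    uint32_t cbp;      /* current buffer pointer (guest physical); 0 = no data */
    uint32_t next_td;  /* next TD in the list; 0 terminates */
    uint32_t be;       /* buffer end, inclusive */
} OhciTd;

typedef struct { int status; int tds; uint32_t bytes; } SvcResult;

static uint32_t rd32(const uint8_t *ram, uint32_t a) { uint32_t v; memcpy(&v, ram + a, 4); return v; }
static void     wr32(uint8_t *ram, uint32_t a, uint32_t v) { memcpy(ram + a, &v, 4); }

/* Fetch a TD, rejecting pointers that would read outside the RAM array. */
static int td_read(const uint8_t *ram, uint32_t addr, OhciTd *td) {
    if (addr % TD_SIZE != 0 || addr > GUEST_RAM_SIZE - TD_SIZE) return SVC_BAD_TD_PTR;
    td->flags = rd32(ram, addr);       td->cbp = rd32(ram, addr + 4);
    td->next_td = rd32(ram, addr + 8); td->be  = rd32(ram, addr + 12);
    return SVC_OK;
}

/* Stand-in for the guest driver writing a not-yet-accessed TD into its RAM. */
static void td_write(uint8_t *ram, uint32_t addr, uint32_t cbp, uint32_t next_td, uint32_t be) {
    wr32(ram, addr, TD_CC_NOT_ACCESSED << 28);
    wr32(ram, addr + 4, cbp); wr32(ram, addr + 8, next_td); wr32(ram, addr + 12, be);
}

static void td_retire(uint8_t *ram, uint32_t addr, uint32_t cc) {
    wr32(ram, addr, (rd32(ram, addr) & 0x0fffffffu) | (cc << 28));
}

/* Walk the list from `head`, copy each buffer into `bounce`, retire the TD.
 * Guest-supplied values are checked before they become an index or length,
 * and an already-retired TD ends the walk, which makes a looped list finite. */
static SvcResult ohci_service_td_list(uint8_t *ram, uint32_t head, uint8_t *bounce) {
    SvcResult r = { SVC_OK, 0, 0 };
    for (uint32_t addr = head; addr != 0; ) {
        OhciTd td;
        if ((r.status = td_read(ram, addr, &td)) != SVC_OK) return r;
        if ((td.flags >> 28) != TD_CC_NOT_ACCESSED) { r.status = SVC_ALREADY_DONE; return r; }
        if (td.cbp != 0) {
            uint32_t start = td.cbp, end = td.be;
            if (start > end || end >= GUEST_RAM_SIZE) { r.status = SVC_BAD_ADDR; return r; }
            uint32_t len = end - start + 1;   /* cannot wrap: start <= end < GUEST_RAM_SIZE */
            if (len > MAX_TD_BYTES) { r.status = SVC_TOO_LONG; return r; }
            memcpy(bounce, ram + start, len);
            r.bytes += len;
        }
        td_retire(ram, addr, TD_CC_NO_ERROR);
        r.tds++;
        addr = td.next_td;
    }
    return r;
}

/* Constructed guest RAM images exercising the checks above. */
static SvcResult run_scenario(int kind) {
    static uint8_t ram[GUEST_RAM_SIZE], bounce[MAX_TD_BYTES];
    memset(ram, 0, sizeof ram);
    switch (kind) {
    case 0:  /* benign: two TDs of 64 and 16 bytes, null-terminated list */
        td_write(ram, 0x100, 0x2000, 0x110, 0x203F);
        td_write(ram, 0x110, 0x3000, 0x000, 0x300F); break;
    case 1:  /* CVE-2020-25625 shape: the second TD points back at the first */
        td_write(ram, 0x100, 0x2000, 0x110, 0x203F);
        td_write(ram, 0x110, 0x3000, 0x100, 0x300F); break;
    case 2:  /* CVE-2020-25624 shape: end_addr beyond guest RAM */
        td_write(ram, 0x100, 0xFF00, 0x000, 0x1FFFF); break;
    case 3:  /* start_addr > end_addr: an unchecked end - start + 1 would wrap */
        td_write(ram, 0x100, 0x2000, 0x000, 0x1FFF); break;
    case 4:  /* inside RAM but 8193 bytes, one more than the bounce buffer */
        td_write(ram, 0x100, 0x1000, 0x000, 0x3000); break;
    default: /* next_td pointing outside guest RAM */
        td_write(ram, 0x100, 0x2000, 0xFFFFFFF0u, 0x203F); break;
    }
    return ohci_service_td_list(ram, 0x100, bounce);
}

int main(void) {
    for (int k = 0; k < 6; k++) {
        SvcResult r = run_scenario(k);
        printf("scenario %d: status %d, %d TDs, %u bytes\n", k, r.status, r.tds, r.bytes);
    }
    return 0;
}
```

Scenario 1 is the one that would spin forever without the condition-code check: both TDs are serviced once, then the walk reaches the first TD again, sees it retired and stops. Scenarios 2 to 5 each fail closed before any guest-derived value is used as an offset into host memory.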
Closed by David Runge (dvzrv)
Sunday, 07 February 2021, 16:40 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with qemu 5.2.0-1