FS#68356 - [qemu] CVE-2020-14364 CVE-2020-25625 CVE-2020-25624
Attached to Project:
Arch Linux
Opened by loqs (loqs) - Wednesday, 21 October 2020, 03:33 GMT
Last edited by David Runge (dvzrv) - Sunday, 07 February 2021, 16:40 GMT
Opened by loqs (loqs) - Wednesday, 21 October 2020, 03:33 GMT
Last edited by David Runge (dvzrv) - Sunday, 07 February 2021, 16:40 GMT
|
Details
Description:
CVE-2020-14364 An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.[1] Fixed by [2]. CVE-2020-25625 An infinite loop issue was found in the USB OHCI controller emulator of QEMU. It could occur while servicing OHCI isochronous transfer descriptors (TD) in ohci_service_iso_td routine, as it retires a TD if it has passed its time frame. While doing so it does not check if the TD was already processed ones and holds an error code in TD_CC. It may happen if the TD list has a loop. A guest user/process may use this flaw to consume cpu cycles on the host resulting in a DoS scenario. [3] Fixed by [4]. CVE-2020-25624 A flaw was found in QEMU. An out-of-bounds read/write access issue was found in the USB OHCI controller emulator. The issue could occur while servicing transfer descriptors (TD), as OHCI controller derives variables 'start_addr', 'end_addr', and 'len' from values supplied by the host controller driver. The host controller driver may supply values such that using these variables leads to an out-of-bounds access issue leading to a guest user/process using this flaw to crash the QEMU process on the host resulting in a denial of service (DoS) scenario. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. [5] Fixed by [6] Additional info: * qemu 5.1.0-1 [1] https://www.openwall.com/lists/oss-security/2020/08/24/3 [2] https://git.qemu.org/?p=qemu.git;a=commitdiff;h=b946434f2659a182afc17e155be6791ebfb302eb [3] https://www.openwall.com/lists/oss-security/2020/09/17/1 [4] https://git.qemu.org/?p=qemu.git;a=commitdiff;h=1be90ebecc95b09a2ee5af3f60c412b45a766c4f [5] https://access.redhat.com/security/cve/cve-2020-25624 [6] https://git.qemu.org/?p=qemu.git;a=commitdiff;h=1328fe0c32d5474604105b8105310e944976b058 |
This task depends upon
Closed by David Runge (dvzrv)
Sunday, 07 February 2021, 16:40 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with qemu 5.2.0-1
Sunday, 07 February 2021, 16:40 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with qemu 5.2.0-1