===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1572
                          qemu security update
                              15 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qemu
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-1050 CVE-2022-0216 CVE-2021-3595 CVE-2021-3594
                   CVE-2021-3593 CVE-2021-3592 CVE-2021-3409 CVE-2020-29130
                   CVE-2020-17380 CVE-2020-14394

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2023/03/msg00013.html

Comment: CVSS (Max):  8.8 CVE-2022-1050 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3362-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
March 14, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : qemu
Version        : 1:3.1+dfsg-8+deb10u10
CVE ID         : CVE-2020-14394 CVE-2020-29130 CVE-2021-3592 CVE-2021-3593
                 CVE-2021-3594 CVE-2021-3595 CVE-2022-0216 CVE-2022-1050
Debian Bug     : 970937 979677 986795 989993 989994 989995 989996 1014589
                 1014590

Multiple security issues were discovered in QEMU, a fast processor
emulator, which could result in denial of service, information leak, or
potentially the execution of arbitrary code.

CVE-2020-14394

    An infinite loop flaw was found in the USB xHCI controller emulation
    of QEMU while computing the length of the Transfer Request Block (TRB)
    Ring.
    This flaw allows a privileged guest user to hang the QEMU process on
    the host, resulting in a denial of service.

CVE-2020-17380/CVE-2021-3409

    A heap-based buffer overflow was found in QEMU in the SDHCI device
    emulation support. It could occur while doing a multi block SDMA
    transfer via the sdhci_sdma_transfer_multi_blocks() routine in
    hw/sd/sdhci.c. A guest user or process could use this flaw to crash
    the QEMU process on the host, resulting in a denial of service
    condition, or potentially execute arbitrary code with privileges of
    the QEMU process on the host.

CVE-2020-29130

    slirp.c has a buffer over-read because it tries to read a certain
    amount of header data even if that exceeds the total packet length.

CVE-2021-3592

    An invalid pointer initialization issue was found in the SLiRP
    networking implementation of QEMU. The flaw exists in the
    bootp_input() function and could occur while processing a udp packet
    that is smaller than the size of the 'bootp_t' structure. A malicious
    guest could use this flaw to leak 10 bytes of uninitialized heap
    memory from the host.

CVE-2021-3593

    An invalid pointer initialization issue was found in the SLiRP
    networking implementation of QEMU. The flaw exists in the
    udp6_input() function and could occur while processing a udp packet
    that is smaller than the size of the 'udphdr' structure. This issue
    may lead to out-of-bounds read access or indirect host memory
    disclosure to the guest.

CVE-2021-3594

    An invalid pointer initialization issue was found in the SLiRP
    networking implementation of QEMU. The flaw exists in the udp_input()
    function and could occur while processing a udp packet that is
    smaller than the size of the 'udphdr' structure. This issue may lead
    to out-of-bounds read access or indirect host memory disclosure to
    the guest.

CVE-2021-3595

    An invalid pointer initialization issue was found in the SLiRP
    networking implementation of QEMU.
    The flaw exists in the tftp_input() function and could occur while
    processing a udp packet that is smaller than the size of the 'tftp_t'
    structure. This issue may lead to out-of-bounds read access or
    indirect host memory disclosure to the guest.

CVE-2022-0216

    A use-after-free vulnerability was found in the LSI53C895A SCSI Host
    Bus Adapter emulation of QEMU. The flaw occurs while processing
    repeated messages to cancel the current SCSI request via the
    lsi_do_msgout function. This flaw allows a malicious privileged user
    within the guest to crash the QEMU process on the host, resulting in
    a denial of service.

CVE-2022-1050

    A flaw was found in the QEMU implementation of VMWare's paravirtual
    RDMA device. This flaw allows a crafted guest driver to execute HW
    commands when shared buffers are not yet allocated, potentially
    leading to a use-after-free condition.

    Note: PVRDMA is disabled in buster, but this was fixed preventively
    in case this changes in the future.

For Debian 10 buster, these problems have been fixed in version
1:3.1+dfsg-8+deb10u10.

We recommend that you upgrade your qemu packages.
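The four SLiRP issues CVE-2021-3592 to CVE-2021-3595 share one defect class: a UDP datagram shorter than the header structure is interpreted as that structure. As an added illustration (not QEMU or libslirp code), the parser below checks each header's length before reading it; the struct layouts, status codes and sample packets are constructed stand-ins, not the real 'udphdr' or 'bootp_t' definitions.

```c
/* Added example, not libslirp/QEMU code: header-length validation for a UDP
 * datagram carrying a BOOTP-style message. Layouts are simplified stand-ins. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct udp_hdr {                 /* 8-byte stand-in for 'udphdr' */
    uint16_t src_port, dst_port, length, checksum;
};

struct bootp_hdr {               /* 8-byte stand-in for 'bootp_t' */
    uint8_t  op, htype, hlen, hops;
    uint32_t xid;
};

enum parse_status { PARSE_OK = 0, PARSE_SHORT_UDP = -1, PARSE_SHORT_BOOTP = -2 };

/* Every header is length-checked before the buffer is read as that header,
 * so a short datagram yields an error instead of a read past its end.
 * On success *op receives the BOOTP op field. */
static enum parse_status parse_udp_bootp(const uint8_t *pkt, size_t len, uint8_t *op)
{
    if (pkt == NULL || len < sizeof(struct udp_hdr))
        return PARSE_SHORT_UDP;
    const uint8_t *payload = pkt + sizeof(struct udp_hdr);
    size_t payload_len = len - sizeof(struct udp_hdr);  /* no underflow: checked above */
    if (payload_len < sizeof(struct bootp_hdr))
        return PARSE_SHORT_BOOTP;
    struct bootp_hdr b;
    memcpy(&b, payload, sizeof b);  /* copy out: no alignment assumptions on pkt */
    *op = b.op;
    return PARSE_OK;
}

/* Constructed sample datagrams (not captured traffic). */
static const uint8_t FULL_PACKET[16] = {
    0x00, 0x44, 0x00, 0x43, 0x00, 0x10, 0x00, 0x00,  /* UDP 68 -> 67, length 16 */
    0x01, 0x01, 0x06, 0x00, 0xde, 0xad, 0xbe, 0xef,  /* BOOTP op=1 (request), xid */
};
static const uint8_t SHORT_PACKET[12] = {             /* full UDP header, 4 payload bytes */
    0x00, 0x44, 0x00, 0x43, 0x00, 0x0c, 0x00, 0x00, 0x01, 0x01, 0x06, 0x00,
};

/* Helpers returning the parse outcome for each sample so it can be checked. */
static int demo_full(void)      { uint8_t op = 0; return parse_udp_bootp(FULL_PACKET, sizeof FULL_PACKET, &op) == PARSE_OK ? op : -1; }
static int demo_short(void)     { uint8_t op = 0; return (int)parse_udp_bootp(SHORT_PACKET, sizeof SHORT_PACKET, &op); }
static int demo_truncated(void) { uint8_t op = 0; return (int)parse_udp_bootp(FULL_PACKET, 5, &op); }
```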
For the detailed security status of qemu please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which
may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================