Operating System:

[Debian]

Published:

27 July 2020

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2020.2544 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2544
                           qemu security update
                               27 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qemu
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Access Privileged Data -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15863 CVE-2020-13765 CVE-2020-13754
                   CVE-2020-13659 CVE-2020-13362 CVE-2020-13361
                   CVE-2020-10756 CVE-2020-8608 CVE-2020-1983
                   CVE-2019-20382 CVE-2019-12068 CVE-2017-9503

Reference:         ESB-2020.2505
                   ESB-2020.2236
                   ESB-2019.4287
                   ESB-2017.1677

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2288

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -----------------------------------------------------------------------
Debian LTS Advisory DLA-2288-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
July 25, 2020                               https://wiki.debian.org/LTS
- - -----------------------------------------------------------------------

Package        : qemu
Version        : 1:2.8+dfsg-6+deb9u10
CVE ID         : CVE-2017-9503 CVE-2019-12068 CVE-2019-20382
                 CVE-2020-1983 CVE-2020-8608 CVE-2020-10756
                 CVE-2020-13361 CVE-2020-13362 CVE-2020-13659
                 CVE-2020-13754 CVE-2020-13765 CVE-2020-15863
Debian Bug     : 865754 961887 961888 964793

The following CVE(s) were reported against src:qemu:

CVE-2017-9503

    QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2
    Host Bus Adapter emulation support, allows local guest OS
    privileged users to cause a denial of service (NULL pointer
    dereference and QEMU process crash) via vectors involving megasas
    command processing.

CVE-2019-12068

    In QEMU 1:4.1-1 (1:2.8+dfsg-6+deb9u8), when executing script in
    lsi_execute_script(), the LSI scsi adapter emulator advances
    's->dsp' index to read next opcode. This can lead to an infinite
    loop if the next opcode is empty. Move the existing loop exit
    after 10k iterations so that it covers no-op opcodes as well.

CVE-2019-20382

    QEMU 4.1.0 has a memory leak in zrle_compress_data in
    ui/vnc-enc-zrle.c during a VNC disconnect operation because libz
    is misused, resulting in a situation where memory allocated in
    deflateInit2 is not freed in deflateEnd.

CVE-2020-1983

    A use after free vulnerability in ip_reass() in ip_input.c of
    libslirp 4.2.0 and prior releases allows crafted packets to cause
    a denial of service.

CVE-2020-8608

    In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses
    snprintf return values, leading to a buffer overflow in later
    code.

CVE-2020-10756

    An out-of-bounds read vulnerability was found in the SLiRP
    networking implementation of the QEMU emulator. This flaw occurs
    in the icmp6_send_echoreply() routine while replying to an ICMP
    echo request, also known as ping. This flaw allows a malicious
    guest to leak the contents of the host memory, resulting in
    possible information disclosure. This flaw affects versions of
    libslirp before 4.3.1.

CVE-2020-13361

    In QEMU 5.0.0 and earlier, es1370_transfer_audio in
    hw/audio/es1370.c does not properly validate the frame count,
    which allows guest OS users to trigger an out-of-bounds access
    during an es1370_write() operation.

CVE-2020-13362

    In QEMU 5.0.0 and earlier, megasas_lookup_frame in
    hw/scsi/megasas.c has an out-of-bounds read via a crafted
    reply_queue_head field from a guest OS user.

CVE-2020-13659

    address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL
    pointer dereference related to BounceBuffer.

CVE-2020-13754

    hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger
    an out-of-bounds access via a crafted address in an msi-x mmio
    operation.

CVE-2020-13765

    rom_copy() in hw/core/loader.c in QEMU 4.1.0 does not validate
    the relationship between two addresses, which allows attackers
    to trigger an invalid memory copy operation.

CVE-2020-15863

    Stack-based overflow in xgmac_enet_send() in hw/net/xgmac.c.

For Debian 9 stretch, these problems have been fixed in version
1:2.8+dfsg-6+deb9u10.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Best,
Utkarsh
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl8dbjoACgkQgj6WdgbD
S5b6nA//d6GQMouWOSCQ1juZ6Ej71f8ILXLirILUi9dQ6HyJfnCEus0sZGvG/F5k
200hsZfT5LLp7zZcMdCnYtyEjKC+fwaroX+g73gcRVlsxQfsyeipUMOvvFUE6zhP
cx4KgnYhhYHwLLuyVL4FXdI2o7aWGBeurN2mw1WVTLf+vNvgbz/33mDqMRzBybhZ
PRnSjYeqlInjG75Sxo5rEgHW2cQltGyG0pJ1xwOC0chg5932kDy9YirTHQtRfFCe
P3WDe3jgP6EdPlDh1y+iEAM+nkKAuURnl3IV5EC0V3xxPQLIhchEOhDluDM0fJry
xoH7REXCdRvxsUaCaBZLeTz/9t4q7mvsSZoDD1g2ZPKe0Giyw+gfSsKMb7HqUhDi
RK7rnJABUvxIHgYfH1hOBuBeRy7ExLrXM79FUVbVyU7vfE/BCMlsi+AVtT/GhMc+
zfIrm3zVBUdW45u/MSwpBW/qzoAkfJLr1ddfAkDpYPcbC4Ru/bRiPwrJHVSQf7fJ
Jh/Gm28KoeYm1yANEiZuW9SiSgd+LJXGMRzMTEjoCTFrRJrtP9XJuEZGqAFGQ9C4
+4ehusq+C3Zi7ngRJi9Wcx2mg0y2ojGHXTZS83SZ1WZ4reu3ub1ezQhvPh4hYdcB
Dza4xIu2m7xUi8AshEqleI5pTmXI0rIjh3KY4p8f/X4yCm2jYeo=
=3RkF
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXx5B+eNLKJtyKPYoAQia8w/+LuxZhHjjQeyidQm0XsnOhTXzENF43YHJ
hgdyv4drufY1VRhfwbrGk6SsHM1+Na8klGG0czxe8PlxglmdPKKdOzaZM0dV6jwb
YOXp8yJ688+lG3Eb6ZPzxKLvDjB8xaN5eOuBC37jPCO8OyF+o8wYcCW+GHZIfkFZ
xGqmE1DW72sf8symZTRGYJa0zHC3lvmnpMuzaidJfw1zaxoEBFSWifM8z54ZhAQK
NpXhfMBdMKnjsBHQX7176D1Xw8ZzuSkd2gQWYh5LKL6hwiYGyu8Qwb4tXWlTDKLv
VpZmUfhOZaxR85JNltLfwScieL8oZaVcLZaEPi10tkCRk5hGalAf/Phza+INn0Kx
8KtyY04xlcDm8++WfJemqpFxck+8VqIJDnjZFs5qJmm9cBi9CBf/IdlwkodovlE4
SXbeHED1j11aw+S9OGG3EtUt8iokj9XBzWV+8UzUtRVFVRwBR+Zt6q+46wRO+SVp
Gg2fFEiWoXEvLhwM39+ZfKtlqMmFmU5O4WHWPEL3amYiWkcHX7DPSOjJGZJkGxyy
wLSxHt9NxF2YQLcg8gANBtULbulTaPX4RaTRu4sLtA85PtbikD7/kBfxJ0YLAzuh
FiV8n+RFxtmykJlggSABln+N+sNOrpiCkZXCCyPpRtZzHcJfQR/JtyQmg3qfq3pN
PZN+iolgSbw=
=yYO6
-----END PGP SIGNATURE-----