Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2546 qemu security update 27 July 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: qemu Publisher: Debian Operating System: Debian GNU/Linux 9 Impact/Access: Access Privileged Data -- Existing Account Denial of Service -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-15863 CVE-2020-13765 CVE-2020-13754 CVE-2020-13659 CVE-2020-13362 CVE-2020-13361 CVE-2020-10756 CVE-2020-8608 CVE-2020-1983 CVE-2019-20382 CVE-2019-12068 CVE-2017-9503 Reference: ESB-2020.2544 ESB-2020.2530 ESB-2019.3944.2 ESB-2017.1677 Original Bulletin: https://www.debian.org/lts/security/2020/dla-2288 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - - ----------------------------------------------------------------------- Debian LTS Advisory DLA-2288-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Utkarsh Gupta July 25, 2020 https://wiki.debian.org/LTS - - ----------------------------------------------------------------------- Package : qemu Version : 1:2.8+dfsg-6+deb9u10 CVE ID : CVE-2017-9503 CVE-2019-12068 CVE-2019-20382 CVE-2020-1983 CVE-2020-8608 CVE-2020-10756 CVE-2020-13361 CVE-2020-13362 CVE-2020-13659 CVE-2020-13754 CVE-2020-13765 CVE-2020-15863 Debian Bug : 865754 961887 961888 964793 The following CVE(s) were reported against src:qemu: CVE-2017-9503 QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing. CVE-2019-12068 In QEMU 1:4.1-1 (1:2.8+dfsg-6+deb9u8), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well. CVE-2019-20382 QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd. CVE-2020-1983 A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service. CVE-2020-8608 In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code. CVE-2020-10756 An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects versions of libslirp before 4.3.1. CVE-2020-13361 In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation. CVE-2020-13362 In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user. CVE-2020-13659 address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer. CVE-2020-13754 hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. CVE-2020-13765 rom_copy() in hw/core/loader.c in QEMU 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation. CVE-2020-15863 Stack-based overflow in xgmac_enet_send() in hw/net/xgmac.c. For Debian 9 stretch, these problems have been fixed in version 1:2.8+dfsg-6+deb9u10. We recommend that you upgrade your qemu packages. For the detailed security status of qemu please refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Best, Utkarsh - -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl8dbjoACgkQgj6WdgbD S5b6nA//d6GQMouWOSCQ1juZ6Ej71f8ILXLirILUi9dQ6HyJfnCEus0sZGvG/F5k 200hsZfT5LLp7zZcMdCnYtyEjKC+fwaroX+g73gcRVlsxQfsyeipUMOvvFUE6zhP cx4KgnYhhYHwLLuyVL4FXdI2o7aWGBeurN2mw1WVTLf+vNvgbz/33mDqMRzBybhZ PRnSjYeqlInjG75Sxo5rEgHW2cQltGyG0pJ1xwOC0chg5932kDy9YirTHQtRfFCe P3WDe3jgP6EdPlDh1y+iEAM+nkKAuURnl3IV5EC0V3xxPQLIhchEOhDluDM0fJry xoH7REXCdRvxsUaCaBZLeTz/9t4q7mvsSZoDD1g2ZPKe0Giyw+gfSsKMb7HqUhDi RK7rnJABUvxIHgYfH1hOBuBeRy7ExLrXM79FUVbVyU7vfE/BCMlsi+AVtT/GhMc+ zfIrm3zVBUdW45u/MSwpBW/qzoAkfJLr1ddfAkDpYPcbC4Ru/bRiPwrJHVSQf7fJ Jh/Gm28KoeYm1yANEiZuW9SiSgd+LJXGMRzMTEjoCTFrRJrtP9XJuEZGqAFGQ9C4 +4ehusq+C3Zi7ngRJi9Wcx2mg0y2ojGHXTZS83SZ1WZ4reu3ub1ezQhvPh4hYdcB Dza4xIu2m7xUi8AshEqleI5pTmXI0rIjh3KY4p8f/X4yCm2jYeo= =3RkF - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXx5FHONLKJtyKPYoAQgY/hAAjPlNW9hgH45L59BA0pbWmIWGXI6CsDt4 pOHRqMJtDf2/RjpX5idaaBWM9/EZuIgZPA1u1iMGSXoXV1zWyS5OIopyooncIbvV SP4aco6scdKfQHiC4ecoKfsffLYE8UnUdwB4KnHlB6uZAxP+v2SHFnPgLuIIrrFA 072rlvjOrW4br9ST5ctFS+XuhuqZPcezyXSMSYOuLETcjsAuy3bigIhZ6Yj63gUC Q6pCnzup1hvQh2dWe3zLrb8xxV8O26ZiFjCJnFK5epiaag3LKUUkyVsdm+aPNE2w 7edxtzHQWXDCZKlcwUOOr1r7zhlShrI0J0izyOD7KZ6GGwx1T6O8C4gnLbLuZ8Kp WspaYh9DCxPFndgArRQ/G2wHGJ+RFqy15k5eZsGkEQpbeBbAVjiOckN6GkJmMLxP Cdxn6NXIJiHElu/rqS0CN/2XtJZOtuTb4uKDCh+Lk7d/mhjuO7LzZ+L6cadxrYp8 c/6y7qE7aKp943PrTgPDRJcem7VjGgIJNhhmCVpBgg7d+5/23RaxYm8JokvvY/0d 9qcWmpoitrxBWrPCFKruJl7PEmE3qqEipcLgUmE7mGPSOkItJVP1wYxbsoFLtMV5 jmhKx5nrpdDb/CvpAABIeJlXEaMGa/wMSZ/cP/F1sN707vx6WVrRVkQ1SERcCdDJ zgDJbwVSTIU= =hKlZ -----END PGP SIGNATURE-----