===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2981
                           qemu security update
                             3 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qemu
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3713 CVE-2021-3682 CVE-2021-3595
                   CVE-2021-3594 CVE-2021-3592 CVE-2021-3527

Reference:         ESB-2021.2918
                   ESB-2021.2596
                   ESB-2021.2415

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2021/09/msg00000.html

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2753-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
September 02, 2021                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : qemu
Version        : 1:2.8+dfsg-6+deb9u15
CVE ID         : CVE-2021-3527 CVE-2021-3592 CVE-2021-3594 CVE-2021-3595
                 CVE-2021-3682 CVE-2021-3713
Debian Bug     : 988157 989993 989995 989996 991911 992727

Several security vulnerabilities have been found in Qemu, a fast processor
emulator.

CVE-2021-3713

    An out-of-bounds write flaw was found in the UAS (USB Attached SCSI)
    device emulation of QEMU. The device uses the guest supplied stream
    number unchecked, which can lead to out-of-bounds access to the
    UASDevice->data3 and UASDevice->status3 fields. A malicious guest user
    could use this flaw to crash QEMU or potentially achieve code execution
    with the privileges of the QEMU process on the host.

CVE-2021-3682

    A flaw was found in the USB redirector device emulation of QEMU.
    It occurs when dropping packets during a bulk transfer from a SPICE
    client due to the packet queue being full. A malicious SPICE client
    could use this flaw to make QEMU call free() with faked heap chunk
    metadata, resulting in a crash of QEMU or potential code execution with
    the privileges of the QEMU process on the host.

CVE-2021-3527

    A flaw was found in the USB redirector device (usb-redir) of QEMU.
    Small USB packets are combined into a single, large transfer request,
    to reduce the overhead and improve performance. The combined size of
    the bulk transfer is used to dynamically allocate a variable length
    array (VLA) on the stack without proper validation. Since the total
    size is not bounded, a malicious guest could use this flaw to influence
    the array length and cause the QEMU process to perform an excessive
    allocation on the stack, resulting in a denial of service.

CVE-2021-3594

    An invalid pointer initialization issue was found in the SLiRP
    networking implementation of QEMU. The flaw exists in the udp_input()
    function and could occur while processing a UDP packet that is smaller
    than the size of the 'udphdr' structure. This issue may lead to
    out-of-bounds read access or indirect host memory disclosure to the
    guest. The highest threat from this vulnerability is to data
    confidentiality.

CVE-2021-3592

    An invalid pointer initialization issue was found in the SLiRP
    networking implementation of QEMU. The flaw exists in the bootp_input()
    function and could occur while processing a UDP packet that is smaller
    than the size of the 'bootp_t' structure. A malicious guest could use
    this flaw to leak 10 bytes of uninitialized heap memory from the host.
    The highest threat from this vulnerability is to data confidentiality.

CVE-2021-3595

    An invalid pointer initialization issue was found in the SLiRP
    networking implementation of QEMU. The flaw exists in the tftp_input()
    function and could occur while processing a UDP packet that is smaller
    than the size of the 'tftp_t' structure.
    This issue may lead to out-of-bounds read access or indirect host
    memory disclosure to the guest. The highest threat from this
    vulnerability is to data confidentiality.

For Debian 9 stretch, these problems have been fixed in version
1:2.8+dfsg-6+deb9u15.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.