Debian Long Term Support / LTS Security Information / 2023 / Security Information -- DLA-3362-1 qemu

Debian Security Advisory

DLA-3362-1 qemu -- LTS security update

Date Reported:

14 Mar 2023

Affected Packages:

qemu

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 970937, Bug 979677, Bug 986795, Bug 989993, Bug 989994, Bug 989995, Bug 989996, Bug 1014589, Bug 1014590.
In Mitre's CVE dictionary: CVE-2020-14394, CVE-2020-29130, CVE-2021-3592, CVE-2021-3593, CVE-2021-3594, CVE-2021-3595, CVE-2022-0216, CVE-2022-1050.

More information:

Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service, information leak, or potentially the execution of arbitrary code.

• CVE-2020-14394

  An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.

• CVE-2020-17380/CVE-2021-3409

  A heap-based buffer overflow was found in QEMU in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.

• CVE-2020-29130

  slirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.

• CVE-2021-3592

  An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the bootp_t structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host.

• CVE-2021-3593

  An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the udphdr structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest.

• CVE-2021-3594

  An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a udp packet that is smaller than the size of the udphdr structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest.

• CVE-2021-3595

  An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the tftp_t structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest.

• CVE-2022-0216

  A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.

• CVE-2022-1050

  A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition. Note: PVRDMA is disabled in buster, but this was fixed preventively in case this changes in the future.

For Debian 10 buster, these problems have been fixed in version 1:3.1+dfsg-8+deb10u10.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS