Package "qemu"
| Name: |
qemu
|
Description: |
fast processor emulator
|
| Latest version: |
1:2.11+dfsg-1ubuntu7.42 |
| Release: |
bionic (18.04) |
| Level: |
updates |
| Repository: |
universe |
| Homepage: |
http://www.qemu.org/ |
Links
Download "qemu"
Other versions of "qemu" in Bionic
Packages in group
Deleted packages are displayed in grey.
Changelog
|
qemu (1:2.11+dfsg-1ubuntu7.37) bionic-security; urgency=medium
* SECURITY UPDATE: NULL pointer dereference in MemoryRegionOps object
- debian/patches/CVE-2020-15469-1.patch: add pci-intack write method in
hw/pci-host/prep.c.
- debian/patches/CVE-2020-15469-3.patch: add quirk device write method
in hw/vfio/pci-quirks.c.
- debian/patches/CVE-2020-15469-4.patch: add ppc-parity write method in
hw/ppc/prep_systemio.c.
- debian/patches/CVE-2020-15469-6.patch: add spapr msi read method in
hw/ppc/spapr_pci.c.
- CVE-2020-15469
* SECURITY UPDATE: NULL pointer dereference flaw in SCSI emulation
- debian/patches/CVE-2020-35504.patch: always check current_req is not
NULL before use in DMA callbacks in hw/scsi/esp.c.
- CVE-2020-35504
* SECURITY UPDATE: NULL pointer dereference flaw in am53c974 SCSI
- debian/patches/CVE-2020-35505.patch: ensure cmdfifo is not empty and
current_dev is non-NULL in hw/scsi/esp.c.
- CVE-2020-35505
* SECURITY UPDATE: use-after-free flaw was found in the MegaRAID emulator
- debian/patches/CVE-2021-3392.patch: Remove unused MPTSASState pending
field in hw/scsi/mptsas.c, hw/scsi/mptsas.h.
- CVE-2021-3392
* SECURITY UPDATE: out-of-bounds read/write in SDHCI controller emulation
- debian/patches/CVE-2021-3409-1.patch: don't transfer any data when
command time out in hw/sd/sdhci.c.
- debian/patches/CVE-2021-3409-2.patch: don't write to SDHC_SYSAD
register when transfer is in progress in hw/sd/sdhci.c.
- debian/patches/CVE-2021-3409-3.patch: correctly set the controller
status for ADMA in hw/sd/sdhci.c.
- debian/patches/CVE-2021-3409-4.patch: limit block size only when
SDHC_BLKSIZE register is writable in hw/sd/sdhci.c.
- debian/patches/CVE-2021-3409-5.patch: reset the data pointer of
s->fifo_buffer[] when a different block size is programmed in
hw/sd/sdhci.c.
- CVE-2021-3409
* SECURITY UPDATE: stack overflow via infinite loop issue in various NIC
- debian/patches/CVE-2021-3416-1.patch: introduce qemu_receive_packet()
in include/net/net.h, include/net/queue.h, net/net.c, net/queue.c.
- debian/patches/CVE-2021-3416-2.patch: switch to use
qemu_receive_packet() for loopback in hw/net/e1000.c.
- debian/patches/CVE-2021-3416-3.patch: switch to use
qemu_receive_packet() for loopback packet in hw/net/dp8393x.c.
- debian/patches/CVE-2021-3416-5.patch: switch to use
qemu_receive_packet() for loopback in hw/net/sungem.c.
- debian/patches/CVE-2021-3416-6.patch: switch to use
qemu_receive_packet_iov() for loopback in hw/net/net_tx_pkt.c.
- debian/patches/CVE-2021-3416-7.patch: switch to use
qemu_receive_packet() for loopback in hw/net/rtl8139.c.
- debian/patches/CVE-2021-3416-8.patch: switch to use
qemu_receive_packet() for loopback in hw/net/pcnet.c.
- debian/patches/CVE-2021-3416-9.patch: switch to use
qemu_receive_packet() for loopback in hw/net/cadence_gem.c.
- debian/patches/CVE-2021-3416-10.patch: switch to use
qemu_receive_packet() for loopback in hw/net/lan9118.c.
- CVE-2021-3416
* SECURITY UPDATE: DoS in USB redirector device
- debian/patches/CVE-2021-3527-1.patch: avoid dynamic stack allocation
in hw/usb/redirect.c.
- debian/patches/CVE-2021-3527-2.patch: limit combined packets to 1 MiB
in hw/usb/combined-packet.c.
- CVE-2021-3527
* SECURITY UPDATE: out-of-bounds access issue in ARM Generic Interrupt
Controller
- debian/patches/CVE-2021-20221.patch: fix interrupt ID in GICD_SGIR
register in hw/intc/arm_gic.c.
- CVE-2021-20221
* SECURITY UPDATE: infinite loop while processing transmit descriptors
- debian/patches/CVE-2021-20257.patch: fail early for evil descriptor
in hw/net/e1000.c.
- CVE-2021-20257
* SECURITY UPDATE: data leak in bootp_input()
- debian/patches/CVE-2021-3592-pre1.patch: add sanity check for str
option length to slirp/bootp.c.
- debian/patches/CVE-2021-3592-1.patch: add mtod_check() to
slirp/mbuf.*.
- debian/patches/CVE-2021-3592-2.patch: limit vendor-specific area to
input packet memory buffer in slirp/bootp.*, slirp/mbuf.*.
- debian/patches/CVE-2021-3592-3.patch: check bootp_input buffer size
in slirp/bootp.c.
- debian/patches/CVE-2021-3592-4.patch: fix regression in dhcp in
slirp/bootp.c.
- CVE-2021-3592
* SECURITY UPDATE: data leak in udp6_input()
- debian/patches/CVE-2021-3593.patch: check udp6_input buffer size in
slirp/udp6.c.
- CVE-2021-3593
* SECURITY UPDATE: data leak in udp_input()
- debian/patches/CVE-2021-3594.patch: check upd_input buffer size in
slirp/udp.c.
- CVE-2021-3594
* SECURITY UPDATE: data leak in tftp_input()
- debian/patches/CVE-2021-3595-1.patch: check tftp_input buffer size in
slirp/tftp.c.
- debian/patches/CVE-2021-3595-2.patch: introduce a header structure in
slirp/tftp.*.
- CVE-2021-3595
-- Marc Deslauriers <email address hidden> Tue, 13 Jul 2021 07:51:34 -0400
|
| Source diff to previous version |
| CVE-2020-15469 |
In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference. |
| CVE-2020-35504 |
A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to |
| CVE-2020-35505 |
A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while h |
| CVE-2021-3392 |
A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas |
| CVE-2021-3409 |
The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues pr |
| CVE-2021-3416 |
A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs |
| CVE-2021-3527 |
A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce th |
| CVE-2021-20221 |
An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 |
| CVE-2021-20257 |
net: e1000: infinite loop while processing transmit descriptors |
| CVE-2021-3592 |
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and c |
| CVE-2021-3593 |
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and co |
| CVE-2021-3594 |
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and cou |
| CVE-2021-3595 |
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and co |
|
|
qemu (1:2.11+dfsg-1ubuntu7.36) bionic-security; urgency=medium
* SECURITY REGRESSION: fix multiple regressions caused by CVE-2020-13754
security update (LP: #1914883)
- debian/patches/CVE-2020-13754-3.patch: log invalid memory accesses in
memory.c.
- debian/patches/CVE-2020-13754-5.patch: allow 64-bit accesses in
hw/timer/slavio_timer.c.
- debian/patches/CVE-2020-13754-6.patch: allow less than 32-bit
accesses in hw/char/bcm2835_aux.c.
- debian/patches/CVE-2020-13754-9.patch: fix valid.max_access_size to
access address registers in hw/usb/hcd-xhci.c.
-- Marc Deslauriers <email address hidden> Wed, 10 Feb 2021 08:37:38 -0500
|
| Source diff to previous version |
| 1914883 |
hart0: trap handler failed (error -2) (Needs cherry-pick ab3d207f) |
| CVE-2020-13754 |
hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. |
|
|
qemu (1:2.11+dfsg-1ubuntu7.35) bionic-security; urgency=medium
* SECURITY UPDATE: heap overread in iscsi_aio_ioctl_cb
- debian/patches/CVE-2020-11947.patch: fix heap-buffer-overflow in
block/iscsi.c.
- CVE-2020-11947
* SECURITY UPDATE: use-after-free in e1000e
- debian/patches/CVE-2020-15859.patch: forbid the reentrant RX in
net/queue.c.
- CVE-2020-15859
* SECURITY UPDATE: infinite loop in e1000e
- debian/patches/CVE-2020-28916.patch: advance desc_offset in case of
null descriptor in hw/net/e1000e_core.c.
- CVE-2020-28916
* SECURITY UPDATE: out of bounds read in atapi
- debian/patches/CVE-2020-29443-1.patch: assert that the buffer pointer
is in range in hw/ide/atapi.c.
- debian/patches/CVE-2020-29443-2.patch: check logical block address
and read size in hw/ide/atapi.c.
- CVE-2020-29443
* SECURITY UPDATE: use after free in 9p
- debian/patches/CVE-2021-20181.patch: fully restart unreclaim loop in
hw/9pfs/9p.c.
- CVE-2021-20181
-- Marc Deslauriers <email address hidden> Wed, 03 Feb 2021 12:46:34 -0500
|
| Source diff to previous version |
| CVE-2020-11947 |
iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an |
| CVE-2020-15859 |
QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000 |
| CVE-2020-28916 |
hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address. |
| CVE-2020-29443 |
ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. |
| CVE-2021-20181 |
9pfs: Fully restart unreclaim loop |
|
|
qemu (1:2.11+dfsg-1ubuntu7.34) bionic-security; urgency=medium
* SECURITY UPDATE: heap buffer overflow in sdhci_sdma_transfer_multi_blocks()
- debian/patches/CVE-2020-17380.patch: fix DMA Transfer Block Size
field in hw/sd/sdhci.c.
- CVE-2020-17380
- CVE-2020-25085
* SECURITY UPDATE: use-after-free via unchecked return value
- debian/patches/CVE-2020-25084.patch: check return value of
'usb_packet_map' in hw/usb/hcd-xhci.c.
- CVE-2020-25084
* SECURITY UPDATE: out-of-bound access issue
- debian/patches/CVE-2020-25624.patch: check len and frame_number
variables in hw/usb/hcd-ohci.c.
- CVE-2020-25624
* SECURITY UPDATE: infinite loop when a TD list has a loop
- debian/patches/CVE-2020-25625.patch: check for processed TD before
retire in hw/usb/hcd-ohci.c.
- CVE-2020-25625
* SECURITY UPDATE: assertion failure through usb_packet_unmap()
- debian/patches/CVE-2020-25723.patch: check return value of
'usb_packet_map' in hw/usb/hcd-ehci.c.
- CVE-2020-25723
* SECURITY UPDATE: assertion failure
- debian/patches/CVE-2020-27617.patch: remove an assert call in
eth_get_gso_type in net/eth.c.
- CVE-2020-27617
-- Marc Deslauriers <email address hidden> Fri, 20 Nov 2020 08:15:55 -0500
|
| Source diff to previous version |
| CVE-2020-17380 |
heap buffer overflow in sdhci_sdma_transfer_multi_blocks() in hw/sd/sdhci.c |
| CVE-2020-25085 |
QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZ |
| CVE-2020-25084 |
QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. |
| CVE-2020-25624 |
hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via ... |
| CVE-2020-25625 |
hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. |
| CVE-2020-25723 |
assertion failure through usb_packet_unmap() in hw/usb/hcd-ehci.c |
| CVE-2020-27617 |
eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data |
|
|
qemu (1:2.11+dfsg-1ubuntu7.33) bionic; urgency=medium
* d/p/u/lp-1894942-*: fix virtio-ccw host/guest notification (LP: #1894942)
-- Christian Ehrhardt <email address hidden> Mon, 21 Sep 2020 15:39:32 +0200
|
| 1894942 |
[UBUNTU 20.04] Lost virtio host --\u003e guest notifications cause devices to cease normal operation |
|
About
-
Send Feedback to @ubuntu_updates
