UbuntuUpdates.org

Package "qemu-kvm"

Name: qemu-kvm

Description:

QEMU Full virtualization on x86 hardware

Latest version: 1:5.0-5ubuntu9.9
Release: groovy (20.10)
Level: security
Repository: main
Head package: qemu
Homepage: http://www.qemu.org/

Links


Download "qemu-kvm"


Other versions of "qemu-kvm" in Groovy

Repository Area Version
base main 1:5.0-5ubuntu9
updates main 1:5.0-5ubuntu9.9

Changelog

Version: 1:5.0-5ubuntu9.9 2021-07-15 19:06:33 UTC

  qemu (1:5.0-5ubuntu9.9) groovy-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference in MemoryRegionOps object
    - debian/patches/CVE-2020-15469-1.patch: add pci-intack write method in
      hw/pci-host/prep.c.
    - debian/patches/CVE-2020-15469-2.patch: add pcie-msi read method in
      hw/pci-host/designware.c.
    - debian/patches/CVE-2020-15469-3.patch: add quirk device write method
      in hw/vfio/pci-quirks.c.
    - debian/patches/CVE-2020-15469-4.patch: add ppc-parity write method in
      hw/ppc/prep_systemio.c.
    - debian/patches/CVE-2020-15469-5.patch: add nrf51_soc flash read
      method in hw/nvram/nrf51_nvm.c.
    - debian/patches/CVE-2020-15469-6.patch: add spapr msi read method in
      hw/ppc/spapr_pci.c.
    - debian/patches/CVE-2020-15469-7.patch: add dummy read/write methods
      in hw/misc/tz-ppc.c.
    - debian/patches/CVE-2020-15469-8.patch: add digprog mmio write method
      in hw/misc/imx7_ccm.c.
    - CVE-2020-15469
  * SECURITY UPDATE: NULL pointer dereference flaw in SCSI emulation
    - debian/patches/CVE-2020-35504.patch: always check current_req is not
      NULL before use in DMA callbacks in hw/scsi/esp.c.
    - CVE-2020-35504
  * SECURITY UPDATE: NULL pointer dereference flaw in am53c974 SCSI
    - debian/patches/CVE-2020-35505.patch: ensure cmdfifo is not empty and
      current_dev is non-NULL in hw/scsi/esp.c.
    - CVE-2020-35505
  * SECURITY UPDATE: host privilege escalation issue in virtio-fs
    - debian/patches/CVE-2020-35517-1.patch: extract lo_do_open() from
      lo_open() in tools/virtiofsd/passthrough_ll.c.
    - debian/patches/CVE-2020-35517-2.patch: optionally return inode
      pointer from lo_do_lookup() in tools/virtiofsd/passthrough_ll.c.
    - debian/patches/CVE-2020-35517-3.patch: prevent opening of special
      files in tools/virtiofsd/passthrough_ll.c.
    - CVE-2020-35517
  * SECURITY UPDATE: use-after-free flaw was found in the MegaRAID emulator
    - debian/patches/CVE-2021-3392.patch: Remove unused MPTSASState pending
      field in hw/scsi/mptsas.c, hw/scsi/mptsas.h.
    - CVE-2021-3392
  * SECURITY UPDATE: out-of-bounds read/write in SDHCI controller emulation
    - debian/patches/CVE-2021-3409-1.patch: don't transfer any data when
      command time out in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-2.patch: don't write to SDHC_SYSAD
      register when transfer is in progress in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-3.patch: correctly set the controller
      status for ADMA in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-4.patch: limit block size only when
      SDHC_BLKSIZE register is writable in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-5.patch: reset the data pointer of
      s->fifo_buffer[] when a different block size is programmed in
      hw/sd/sdhci.c.
    - CVE-2021-3409
  * SECURITY UPDATE: stack overflow via infinite loop issue in various NIC
    - debian/patches/CVE-2021-3416-1.patch: introduce qemu_receive_packet()
      in include/net/net.h, include/net/queue.h, net/net.c, net/queue.c.
    - debian/patches/CVE-2021-3416-2.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/e1000.c.
    - debian/patches/CVE-2021-3416-3.patch: switch to use
      qemu_receive_packet() for loopback packet in hw/net/dp8393x.c.
    - debian/patches/CVE-2021-3416-5.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/sungem.c.
    - debian/patches/CVE-2021-3416-6.patch: switch to use
      qemu_receive_packet_iov() for loopback in hw/net/net_tx_pkt.c.
    - debian/patches/CVE-2021-3416-7.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/rtl8139.c.
    - debian/patches/CVE-2021-3416-8.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/pcnet.c.
    - debian/patches/CVE-2021-3416-9.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/cadence_gem.c.
    - debian/patches/CVE-2021-3416-10.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/lan9118.c.
    - CVE-2021-3416
  * SECURITY UPDATE: DoS in USB redirector device
    - debian/patches/CVE-2021-3527-1.patch: avoid dynamic stack allocation
      in hw/usb/redirect.c.
    - debian/patches/CVE-2021-3527-2.patch: limit combined packets to 1 MiB
      in hw/usb/combined-packet.c.
    - CVE-2021-3527
  * SECURITY UPDATE: multiple issues in virtio vhost-user GPU device
    - debian/patches/CVE-2021-3544-1.patch: fix memory disclosure in
      contrib/vhost-user-gpu/virgl.c.
    - debian/patches/CVE-2021-3544-2.patch: fix resource leak in
      contrib/vhost-user-gpu/vhost-user-gpu.c.
    - debian/patches/CVE-2021-3544-3.patch: fix memory leak in
      contrib/vhost-user-gpu/vhost-user-gpu.c.
    - debian/patches/CVE-2021-3544-4.patch: fix memory leak in
      contrib/vhost-user-gpu/vhost-user-gpu.c.
    - debian/patches/CVE-2021-3544-5.patch: fix memory leak in
      contrib/vhost-user-gpu/virgl.c.
    - debian/patches/CVE-2021-3544-6.patch: fix memory leak in
      contrib/vhost-user-gpu/virgl.c.
    - debian/patches/CVE-2021-3544-7.patch: fix OOB write in
      contrib/vhost-user-gpu/virgl.c.
    - debian/patches/CVE-2021-3544-8.patch: abstract vg_cleanup_mapping_iov
      in contrib/vhost-user-gpu/vhost-user-gpu.c,
      contrib/vhost-user-gpu/virgl.c, contrib/vhost-user-gpu/vugpu.h.
    - CVE-2021-3544
    - CVE-2021-3545
    - CVE-2021-3546
  * SECURITY UPDATE: mremap overflow in the pvrdma device
    - debian/patches/CVE-2021-3582.patch: check lengths in
      hw/rdma/vmw/pvrdma_cmd.c.
    - CVE-2021-3582
  * SECURITY UPDATE: integer overflow in pvrdma device
    - debian/patches/CVE-2021-3607.patch: ensure correct input on ring init
      in hw/rdma/vmw/pvrdma_main.c.
    - CVE-2021-3607
  * SECURITY UPDATE: uninitialized memory unmap in pvrdma device
    - debian/patches/CVE-2021-3608.patch: fix the ring init error flow in
      hw/rdma/vmw/pvrdma_dev_ring.c.
    - CVE-2021-3608
  * SECURITY UPDATE: o

Source diff to previous version
CVE-2020-15469 In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
CVE-2020-35504 A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to
CVE-2020-35505 A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while h
CVE-2020-35517 A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is abl
CVE-2021-3392 A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas
CVE-2021-3409 The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues pr
CVE-2021-3416 A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs
CVE-2021-3527 A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce th
CVE-2021-3544 Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contr
CVE-2021-3545 An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. T
CVE-2021-3546 A flaw was found in vhost-user-gpu of QEMU in versions up to and including 6.0. An out-of-bounds write vulnerability can allow a malicious guest to c
CVE-2021-3582 hw/rdma: Fix possible mremap overflow in the pvrdma device
CVE-2021-3607 pvrdma: unchecked malloc size due to integer overflow in init_dev_ring()
CVE-2021-3608 pvrdma: uninitialized memory unmap in pvrdma_ring_init()
CVE-2021-20221 An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64
CVE-2021-20257 net: e1000: infinite loop while processing transmit descriptors

Version: 1:5.0-5ubuntu9.6 2021-02-24 10:06:26 UTC

  qemu (1:5.0-5ubuntu9.6) groovy-security; urgency=medium

  * SECURITY REGRESSION: fix multiple regressions caused by CVE-2020-13754
    security update (LP: #1914883)
    - debian/patches/ubuntu/CVE-2020-13754-3.patch: log invalid memory
      accesses in memory.c.
    - debian/patches/ubuntu/CVE-2020-13754-4.patch: allow 16-bit writes to
      memory region in hw/riscv/sifive_test.c.
    - debian/patches/ubuntu/CVE-2020-13754-5.patch: allow 64-bit accesses
      in hw/timer/slavio_timer.c.
    - debian/patches/ubuntu/CVE-2020-13754-6.patch: allow less than 32-bit
      accesses in hw/char/bcm2835_aux.c.
    - debian/patches/ubuntu/CVE-2020-13754-7.patch: unbreak size mismatch
      memory accesses in hw/display/artist.c.

 -- Marc Deslauriers <email address hidden> Wed, 10 Feb 2021 08:10:20 -0500

Source diff to previous version
1914883 hart0: trap handler failed (error -2) (Needs cherry-pick ab3d207f)
CVE-2020-13754 hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation.

Version: 1:5.0-5ubuntu9.4 2021-02-08 14:06:41 UTC

  qemu (1:5.0-5ubuntu9.4) groovy-security; urgency=medium

  * SECURITY UPDATE: use-after-free in e1000e
    - debian/patches/ubuntu/CVE-2020-15859.patch: forbid the reentrant RX
      in net/queue.c.
    - CVE-2020-15859
  * SECURITY UPDATE: OOB write to MSI-X table
    - debian/patches/ubuntu/CVE-2020-27821.patch: clamp cached translation
      in case it points to an MMIO region in exec.c.
    - CVE-2020-27821
  * SECURITY UPDATE: infinite loop in e1000e
    - debian/patches/ubuntu/CVE-2020-28916.patch: advance desc_offset in
      case of null descriptor in hw/net/e1000e_core.c.
    - CVE-2020-28916
  * SECURITY UPDATE: out of bounds read in atapi
    - debian/patches/ubuntu/CVE-2020-29443-1.patch: assert that the buffer
      pointer is in range in hw/ide/atapi.c.
    - debian/patches/ubuntu/CVE-2020-29443-2.patch: check logical block
      address and read size in hw/ide/atapi.c.
    - CVE-2020-29443
  * SECURITY UPDATE: use after free in 9p
    - debian/patches/ubuntu/CVE-2021-20181.patch: fully restart unreclaim
      loop in hw/9pfs/9p.c.
    - CVE-2021-20181

 -- Marc Deslauriers <email address hidden> Wed, 03 Feb 2021 10:35:16 -0500

Source diff to previous version
CVE-2020-15859 QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000
CVE-2020-27821 A flaw was found in the memory management API of QEMU during the initialization of a memory region cache. This issue could lead to an out-of-bounds w
CVE-2020-28916 hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
CVE-2020-29443 ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated.
CVE-2021-20181 9pfs: Fully restart unreclaim loop

Version: 1:5.0-5ubuntu9.2 2020-11-30 14:07:13 UTC

  qemu (1:5.0-5ubuntu9.2) groovy-security; urgency=medium

  * SECURITY UPDATE: heap buffer overflow in sdhci_sdma_transfer_multi_blocks()
    - debian/patches/ubuntu/CVE-2020-17380.patch: fix DMA Transfer Block
      Size field in hw/sd/sdhci.c.
    - CVE-2020-17380
    - CVE-2020-25085
  * SECURITY UPDATE: use-after-free via unchecked return value
    - debian/patches/ubuntu/CVE-2020-25084.patch: check return value of
      'usb_packet_map' in hw/usb/hcd-xhci.c.
    - CVE-2020-25084
  * SECURITY UPDATE: out-of-bound access issue
    - debian/patches/ubuntu/CVE-2020-25624.patch: check len and
      frame_number variables in hw/usb/hcd-ohci.c.
    - CVE-2020-25624
  * SECURITY UPDATE: infinite loop when a TD list has a loop
    - debian/patches/ubuntu/CVE-2020-25625.patch: check for processed TD
      before retire in hw/usb/hcd-ohci.c.
    - CVE-2020-25625
  * SECURITY UPDATE: assertion failure through usb_packet_unmap()
    - debian/patches/ubuntu/CVE-2020-25723.patch: check return value of
      'usb_packet_map' in hw/usb/hcd-ehci.c.
    - CVE-2020-25723
  * SECURITY UPDATE: bounds issue in ati_2d_blt
    - debian/patches/ubuntu/CVE-2020-27616.patch: check x y display
      parameter values in hw/display/ati_2d.c.
    - CVE-2020-27616
  * SECURITY UPDATE: assertion failure
    - debian/patches/ubuntu/CVE-2020-27617.patch: remove an assert call in
      eth_get_gso_type in net/eth.c.
    - CVE-2020-27617
  * Assertion failure via zero mmap_min_addr (LP: #1897854)
    - debian/patches/ubuntu/lp1897854-Ensure-mmap_min_addr-is-non-zero.patch:
      ensure mmap_min_addr is non-zero in linux-user/main.c.

 -- Marc Deslauriers <email address hidden> Fri, 20 Nov 2020 08:02:13 -0500

1897854 groovy qemu-arm-static: /build/qemu-W3R0Rj/qemu-5.0/linux-user/elfload.c:2317: pgb_reserved_va: Assertion `guest_base != 0' failed.
CVE-2020-17380 heap buffer overflow in sdhci_sdma_transfer_multi_blocks() in hw/sd/sdhci.c
CVE-2020-25085 QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZ
CVE-2020-25084 QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
CVE-2020-25624 hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via ...
CVE-2020-25625 hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop.
CVE-2020-25723 assertion failure through usb_packet_unmap() in hw/usb/hcd-ehci.c
CVE-2020-27616 ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process.
CVE-2020-27617 eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data



About   -   Send Feedback to @ubuntu_updates