[ubuntu/bionic-security] qemu 1:2.11+dfsg-1ubuntu7.37 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Thu Jul 15 17:27:23 UTC 2021 

qemu (1:2.11+dfsg-1ubuntu7.37) bionic-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference in MemoryRegionOps object
    - debian/patches/CVE-2020-15469-1.patch: add pci-intack write method in
      hw/pci-host/prep.c.
    - debian/patches/CVE-2020-15469-3.patch: add quirk device write method
      in hw/vfio/pci-quirks.c.
    - debian/patches/CVE-2020-15469-4.patch: add ppc-parity write method in
      hw/ppc/prep_systemio.c.
    - debian/patches/CVE-2020-15469-6.patch: add spapr msi read method in
      hw/ppc/spapr_pci.c.
    - CVE-2020-15469
  * SECURITY UPDATE: NULL pointer dereference flaw in SCSI emulation
    - debian/patches/CVE-2020-35504.patch: always check current_req is not
      NULL before use in DMA callbacks in hw/scsi/esp.c.
    - CVE-2020-35504
  * SECURITY UPDATE: NULL pointer dereference flaw in am53c974 SCSI
    - debian/patches/CVE-2020-35505.patch: ensure cmdfifo is not empty and
      current_dev is non-NULL in hw/scsi/esp.c.
    - CVE-2020-35505
  * SECURITY UPDATE: use-after-free flaw was found in the MegaRAID emulator
    - debian/patches/CVE-2021-3392.patch: Remove unused MPTSASState pending
      field in hw/scsi/mptsas.c, hw/scsi/mptsas.h.
    - CVE-2021-3392
  * SECURITY UPDATE: out-of-bounds read/write in SDHCI controller emulation
    - debian/patches/CVE-2021-3409-1.patch: don't transfer any data when
      command time out in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-2.patch: don't write to SDHC_SYSAD
      register when transfer is in progress in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-3.patch: correctly set the controller
      status for ADMA in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-4.patch: limit block size only when
      SDHC_BLKSIZE register is writable in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-5.patch: reset the data pointer of
      s->fifo_buffer[] when a different block size is programmed in
      hw/sd/sdhci.c.
    - CVE-2021-3409
  * SECURITY UPDATE: stack overflow via infinite loop issue in various NIC
    - debian/patches/CVE-2021-3416-1.patch: introduce qemu_receive_packet()
      in include/net/net.h, include/net/queue.h, net/net.c, net/queue.c.
    - debian/patches/CVE-2021-3416-2.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/e1000.c.
    - debian/patches/CVE-2021-3416-3.patch: switch to use
      qemu_receive_packet() for loopback packet in hw/net/dp8393x.c.
    - debian/patches/CVE-2021-3416-5.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/sungem.c.
    - debian/patches/CVE-2021-3416-6.patch: switch to use
      qemu_receive_packet_iov() for loopback in hw/net/net_tx_pkt.c.
    - debian/patches/CVE-2021-3416-7.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/rtl8139.c.
    - debian/patches/CVE-2021-3416-8.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/pcnet.c.
    - debian/patches/CVE-2021-3416-9.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/cadence_gem.c.
    - debian/patches/CVE-2021-3416-10.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/lan9118.c.
    - CVE-2021-3416
  * SECURITY UPDATE: DoS in USB redirector device
    - debian/patches/CVE-2021-3527-1.patch: avoid dynamic stack allocation
      in hw/usb/redirect.c.
    - debian/patches/CVE-2021-3527-2.patch: limit combined packets to 1 MiB
      in hw/usb/combined-packet.c.
    - CVE-2021-3527
  * SECURITY UPDATE: out-of-bounds access issue in ARM Generic Interrupt
    Controller
    - debian/patches/CVE-2021-20221.patch: fix interrupt ID in GICD_SGIR
      register in hw/intc/arm_gic.c.
    - CVE-2021-20221
  * SECURITY UPDATE: infinite loop while processing transmit descriptors
    - debian/patches/CVE-2021-20257.patch: fail early for evil descriptor
      in hw/net/e1000.c.
    - CVE-2021-20257
  * SECURITY UPDATE: data leak in bootp_input()
    - debian/patches/CVE-2021-3592-pre1.patch: add sanity check for str
      option length to slirp/bootp.c.
    - debian/patches/CVE-2021-3592-1.patch: add mtod_check() to
      slirp/mbuf.*.
    - debian/patches/CVE-2021-3592-2.patch: limit vendor-specific area to
      input packet memory buffer in slirp/bootp.*, slirp/mbuf.*.
    - debian/patches/CVE-2021-3592-3.patch: check bootp_input buffer size
      in slirp/bootp.c.
    - debian/patches/CVE-2021-3592-4.patch: fix regression in dhcp in
      slirp/bootp.c.
    - CVE-2021-3592
  * SECURITY UPDATE: data leak in udp6_input()
    - debian/patches/CVE-2021-3593.patch: check udp6_input buffer size in
      slirp/udp6.c.
    - CVE-2021-3593
  * SECURITY UPDATE: data leak in udp_input()
    - debian/patches/CVE-2021-3594.patch: check upd_input buffer size in
      slirp/udp.c.
    - CVE-2021-3594
  * SECURITY UPDATE: data leak in tftp_input()
    - debian/patches/CVE-2021-3595-1.patch: check tftp_input buffer size in
      slirp/tftp.c.
    - debian/patches/CVE-2021-3595-2.patch: introduce a header structure in
      slirp/tftp.*.
    - CVE-2021-3595

Date: 2021-07-13 15:10:11.794495+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg-1ubuntu7.37
-------------- next part --------------
Sorry, changesfile not available.

More information about the Bionic-changes mailing list