[ubuntu/groovy-security] qemu 1:5.0-5ubuntu9.9 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Thu Jul 15 17:27:21 UTC 2021

qemu (1:5.0-5ubuntu9.9) groovy-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference in MemoryRegionOps object
    - debian/patches/CVE-2020-15469-1.patch: add pci-intack write method in
    - debian/patches/CVE-2020-15469-2.patch: add pcie-msi read method in
    - debian/patches/CVE-2020-15469-3.patch: add quirk device write method
      in hw/vfio/pci-quirks.c.
    - debian/patches/CVE-2020-15469-4.patch: add ppc-parity write method in
    - debian/patches/CVE-2020-15469-5.patch: add nrf51_soc flash read
      method in hw/nvram/nrf51_nvm.c.
    - debian/patches/CVE-2020-15469-6.patch: add spapr msi read method in
    - debian/patches/CVE-2020-15469-7.patch: add dummy read/write methods
      in hw/misc/tz-ppc.c.
    - debian/patches/CVE-2020-15469-8.patch: add digprog mmio write method
      in hw/misc/imx7_ccm.c.
    - CVE-2020-15469
  * SECURITY UPDATE: NULL pointer dereference flaw in SCSI emulation
    - debian/patches/CVE-2020-35504.patch: always check current_req is not
      NULL before use in DMA callbacks in hw/scsi/esp.c.
    - CVE-2020-35504
  * SECURITY UPDATE: NULL pointer dereference flaw in am53c974 SCSI
    - debian/patches/CVE-2020-35505.patch: ensure cmdfifo is not empty and
      current_dev is non-NULL in hw/scsi/esp.c.
    - CVE-2020-35505
  * SECURITY UPDATE: host privilege escalation issue in virtio-fs
    - debian/patches/CVE-2020-35517-1.patch: extract lo_do_open() from
      lo_open() in tools/virtiofsd/passthrough_ll.c.
    - debian/patches/CVE-2020-35517-2.patch: optionally return inode
      pointer from lo_do_lookup() in tools/virtiofsd/passthrough_ll.c.
    - debian/patches/CVE-2020-35517-3.patch: prevent opening of special
      files in tools/virtiofsd/passthrough_ll.c.
    - CVE-2020-35517
  * SECURITY UPDATE: use-after-free flaw was found in the MegaRAID emulator
    - debian/patches/CVE-2021-3392.patch: Remove unused MPTSASState pending
      field in hw/scsi/mptsas.c, hw/scsi/mptsas.h.
    - CVE-2021-3392
  * SECURITY UPDATE: out-of-bounds read/write in SDHCI controller emulation
    - debian/patches/CVE-2021-3409-1.patch: don't transfer any data when
      command time out in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-2.patch: don't write to SDHC_SYSAD
      register when transfer is in progress in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-3.patch: correctly set the controller
      status for ADMA in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-4.patch: limit block size only when
      SDHC_BLKSIZE register is writable in hw/sd/sdhci.c.
    - debian/patches/CVE-2021-3409-5.patch: reset the data pointer of
      s->fifo_buffer[] when a different block size is programmed in
    - CVE-2021-3409
  * SECURITY UPDATE: stack overflow via infinite loop issue in various NIC
    - debian/patches/CVE-2021-3416-1.patch: introduce qemu_receive_packet()
      in include/net/net.h, include/net/queue.h, net/net.c, net/queue.c.
    - debian/patches/CVE-2021-3416-2.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/e1000.c.
    - debian/patches/CVE-2021-3416-3.patch: switch to use
      qemu_receive_packet() for loopback packet in hw/net/dp8393x.c.
    - debian/patches/CVE-2021-3416-5.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/sungem.c.
    - debian/patches/CVE-2021-3416-6.patch: switch to use
      qemu_receive_packet_iov() for loopback in hw/net/net_tx_pkt.c.
    - debian/patches/CVE-2021-3416-7.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/rtl8139.c.
    - debian/patches/CVE-2021-3416-8.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/pcnet.c.
    - debian/patches/CVE-2021-3416-9.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/cadence_gem.c.
    - debian/patches/CVE-2021-3416-10.patch: switch to use
      qemu_receive_packet() for loopback in hw/net/lan9118.c.
    - CVE-2021-3416
  * SECURITY UPDATE: DoS in USB redirector device
    - debian/patches/CVE-2021-3527-1.patch: avoid dynamic stack allocation
      in hw/usb/redirect.c.
    - debian/patches/CVE-2021-3527-2.patch: limit combined packets to 1 MiB
      in hw/usb/combined-packet.c.
    - CVE-2021-3527
  * SECURITY UPDATE: multiple issues in virtio vhost-user GPU device
    - debian/patches/CVE-2021-3544-1.patch: fix memory disclosure in
    - debian/patches/CVE-2021-3544-2.patch: fix resource leak in
    - debian/patches/CVE-2021-3544-3.patch: fix memory leak in
    - debian/patches/CVE-2021-3544-4.patch: fix memory leak in
    - debian/patches/CVE-2021-3544-5.patch: fix memory leak in
    - debian/patches/CVE-2021-3544-6.patch: fix memory leak in
    - debian/patches/CVE-2021-3544-7.patch: fix OOB write in
    - debian/patches/CVE-2021-3544-8.patch: abstract vg_cleanup_mapping_iov
      in contrib/vhost-user-gpu/vhost-user-gpu.c,
      contrib/vhost-user-gpu/virgl.c, contrib/vhost-user-gpu/vugpu.h.
    - CVE-2021-3544
    - CVE-2021-3545
    - CVE-2021-3546
  * SECURITY UPDATE: mremap overflow in the pvrdma device
    - debian/patches/CVE-2021-3582.patch: check lengths in
    - CVE-2021-3582
  * SECURITY UPDATE: integer overflow in pvrdma device
    - debian/patches/CVE-2021-3607.patch: ensure correct input on ring init
      in hw/rdma/vmw/pvrdma_main.c.
    - CVE-2021-3607
  * SECURITY UPDATE: uninitialized memory unmap in pvrdma device
    - debian/patches/CVE-2021-3608.patch: fix the ring init error flow in
    - CVE-2021-3608
  * SECURITY UPDATE: out-of-bounds access issue in ARM Generic Interrupt
    - debian/patches/CVE-2021-20221.patch: fix interrupt ID in GICD_SGIR
      register in hw/intc/arm_gic.c.
    - CVE-2021-20221
  * SECURITY UPDATE: infinite loop while processing transmit descriptors
    - debian/patches/CVE-2021-20257.patch: fail early for evil descriptor
      in hw/net/e1000.c.
    - CVE-2021-20257

qemu (1:5.0-5ubuntu9.8) groovy; urgency=medium

  * d/p/u/lp-1921754*: add EPYC-Rome-v2 as v1 missed IBRS and thereby fails
    on some HW/Guest combinations e.g. Windows 10 on Threadripper chips
    (LP: #1921754)
  * d/p/u/lp-1921880*: add EPYC-Milan features and named cpu type support
    (LP: #1921880)

qemu (1:5.0-5ubuntu9.7) groovy; urgency=medium

  * d/p/u/lp-1921468-*: fix issues handling boot menu index on s390x
    (LP: #1921468)
  * d/p/u/lp-1887535-configure-replace-enable-disable-git-update-with-wit.patch,
    d/rules: Backport --with-git-submodules param so building from git repo
    doesn't fail (LP: #1887535)
  * Fix byte aligned writes when writing to image stored on NFS
    server, as they aren't required to be 4kib aligned. (LP: #1921665)
    - d/p/u/lp-1921665-1-block-Require-aligned-image-size-to-avoid-assert.patch
    - d/p/u/lp-1921665-2-file-posix-Allow-byte-aligned-O_DIRECT-with-NFS.patch

Date: 2021-07-13 11:16:11.136285+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>