[manjaro-security] [ASA-202012-26] qemu: multiple issues

Morten Linderud via arch-security arch-security at lists.archlinux.org
Thu Dec 31 14:14:05 CET 2020

Arch Linux Security Advisory ASA-202012-26

Severity: Medium
Date    : 2020-12-16
CVE-ID  : CVE-2020-14364 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723
Package : qemu
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-1300

Summary
=======

The package qemu before version 5.2.0-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 5.2.0-1.

# pacman -Syu "qemu>=5.2.0-1"

The problems have been fixed upstream in version 5.2.0.

Description
===========

- CVE-2020-14364 (arbitrary code execution)

An out-of-bounds read/write access flaw was found in the USB emulator
of QEMU in versions before 5.2.0. This issue occurs while processing
USB packets from a guest when the USBDevice 'setup_len' exceeds its
'data_buf[4096]' in the do_token_in and do_token_out routines. This
flaw allows a guest user to crash the QEMU process, resulting in a
denial of service, or potentially to execute arbitrary code with the
privileges of the QEMU process on the host.

- CVE-2020-25624 (arbitrary code execution)

A flaw was found in QEMU before version 5.2.0. An out-of-bounds
read/write access issue was found in the USB OHCI controller emulator.
The issue could occur while servicing transfer descriptors (TD), as the
OHCI controller derives the variables 'start_addr', 'end_addr', and
'len' from values supplied by the host controller driver. The host
controller driver may supply values such that using these variables
leads to an out-of-bounds access, which a guest user/process may use to
crash the QEMU process on the host, resulting in a denial of service
(DoS) scenario. The highest threat from this vulnerability is to data
confidentiality and integrity as well as system availability.

- CVE-2020-25625 (denial of service)

An infinite loop issue was found in the USB OHCI controller emulator of
QEMU before version 5.2.0. It could occur while servicing OHCI
isochronous transfer descriptors (TD) in the ohci_service_iso_td
routine, as it retires a TD if it has passed its time frame. While
doing so it does not check whether the TD was already processed once
and holds an error code in TD_CC. This may happen if the TD list
contains a loop.

A guest user/process may use this flaw to consume CPU cycles on the
host, resulting in a DoS scenario.

- CVE-2020-25723 (denial of service)

A reachable assertion issue was found in the USB EHCI emulation code of
QEMU before version 5.2.0. It could occur while processing USB requests
due to missing handling of DMA memory map failure. A malicious
privileged user within the guest may abuse this flaw to send bogus USB
requests and crash the QEMU process on the host, resulting in a denial
of service.

- CVE-2020-28916 (denial of service)

An infinite loop issue was found in the e1000e device emulator in QEMU
before version 5.2.0. The issue could occur while receiving packets via
the e1000e_write_packet_to_guest() routine, if the receive (RX)
descriptor has a NULL buffer address. A privileged guest user may use
this flaw to induce a DoS scenario on the host.
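The CVE-2020-14364 entry above boils down to a guest-controlled transfer length being trusted against a fixed 4096-byte staging buffer. The following is an added illustration, not QEMU's code: a minimal model in which the SETUP stage bounds the guest's wLength against the buffer before any IN token is serviced, and the IN path clamps its copy to what was staged. All names (usb_model_dev, setup_model, token_in_model, RET_STALL) are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DATA_BUF_SIZE 4096     /* same size as the advisory's data_buf */
#define RET_STALL     (-1)     /* hypothetical code: request rejected */

/* Hypothetical device model; mirrors the advisory's field names only. */
struct usb_model_dev {
    uint8_t data_buf[DATA_BUF_SIZE];
    int     setup_len;    /* wLength taken from the guest's SETUP packet */
    int     setup_index;  /* bytes of the setup stage already transferred */
};

/* SETUP stage: wLength (bytes 6..7 of the 8-byte SETUP packet) is chosen
 * by the guest. It is checked against the staging buffer here, so a value
 * above DATA_BUF_SIZE never reaches the IN/OUT token handlers. */
int setup_model(struct usb_model_dev *d, const uint8_t setup[8])
{
    int wLength = setup[6] | (setup[7] << 8);
    if (wLength > DATA_BUF_SIZE) {
        d->setup_len = 0;         /* nothing staged; later tokens move 0 bytes */
        return RET_STALL;
    }
    d->setup_len = wLength;
    d->setup_index = 0;
    return 0;
}

/* IN token: hand at most the remaining staged bytes to the guest. The copy
 * length is clamped to setup_len - setup_index, and setup_len itself was
 * bounded by DATA_BUF_SIZE in setup_model, so the read stays in data_buf.
 * Returns the number of bytes copied. */
int token_in_model(struct usb_model_dev *d, uint8_t *out, int len)
{
    int remaining = d->setup_len - d->setup_index;
    if (remaining <= 0 || len <= 0)
        return 0;
    if (len > remaining)
        len = remaining;
    memcpy(out, d->data_buf + d->setup_index, (size_t)len);
    d->setup_index += len;
    return len;
}
```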

Impact
======

A guest might be able to cause a denial of service or execute arbitrary
code on the host.

