Security update for kvm SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:14704-1 Final 1 1 2021-04-20T12:35:06Z current 2021-04-20T12:35:06Z 2021-04-20T12:35:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for kvm This update for kvm fixes the following issues: - Fix OOB read and write due to integer overflow in sm501_2d_operation() in hw/display/sm501.c (CVE-2020-12829, bsc#1172385) - Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383) - Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934) - Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673) - Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682) - Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684) - Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108) - Fix DoS in e1000 emulated device (CVE-2021-20257 bsc#1182577) - Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467) - Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441) - Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137) - Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425) - Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384) - Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). slessp4-kvm-14704 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ Link for SUSE-SU-2021:14704-1 https://lists.suse.com/pipermail/sle-security-updates/2021-April/008660.html E-Mail link for SUSE-SU-2021:14704-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1172383 SUSE Bug 1172383 https://bugzilla.suse.com/1172384 SUSE Bug 1172384 https://bugzilla.suse.com/1172385 SUSE Bug 1172385 https://bugzilla.suse.com/1172478 SUSE Bug 1172478 https://bugzilla.suse.com/1175441 SUSE Bug 1175441 https://bugzilla.suse.com/1176673 SUSE Bug 1176673 https://bugzilla.suse.com/1176682 SUSE Bug 1176682 https://bugzilla.suse.com/1176684 SUSE Bug 1176684 https://bugzilla.suse.com/1178934 SUSE Bug 1178934 https://bugzilla.suse.com/1179467 SUSE Bug 1179467 https://bugzilla.suse.com/1181108 SUSE Bug 1181108 https://bugzilla.suse.com/1182137 SUSE Bug 1182137 https://bugzilla.suse.com/1182425 SUSE Bug 1182425 https://bugzilla.suse.com/1182577 SUSE Bug 1182577 https://www.suse.com/security/cve/CVE-2014-3689/ SUSE CVE CVE-2014-3689 page https://www.suse.com/security/cve/CVE-2015-1779/ SUSE CVE CVE-2015-1779 page https://www.suse.com/security/cve/CVE-2020-12829/ SUSE CVE CVE-2020-12829 page https://www.suse.com/security/cve/CVE-2020-13361/ SUSE CVE CVE-2020-13361 page https://www.suse.com/security/cve/CVE-2020-13362/ SUSE CVE CVE-2020-13362 page https://www.suse.com/security/cve/CVE-2020-13765/ SUSE CVE CVE-2020-13765 page https://www.suse.com/security/cve/CVE-2020-14364/ SUSE CVE CVE-2020-14364 page https://www.suse.com/security/cve/CVE-2020-25084/ SUSE CVE CVE-2020-25084 page https://www.suse.com/security/cve/CVE-2020-25624/ SUSE CVE CVE-2020-25624 page https://www.suse.com/security/cve/CVE-2020-25625/ SUSE CVE CVE-2020-25625 page https://www.suse.com/security/cve/CVE-2020-25723/ SUSE CVE CVE-2020-25723 page https://www.suse.com/security/cve/CVE-2020-29130/ SUSE CVE CVE-2020-29130 page https://www.suse.com/security/cve/CVE-2020-29443/ SUSE CVE CVE-2020-29443 page https://www.suse.com/security/cve/CVE-2021-20181/ SUSE CVE CVE-2021-20181 page https://www.suse.com/security/cve/CVE-2021-20257/ SUSE CVE CVE-2021-20257 page SUSE Linux Enterprise Server 11 SP4-LTSS kvm-1.4.2-60.34.1 kvm-1.4.2-60.34.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling. CVE-2014-3689 SUSE Linux Enterprise Server 11 SP4-LTSS:kvm-1.4.2-60.34.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ https://www.suse.com/security/cve/CVE-2014-3689.html CVE-2014-3689 https://bugzilla.suse.com/1072223 SUSE Bug 1072223 https://bugzilla.suse.com/1189862 SUSE Bug 1189862 https://bugzilla.suse.com/901508 SUSE Bug 901508 https://bugzilla.suse.com/962611 SUSE Bug 962611 The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section. CVE-2015-1779 SUSE Linux Enterprise Server 11 SP4-LTSS:kvm-1.4.2-60.34.1 moderate 6.8 AV:N/AC:L/Au:S/C:N/I:N/A:C 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ https://www.suse.com/security/cve/CVE-2015-1779.html CVE-2015-1779 https://bugzilla.suse.com/924018 SUSE Bug 924018 https://bugzilla.suse.com/962632 SUSE Bug 962632 In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service. CVE-2020-12829 SUSE Linux Enterprise Server 11 SP4-LTSS:kvm-1.4.2-60.34.1 moderate 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ https://www.suse.com/security/cve/CVE-2020-12829.html CVE-2020-12829 https://bugzilla.suse.com/1172385 SUSE Bug 1172385 In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation. CVE-2020-13361 SUSE Linux Enterprise Server 11 SP4-LTSS:kvm-1.4.2-60.34.1 low 3.3 AV:L/AC:M/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ https://www.suse.com/security/cve/CVE-2020-13361.html CVE-2020-13361 https://bugzilla.suse.com/1172384 SUSE Bug 1172384 In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user. CVE-2020-13362 SUSE Linux Enterprise Server 11 SP4-LTSS:kvm-1.4.2-60.34.1 low 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ https://www.suse.com/security/cve/CVE-2020-13362.html CVE-2020-13362 https://bugzilla.suse.com/1172383 SUSE Bug 1172383 rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation. CVE-2020-13765 SUSE Linux Enterprise Server 11 SP4-LTSS:kvm-1.4.2-60.34.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ https://www.suse.com/security/cve/CVE-2020-13765.html CVE-2020-13765 https://bugzilla.suse.com/1172478 SUSE Bug 1172478 An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. CVE-2020-14364 SUSE Linux Enterprise Server 11 SP4-LTSS:kvm-1.4.2-60.34.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ https://www.suse.com/security/cve/CVE-2020-14364.html CVE-2020-14364 https://bugzilla.suse.com/1175441 SUSE Bug 1175441 https://bugzilla.suse.com/1175534 SUSE Bug 1175534 https://bugzilla.suse.com/1176494 SUSE Bug 1176494 https://bugzilla.suse.com/1177130 SUSE Bug 1177130 QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. CVE-2020-25084 SUSE Linux Enterprise Server 11 SP4-LTSS:kvm-1.4.2-60.34.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ https://www.suse.com/security/cve/CVE-2020-25084.html CVE-2020-25084 https://bugzilla.suse.com/1176673 SUSE Bug 1176673 hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver. CVE-2020-25624 SUSE Linux Enterprise Server 11 SP4-LTSS:kvm-1.4.2-60.34.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ https://www.suse.com/security/cve/CVE-2020-25624.html CVE-2020-25624 https://bugzilla.suse.com/1176682 SUSE Bug 1176682 hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. CVE-2020-25625 SUSE Linux Enterprise Server 11 SP4-LTSS:kvm-1.4.2-60.34.1 low 4.7 AV:L/AC:M/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ https://www.suse.com/security/cve/CVE-2020-25625.html CVE-2020-25625 https://bugzilla.suse.com/1176684 SUSE Bug 1176684 A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service. CVE-2020-25723 SUSE Linux Enterprise Server 11 SP4-LTSS:kvm-1.4.2-60.34.1 low 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ https://www.suse.com/security/cve/CVE-2020-25723.html CVE-2020-25723 https://bugzilla.suse.com/1178934 SUSE Bug 1178934 https://bugzilla.suse.com/1178935 SUSE Bug 1178935 slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. CVE-2020-29130 SUSE Linux Enterprise Server 11 SP4-LTSS:kvm-1.4.2-60.34.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ https://www.suse.com/security/cve/CVE-2020-29130.html CVE-2020-29130 https://bugzilla.suse.com/1178658 SUSE Bug 1178658 https://bugzilla.suse.com/1179467 SUSE Bug 1179467 https://bugzilla.suse.com/1179477 SUSE Bug 1179477 ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. CVE-2020-29443 SUSE Linux Enterprise Server 11 SP4-LTSS:kvm-1.4.2-60.34.1 moderate 3.3 AV:L/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ https://www.suse.com/security/cve/CVE-2020-29443.html CVE-2020-29443 https://bugzilla.suse.com/1181108 SUSE Bug 1181108 A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability. CVE-2021-20181 SUSE Linux Enterprise Server 11 SP4-LTSS:kvm-1.4.2-60.34.1 important 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ https://www.suse.com/security/cve/CVE-2021-20181.html CVE-2021-20181 https://bugzilla.suse.com/1182137 SUSE Bug 1182137 An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVE-2021-20257 SUSE Linux Enterprise Server 11 SP4-LTSS:kvm-1.4.2-60.34.1 low 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114704-1/ https://www.suse.com/security/cve/CVE-2021-20257.html CVE-2021-20257 https://bugzilla.suse.com/1182577 SUSE Bug 1182577 https://bugzilla.suse.com/1182846 SUSE Bug 1182846