Security update for kvm SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:14706-1 Final 1 1 2021-04-23T15:32:45Z current 2021-04-23T15:32:45Z 2021-04-23T15:32:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for kvm This update for kvm fixes the following issues: - Fix OOB read and write due to integer overflow in sm501_2d_operation() in hw/display/sm501.c (CVE-2020-12829, bsc#1172385) - Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383) - Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934) - Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673) - Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682) - Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684) - Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108) - Fix DoS in e1000 emulated device (CVE-2021-20257 bsc#1182577) - Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467) - Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441) - Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137) - Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425) - Fix use-after-free in slirp (CVE-2019-15890 bsc#1149811) - Fix for similar problems as for the original fix prompting this issue (CVE-2019-6778 bsc#1123156) - Fix potential OOB accesses in slirp (CVE-2020-8608 bsc#1163018 CVE-2020-7039 bsc#1161066) - Fix use after free in slirp (CVE-2020-1983 bsc#1170940) - Fix potential DOS in lsi scsi controller emulation (CVE-2019-12068 bsc#1146873) - Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384) - Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sleposp3-kvm-14706 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ Link for SUSE-SU-2021:14706-1 https://lists.suse.com/pipermail/sle-security-updates/2021-April/008673.html E-Mail link for SUSE-SU-2021:14706-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1123156 SUSE Bug 1123156 https://bugzilla.suse.com/1146873 SUSE Bug 1146873 https://bugzilla.suse.com/1149811 SUSE Bug 1149811 https://bugzilla.suse.com/1161066 SUSE Bug 1161066 https://bugzilla.suse.com/1163018 SUSE Bug 1163018 https://bugzilla.suse.com/1170940 SUSE Bug 1170940 https://bugzilla.suse.com/1172383 SUSE Bug 1172383 https://bugzilla.suse.com/1172384 SUSE Bug 1172384 https://bugzilla.suse.com/1172385 SUSE Bug 1172385 https://bugzilla.suse.com/1172478 SUSE Bug 1172478 https://bugzilla.suse.com/1175441 SUSE Bug 1175441 https://bugzilla.suse.com/1176673 SUSE Bug 1176673 https://bugzilla.suse.com/1176682 SUSE Bug 1176682 https://bugzilla.suse.com/1176684 SUSE Bug 1176684 https://bugzilla.suse.com/1178934 SUSE Bug 1178934 https://bugzilla.suse.com/1179467 SUSE Bug 1179467 https://bugzilla.suse.com/1181108 SUSE Bug 1181108 https://bugzilla.suse.com/1182137 SUSE Bug 1182137 https://bugzilla.suse.com/1182425 SUSE Bug 1182425 https://bugzilla.suse.com/1182577 SUSE Bug 1182577 https://www.suse.com/security/cve/CVE-2014-3689/ SUSE CVE CVE-2014-3689 page https://www.suse.com/security/cve/CVE-2015-1779/ SUSE CVE CVE-2015-1779 page https://www.suse.com/security/cve/CVE-2019-12068/ SUSE CVE CVE-2019-12068 page https://www.suse.com/security/cve/CVE-2019-15890/ SUSE CVE CVE-2019-15890 page https://www.suse.com/security/cve/CVE-2019-6778/ SUSE CVE CVE-2019-6778 page https://www.suse.com/security/cve/CVE-2020-12829/ SUSE CVE CVE-2020-12829 page https://www.suse.com/security/cve/CVE-2020-13361/ SUSE CVE CVE-2020-13361 page https://www.suse.com/security/cve/CVE-2020-13362/ SUSE CVE CVE-2020-13362 page https://www.suse.com/security/cve/CVE-2020-13765/ SUSE CVE CVE-2020-13765 page https://www.suse.com/security/cve/CVE-2020-14364/ SUSE CVE CVE-2020-14364 page https://www.suse.com/security/cve/CVE-2020-1983/ SUSE CVE CVE-2020-1983 page https://www.suse.com/security/cve/CVE-2020-25084/ SUSE CVE CVE-2020-25084 page https://www.suse.com/security/cve/CVE-2020-25624/ SUSE CVE CVE-2020-25624 page https://www.suse.com/security/cve/CVE-2020-25625/ SUSE CVE CVE-2020-25625 page https://www.suse.com/security/cve/CVE-2020-25723/ SUSE CVE CVE-2020-25723 page https://www.suse.com/security/cve/CVE-2020-29130/ SUSE CVE CVE-2020-29130 page https://www.suse.com/security/cve/CVE-2020-29443/ SUSE CVE CVE-2020-29443 page https://www.suse.com/security/cve/CVE-2020-7039/ SUSE CVE CVE-2020-7039 page https://www.suse.com/security/cve/CVE-2020-8608/ SUSE CVE CVE-2020-8608 page https://www.suse.com/security/cve/CVE-2021-20181/ SUSE CVE CVE-2021-20181 page https://www.suse.com/security/cve/CVE-2021-20257/ SUSE CVE CVE-2021-20257 page SUSE Linux Enterprise Point of Sale 11 SP3 kvm-1.4.2-53.38.1 kvm-1.4.2-53.38.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling. CVE-2014-3689 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2014-3689.html CVE-2014-3689 https://bugzilla.suse.com/1072223 SUSE Bug 1072223 https://bugzilla.suse.com/1189862 SUSE Bug 1189862 https://bugzilla.suse.com/901508 SUSE Bug 901508 https://bugzilla.suse.com/962611 SUSE Bug 962611 The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section. CVE-2015-1779 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 moderate 6.8 AV:N/AC:L/Au:S/C:N/I:N/A:C 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2015-1779.html CVE-2015-1779 https://bugzilla.suse.com/924018 SUSE Bug 924018 https://bugzilla.suse.com/962632 SUSE Bug 962632 In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well. CVE-2019-12068 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2019-12068.html CVE-2019-12068 https://bugzilla.suse.com/1146873 SUSE Bug 1146873 https://bugzilla.suse.com/1146874 SUSE Bug 1146874 https://bugzilla.suse.com/1178658 SUSE Bug 1178658 libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. CVE-2019-15890 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2019-15890.html CVE-2019-15890 https://bugzilla.suse.com/1149811 SUSE Bug 1149811 https://bugzilla.suse.com/1149813 SUSE Bug 1149813 https://bugzilla.suse.com/1178658 SUSE Bug 1178658 In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow. CVE-2019-6778 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2019-6778.html CVE-2019-6778 https://bugzilla.suse.com/1123156 SUSE Bug 1123156 https://bugzilla.suse.com/1123157 SUSE Bug 1123157 https://bugzilla.suse.com/1178658 SUSE Bug 1178658 In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service. CVE-2020-12829 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 moderate 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2020-12829.html CVE-2020-12829 https://bugzilla.suse.com/1172385 SUSE Bug 1172385 In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation. CVE-2020-13361 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 low 3.3 AV:L/AC:M/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2020-13361.html CVE-2020-13361 https://bugzilla.suse.com/1172384 SUSE Bug 1172384 In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user. CVE-2020-13362 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 low 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2020-13362.html CVE-2020-13362 https://bugzilla.suse.com/1172383 SUSE Bug 1172383 rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation. CVE-2020-13765 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2020-13765.html CVE-2020-13765 https://bugzilla.suse.com/1172478 SUSE Bug 1172478 An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. CVE-2020-14364 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2020-14364.html CVE-2020-14364 https://bugzilla.suse.com/1175441 SUSE Bug 1175441 https://bugzilla.suse.com/1175534 SUSE Bug 1175534 https://bugzilla.suse.com/1176494 SUSE Bug 1176494 https://bugzilla.suse.com/1177130 SUSE Bug 1177130 A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service. CVE-2020-1983 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 important 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2020-1983.html CVE-2020-1983 https://bugzilla.suse.com/1170940 SUSE Bug 1170940 QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. CVE-2020-25084 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2020-25084.html CVE-2020-25084 https://bugzilla.suse.com/1176673 SUSE Bug 1176673 hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver. CVE-2020-25624 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2020-25624.html CVE-2020-25624 https://bugzilla.suse.com/1176682 SUSE Bug 1176682 hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. CVE-2020-25625 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 low 4.7 AV:L/AC:M/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2020-25625.html CVE-2020-25625 https://bugzilla.suse.com/1176684 SUSE Bug 1176684 A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service. CVE-2020-25723 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 low 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2020-25723.html CVE-2020-25723 https://bugzilla.suse.com/1178934 SUSE Bug 1178934 https://bugzilla.suse.com/1178935 SUSE Bug 1178935 slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. CVE-2020-29130 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2020-29130.html CVE-2020-29130 https://bugzilla.suse.com/1178658 SUSE Bug 1178658 https://bugzilla.suse.com/1179467 SUSE Bug 1179467 https://bugzilla.suse.com/1179477 SUSE Bug 1179477 ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. CVE-2020-29443 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 moderate 3.3 AV:L/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2020-29443.html CVE-2020-29443 https://bugzilla.suse.com/1181108 SUSE Bug 1181108 tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code. CVE-2020-7039 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2020-7039.html CVE-2020-7039 https://bugzilla.suse.com/1161066 SUSE Bug 1161066 In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code. CVE-2020-8608 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2020-8608.html CVE-2020-8608 https://bugzilla.suse.com/1163018 SUSE Bug 1163018 https://bugzilla.suse.com/1163019 SUSE Bug 1163019 A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability. CVE-2021-20181 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 important 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2021-20181.html CVE-2021-20181 https://bugzilla.suse.com/1182137 SUSE Bug 1182137 An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVE-2021-20257 SUSE Linux Enterprise Point of Sale 11 SP3:kvm-1.4.2-53.38.1 low 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114706-1/ https://www.suse.com/security/cve/CVE-2021-20257.html CVE-2021-20257 https://bugzilla.suse.com/1182577 SUSE Bug 1182577 https://bugzilla.suse.com/1182846 SUSE Bug 1182846