MGASA-2024-0387 - Updated qemu packages fix security vulnerabilities

Publication date: 04 Dec 2024
URL: https://advisories.mageia.org/MGASA-2024-0387.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-1544,
     CVE-2023-3019,
     CVE-2023-3255,
     CVE-2023-5088,
     CVE-2023-6683,
     CVE-2023-6693,
     CVE-2023-42467,
     CVE-2024-24474,
     CVE-2024-26327,
     CVE-2024-26328,
     CVE-2024-3446,
     CVE-2024-3447,
     CVE-2024-4467,
     CVE-2024-7409,
     CVE-2024-8354,
     CVE-2024-8612

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA
device. This flaw allows a crafted guest driver to allocate and
initialize a huge number of page tables to be used as a ring of
descriptors for CQ and async events, potentially leading to an
out-of-bounds read and crash of QEMU. (CVE-2023-1544)

A DMA reentrancy issue leading to a use-after-free error was found in
the e1000e NIC emulation code in QEMU. This issue could allow a
privileged guest user to crash the QEMU process on the host, resulting
in a denial of service. (CVE-2023-3019)

A flaw was found in the QEMU built-in VNC server while processing
ClientCutText messages. A wrong exit condition may lead to an infinite
loop when inflating an attacker-controlled zlib buffer in the
`inflate_buffer` function. This could allow a remote authenticated
client who is able to send a clipboard to the VNC server to trigger a
denial of service. (CVE-2023-3255)

A bug in QEMU could cause a guest I/O operation otherwise addressed to
an arbitrary disk offset to be targeted to offset 0 instead (potentially
overwriting the VM's boot code). This could be used, for example, by L2
guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1
(vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1,
potentially gaining control of L1 at its next reboot. (CVE-2023-5088)

A flaw was found in the QEMU built-in VNC server while processing
ClientCutText messages. The qemu_clipboard_request() function can be
reached before vnc_server_cut_text_caps() was called and had the chance
to initialize the clipboard peer, leading to a NULL pointer dereference.
This could allow a malicious authenticated VNC client to crash QEMU and
trigger a denial of service. (CVE-2023-6683)

A stack-based buffer overflow was found in the virtio-net device of
QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx
function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1
and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious
user to overwrite local variables allocated on the stack. Specifically,
the `out_sg` variable could be used to read a part of process memory and
send it to the wire, causing an information leak. (CVE-2023-6693)

QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset
in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not
prevent s->qdev.blocksize from being 256. This stops QEMU and the guest
immediately. (CVE-2023-42467)

QEMU before 8.2.0 has an integer underflow, and resultant buffer
overflow, via a TI command when an expected non-DMA transfer length is
less than the length of the available FIFO data. This occurs in
esp_do_nodma in hw/scsi/esp.c because of an underflow of async_len.
(CVE-2024-24474)

An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in
hw/pci/pcie_sriov.c mishandles the situation where a guest writes NumVFs
greater than TotalVFs, leading to a buffer overflow in VF
implementations. (CVE-2024-26327)

An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in
hw/pci/pcie_sriov.c does not set NumVFs to PCI_SRIOV_TOTAL_VF, and thus
interaction with hw/nvme/ctrl.c is mishandled. (CVE-2024-26328)

A double free vulnerability was found in QEMU virtio devices
(virtio-gpu, virtio-serial-bus, virtio-crypto), where the
mem_reentrancy_guard flag insufficiently protects against DMA reentrancy
issues. This issue could allow a malicious privileged guest user to
crash the QEMU process on the host, resulting in a denial of service or
allow arbitrary code execution within the context of the QEMU process on
the host. (CVE-2024-3446)

A heap-based buffer overflow was found in the SDHCI device emulation of
QEMU. The bug is triggered when both `s->data_count` and the size of
`s->fifo_buffer` are set to 0x200, leading to an out-of-bounds access. A
malicious guest could use this flaw to crash the QEMU process on the
host, resulting in a denial of service condition. (CVE-2024-3447)

A flaw was found in the QEMU disk image utility (qemu-img) 'info'
command. A specially crafted image file containing a `json:{}` value
describing block devices in QMP could cause the qemu-img process on the
host to consume large amounts of memory or CPU time, leading to denial
of service or read/write to an existing external file. (CVE-2024-4467)

A flaw was found in the QEMU NBD Server. This vulnerability allows a
denial of service (DoS) attack via improper synchronization during
socket closure when a client keeps a socket open as the server is taken
offline. (CVE-2024-7409)

A flaw was found in QEMU. An assertion failure was present in the
usb_ep_get() function in hw/net/core.c when trying to get the USB
endpoint from a USB device. This flaw may allow a malicious unprivileged
guest user to crash the QEMU process on the host and cause a denial of
service condition. (CVE-2024-8354)

A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and
virtio-crypto devices. The size for virtqueue_push as set in
virtio_scsi_complete_req / virtio_blk_req_complete /
virtio_crypto_req_complete could be larger than the true size of the
data which has been sent to guest. Once virtqueue_push() finally calls
dma_memory_unmap to unmap the in_iov, it may call the
address_space_write function to write back the data. Some uninitialized
data may exist in the bounce.buffer, leading to an information leak.
(CVE-2024-8612)

References:
- https://bugs.mageia.org/show_bug.cgi?id=33074
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ES5DXAAMYUC767MUW4BPRP6ZPDL6SUW6/
- https://lists.suse.com/pipermail/sle-updates/2024-April/035064.html
- https://lwn.net/Articles/971720/
- https://lists.suse.com/pipermail/sle-updates/2024-August/036644.html
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/HL7L7OSCUZ44UAQCOB6IUOFBWKV6ECP2/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1544
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3019
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3255
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5088
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6683
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6693
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42467
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24474
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26327
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26328
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3446
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3447
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4467
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7409
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8354
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8612

SRPMS:
- 9/core/qemu-7.2.15-1.mga9
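Added verification example, not part of the Mageia advisory: the fixed build above is only useful to an administrator who can tell whether the package on a host is at or past it, and RPM version ordering is not plain string or float comparison. The Python below reimplements rpm's rpmvercmp() ordering (digit and letter segments, `~` for pre-releases sorting before the base version, `^` for post-releases sorting after it) and compares an installed epoch:version-release (EVR) against `7.2.15-1.mga9`. The sample installed EVRs in the block are constructed, and the `(none)` epoch form is what `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' qemu` prints on a package without an epoch.

```python
"""Compare an installed qemu EVR against the fixed build named in MGASA-2024-0387.

Added example, not part of the advisory: the ordering reimplements rpm's
rpmvercmp(); the sample EVRs at the bottom are constructed, not observed.
"""
import re

# Fixed build taken from the advisory's SRPMS line; it carries no epoch.
FIXED_QEMU_EVR = "7.2.15-1.mga9"

_DIGITS = re.compile(r"[0-9]+")
_ALPHAS = re.compile(r"[A-Za-z]+")


def _is_seg_char(ch: str) -> bool:
    # rpm treats only ASCII alphanumerics, '~' and '^' as significant.
    return bool(re.match(r"[0-9A-Za-z~^]", ch))


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b (rpmvercmp rules)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators such as '.', '-' or '_' only delimit segments.
        while i < len(a) and not _is_seg_char(a[i]):
            i += 1
        while j < len(b) and not _is_seg_char(b[j]):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            # '~' sorts before anything, including end of string (pre-release).
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        a_caret = i < len(a) and a[i] == "^"
        b_caret = j < len(b) and b[j] == "^"
        if a_caret or b_caret:
            # '^' sorts after end of string but before anything else (post-release).
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # The segment type (numeric or alpha) is decided by a's next character.
        isnum = a[i].isdigit()
        pat = _DIGITS if isnum else _ALPHAS
        seg_a = pat.match(a, i).group(0)
        mb = pat.match(b, j)
        seg_b = mb.group(0) if mb else ""
        i += len(seg_a)
        j += len(seg_b)
        if not seg_b:
            # Mixed types at this position: a numeric segment is newer than an alpha one.
            return 1 if isnum else -1
        if isnum:
            seg_a = seg_a.lstrip("0")
            seg_b = seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever string still has segments left is the newer one.
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release'; a missing or '(none)' epoch counts as 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e in ("", "(none)") else int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Epoch first, then version, then release, as rpm orders packages."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    return rc if rc else rpmvercmp(ra, rb)


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_QEMU_EVR) -> bool:
    return evr_cmp(installed_evr, fixed_evr) >= 0


def audit(installed_evrs, fixed_evr: str = FIXED_QEMU_EVR):
    """Map each installed EVR to True (fixed) or False (still affected)."""
    return {evr: is_fixed(evr, fixed_evr) for evr in installed_evrs}


if __name__ == "__main__":
    # Constructed sample EVRs, not taken from any real Mageia system.
    samples = ["7.2.7-1.mga9", "7.2.15~rc1-1.mga9", "7.2.15-1.mga9",
               "7.2.15-2.mga9", "(none):7.2.15-1.mga9", "1:7.2.7-1.mga9"]
    for evr, ok in audit(samples).items():
        print(f"{evr:24s} {'fixed' if ok else 'affected, update to ' + FIXED_QEMU_EVR}")
```

Note that an epoch outranks any version, so a hypothetical `1:7.2.7-1.mga9` is reported as fixed; that is rpm's ordering, not a bug, and is why the comparison must be done on the full EVR rather than on the version alone. The binary subpackages built from the qemu SRPM normally share its version-release, so the same check applies to whichever qemu subpackage a host has installed.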
