-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Jul 2020 18:40:28 +0300
Source: qemu
Architecture: source
Version: 1:2.8+dfsg-6+deb9u10
Distribution: stretch-security
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Closes: 865754 961887 961888 964793
Changes:
 qemu (1:2.8+dfsg-6+deb9u10) stretch-security; urgency=medium
 .
   * vnc-fix-memory-leak-when-vnc-disconnect-CVE-2019-20382.patch
     Fix misuse of libz in VNC disconnect, leading to memory leak
     Closes: CVE-2019-20382
   * scsi-lsi-exit-infinite-loop-while-executing-script-CVE-2019-12068.patch
     Fix possible infinite loop in lsi_execute_script (LSI SCSI adapter)
     Closes: CVE-2019-12068
   * iscsi-fix-heap-buffer-overflow-in-iscsi_aio_ioctl_cb.patch
     Fix heap buffer overflow in iSCSI's iscsi_aio_ioctl_cb()
   * slirp-fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
     Fix another use-after-free in ip_reass() in SLIRP code
     Closes: CVE-2020-1983
   * core-loader-fix-possible-crash-in-rom_copy-CVE-2020-13765.patch
     rom_copy() in hw/core/loader.c allows triggering invalid mem copy op.
     Closes: CVE-2020-13765
   * revert-memory-accept-mismatching-sizes-in-memory_region_access_va...patch
     Closes: CVE-2020-13754, possible OOB memory accesses in a bunch of
     qemu devices which use min_access_size and max_access_size
     Memory API fields.
     Also closes: CVE-2020-13791
   * acpi-accept-byte-and-word-access-to-core-ACPI-registers.patch
     replace acpi-tmr-allow-2-byte-reads.patch with a more complete patch
     Closes: #964793
   * xhci-fix-valid.max_access_size-to-access-address-registers.patch
     This is another issue revealed after the CVE-2020-13754 fix
   * exec-set-map-length-to-zero-when-returning-NULL-CVE-2020-13659.patch
     CVE-2020-13659: address_space_map in exec.c can trigger a NULL pointer
     dereference related to BounceBuffer
   * megasas-use-unsigned-type-for-reply_queue_head-and-check-index...patch
     Closes: #961887, CVE-2020-13362, megasas_lookup_frame in
     hw/scsi/megasas.c has an OOB read via a crafted reply_queue_head
     field from a guest OS user
   * megasas-use-unsigned-type-for-positive-numeric-fields.patch
     fix other possible cases like in CVE-2020-13362 (#961887)
   * 5 more security patches for megasas, avoid TOC-TOU (time-to-check vs
     time-to-use) issues reading various parameters from guest-supplied
     frame:
     megasas-do-not-read-sense-length-more-than-once-from-frame.patch
     megasas-do-not-read-iovec-count-more-than-once-from-frame.patch
     megasas-do-not-read-DCMD-opcode-more-than-once-from-frame.patch
     megasas-do-not-read-command-more-than-once-from-frame.patch
     megasas-do-not-read-SCSI-req-parameters-more-than-once-from-frame.patch
   * megasas-always-store-SCSIRequest-into-MegasasCmd-CVE-2017-9503.patch
     possible NULL-pointer dereference caused by privileged guest user
     in megasas hba command processing.
     Closes: #865754, CVE-2017-9503
   * megasas-fix-possible-out-of-bounds-array-access.patch
     Some tracepoints use a guest-controlled value as an index into the
     mfi_frame_desc[] array. Thus a malicious guest could cause a very
     low impact OOB error here
   * es1370-check-total-frame-count-against-current-frame-CVE-2020-13361.patch
     Closes: #961888, CVE-2020-13361, es1370_transfer_audio in
     hw/audio/es1370.c does not properly validate the frame count, which
     allows guest OS users to trigger an out-of-bounds access during an
     es1370_write() operation
   * slirp-drop-bogus-IPv6-messages-CVE-2020-10756.patch
     Closes: CVE-2020-10756, possible OOB read in icmp6_send_echoreply()
   * slirp-tcp_emu-fix-unsafe-snprintf-usages-CVE-2020-8608.patch
     (and a preparational patch, slirp-add-fmt-helpers.patch)
     Closes: CVE-2020-8608
   * xgmac-fix-buffer-overflow-in-xgmac_enet_send-CVE-2020-15863.patch
     ARM-only XGMAC NIC, possible buffer overflow during packet transmission
     Closes: CVE-2020-15863
Checksums-Sha1:
 a2af9f53ffd7bff180504dfd2e76f3fc61eb048f 5583 qemu_2.8+dfsg-6+deb9u10.dsc
 6471731adf873823bf127460af01aee5a74dd0d3 184208 qemu_2.8+dfsg-6+deb9u10.debian.tar.xz
 264fdfed79a69ae6f32047bb878296b41106ae35 7945 qemu_2.8+dfsg-6+deb9u10_source.buildinfo
Checksums-Sha256:
 e1ce6086242c33c8e89ee0d00f337767726b6df3ffc5e130bbde73af760f52bc 5583 qemu_2.8+dfsg-6+deb9u10.dsc
 22c9754e755e9eaf3c223e0f3f2052a4bbef569acb231041324ec61b49ae14a1 184208 qemu_2.8+dfsg-6+deb9u10.debian.tar.xz
 d46495e38bffb5cf3c81df687a0eb74e3270f3fd1b41d7b957a88137f00bda05 7945 qemu_2.8+dfsg-6+deb9u10_source.buildinfo
Files:
 8662bffda9502d73c5a4f672ceaf8e98 5583 otherosfs optional qemu_2.8+dfsg-6+deb9u10.dsc
 fdf946e1d0da2f0b03d9da44a960f921 184208 otherosfs optional qemu_2.8+dfsg-6+deb9u10.debian.tar.xz
 a5fc87fff870b41ede5b7ee5891ca2bb 7945 otherosfs optional qemu_2.8+dfsg-6+deb9u10_source.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----