There are 35 open security issues in buster.
9 important issues:
- CVE-2020-27821:
A flaw was found in the memory management API of QEMU during the initialization of a memory region cache. This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0.
- CVE-2021-20181:
- CVE-2021-20203:
An integer overflow issue was found in the vmxnet3 NIC emulator of QEMU for versions up to v5.2.0. It may occur if a guest were to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host, resulting in a DoS scenario.
- CVE-2021-20221:
- CVE-2021-20255:
- CVE-2021-20257:
- CVE-2021-3392:
- CVE-2021-3409:
- CVE-2021-3416:
25 issues left for the package maintainer to handle:
- CVE-2019-12067:
(postponed; to be fixed through a stable update)
- CVE-2020-13253:
(postponed; to be fixed through a stable update)
sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.
- CVE-2020-14394:
(postponed; to be fixed through a stable update)
- CVE-2020-15469:
(postponed; to be fixed through a stable update)
In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
- CVE-2020-15859:
(postponed; to be fixed through a stable update)
QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.
- CVE-2020-17380:
(postponed; to be fixed through a stable update)
A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.
- CVE-2020-25084:
(postponed; to be fixed through a stable update)
QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
- CVE-2020-25085:
(postponed; to be fixed through a stable update)
QEMU 5.0.0 has a heap-based buffer overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case.
- CVE-2020-25624:
(postponed; to be fixed through a stable update)
hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.
- CVE-2020-25625:
(postponed; to be fixed through a stable update)
hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop.
- CVE-2020-25723:
(postponed; to be fixed through a stable update)
A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.
- CVE-2020-25741:
(postponed; to be fixed through a stable update)
fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
- CVE-2020-25742:
(postponed; to be fixed through a stable update)
pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
- CVE-2020-25743:
(postponed; to be fixed through a stable update)
hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
- CVE-2020-27617:
(postponed; to be fixed through a stable update)
eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol.
- CVE-2020-27661:
(postponed; to be fixed through a stable update)
- CVE-2020-28916:
(postponed; to be fixed through a stable update)
hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
- CVE-2020-29129:
(postponed; to be fixed through a stable update)
ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
- CVE-2020-29130:
(postponed; to be fixed through a stable update)
slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
- CVE-2020-29443:
(postponed; to be fixed through a stable update)
ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated.
- CVE-2020-35503:
(postponed; to be fixed through a stable update)
- CVE-2020-35504:
(postponed; to be fixed through a stable update)
- CVE-2020-35505:
(postponed; to be fixed through a stable update)
- CVE-2020-35506:
(postponed; to be fixed through a stable update)
- CVE-2021-20196:
(postponed; to be fixed through a stable update)
You can find information about how to handle these issues in the security team's documentation.
1 ignored issue:
- CVE-2019-8934:
hw/ppc/spapr.c in QEMU through 3.1.0 allows information exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.