* SECURITY UPDATE: out-of-bounds read in slirp networking
- debian/patches/CVE-2020-10756.patch: drop bogus IPv6 messages in
slirp/src/ip6_input.c.
- CVE-2020-10756
* SECURITY UPDATE: out-of-bounds read and write in sm501
- debian/patches/CVE-2020-12829-pre1.patch: use values from the pitch
register for 2D operations.
- debian/patches/CVE-2020-12829-pre2.patch: implement negated
destination raster operation mode.
- debian/patches/CVE-2020-12829-pre3.patch: log unimplemented raster
operation modes.
- debian/patches/CVE-2020-12829-pre4.patch: fix support for non-zero
frame buffer start address.
- debian/patches/CVE-2020-12829-pre5.patch: set updated region dirty
after 2D operation.
- debian/patches/CVE-2020-12829-pre6.patch: adjust endianness of pixel
value in rectangle fill.
- debian/patches/CVE-2020-12829-pre7.patch: convert printf +
abort to qemu_log_mask.
- debian/patches/CVE-2020-12829-pre8.patch: shorten long
variable names in sm501_2d_operation.
- debian/patches/CVE-2020-12829-pre9.patch: use BIT(x) macro to
shorten constant.
- debian/patches/CVE-2020-12829-pre10.patch: clean up local
variables in sm501_2d_operation.
- debian/patches/CVE-2020-12829.patch: replace hand written
implementation with pixman where possible.
- debian/patches/CVE-2020-12829-2.patch: optimize small overlapping
blits.
- debian/patches/CVE-2020-12829-3.patch: fix bounds checks.
- debian/patches/CVE-2020-12829-4.patch: drop unneeded variable.
- debian/patches/CVE-2020-12829-5.patch: do not allow guest to set
invalid format.
- debian/patches/CVE-2020-12829-6.patch: introduce variable for
commonly used value for better readability.
- debian/patches/CVE-2020-12829-7.patch: fix and optimize overlap
check.
- CVE-2020-12829
* SECURITY UPDATE: out-of-bounds read during sdhci_write() operations
- debian/patches/CVE-2020-13253.patch: do not switch to ReceivingData
if address is invalid in hw/sd/sd.c.
- CVE-2020-13253
* SECURITY UPDATE: out-of-bounds access during es1370_write() operation
- debian/patches/CVE-2020-13361.patch: check total frame count against
current frame in hw/audio/es1370.c.
- CVE-2020-13361
* SECURITY UPDATE: out-of-bounds read via crafted reply_queue_head
- debian/patches/CVE-2020-13362-1.patch: use unsigned type for
reply_queue_head and check index in hw/scsi/megasas.c.
- debian/patches/CVE-2020-13362-2.patch: avoid NULL pointer dereference
in hw/scsi/megasas.c.
- debian/patches/CVE-2020-13362-3.patch: use unsigned type for positive
numeric fields in hw/scsi/megasas.c.
- CVE-2020-13362
* SECURITY UPDATE: NULL pointer dereference related to BounceBuffer
- debian/patches/CVE-2020-13659.patch: set map length to zero when
returning NULL in exec.c, include/exec/memory.h.
- CVE-2020-13659
* SECURITY UPDATE: out-of-bounds access via msi-x mmio operation
- debian/patches/CVE-2020-13754-1.patch: revert accepting mismatching
sizes in memory_region_access_valid in memory.c.
- debian/patches/CVE-2020-13754-2.patch: accept byte and word access to
core ACPI registers in hw/acpi/core.c.
- CVE-2020-13754
* SECURITY UPDATE: invalid memory copy operation via rom_copy
- debian/patches/CVE-2020-13765.patch: add extra check to
hw/core/loader.c.
- CVE-2020-13765
* SECURITY UPDATE: buffer overflow in XGMAC Ethernet controller
- debian/patches/CVE-2020-15863.patch: check bounds in hw/net/xgmac.c.
- CVE-2020-15863
* SECURITY UPDATE: reachable assertion failure
- debian/patches/CVE-2020-16092.patch: fix assertion failure in
hw/net/net_tx_pkt.c.
- CVE-2020-16092
-- Marc Deslauriers <email address hidden> Tue, 11 Aug 2020 13:19:33 -0400
This bug was fixed in the package qemu - 1:2.11+dfsg-1ubuntu7.31
---------------
qemu (1:2.11+dfsg-1ubuntu7.31) bionic-security; urgency=medium