* SECURITY UPDATE: heap buffer overflow in sdhci_sdma_transfer_multi_blocks()
- debian/patches/ubuntu/CVE-2020-17380.patch: fix DMA Transfer Block
Size field in hw/sd/sdhci.c.
- CVE-2020-17380
- CVE-2020-25085
* SECURITY UPDATE: use-after-free via unchecked return value
- debian/patches/ubuntu/CVE-2020-25084.patch: check return value of
'usb_packet_map' in hw/usb/hcd-xhci.c.
- CVE-2020-25084
* SECURITY UPDATE: out-of-bound access issue
- debian/patches/ubuntu/CVE-2020-25624.patch: check len and
frame_number variables in hw/usb/hcd-ohci.c.
- CVE-2020-25624
* SECURITY UPDATE: infinite loop when a TD list has a loop
- debian/patches/ubuntu/CVE-2020-25625.patch: check for processed TD
before retire in hw/usb/hcd-ohci.c.
- CVE-2020-25625
* SECURITY UPDATE: assertion failure through usb_packet_unmap()
- debian/patches/ubuntu/CVE-2020-25723.patch: check return value of
'usb_packet_map' in hw/usb/hcd-ehci.c.
- CVE-2020-25723
* SECURITY UPDATE: bounds issue in ati_2d_blt
- debian/patches/ubuntu/CVE-2020-27616.patch: check x y display
parameter values in hw/display/ati_2d.c.
- CVE-2020-27616
* SECURITY UPDATE: assertion failure
- debian/patches/ubuntu/CVE-2020-27617.patch: remove an assert call in
eth_get_gso_type in net/eth.c.
- CVE-2020-27617
* Assertion failure via zero mmap_min_addr (LP: #1897854)
- debian/patches/ubuntu/lp1897854-Ensure-mmap_min_addr-is-non-zero.patch:
ensure mmap_min_addr is non-zero in linux-user/main.c.
-- Marc Deslauriers <email address hidden> Fri, 20 Nov 2020 08:02:13 -0500
This bug was fixed in the package qemu - 1:5.0-5ubuntu9.2
---------------
qemu (1:5.0-5ubuntu9.2) groovy-security; urgency=medium
* SECURITY UPDATE: heap buffer overflow in sdhci_sdma_transfer_multi_blocks()
- debian/patches/ubuntu/CVE-2020-17380.patch: fix DMA Transfer Block
Size field in hw/sd/sdhci.c.
- CVE-2020-17380
- CVE-2020-25085
* SECURITY UPDATE: use-after-free via unchecked return value
- debian/patches/ubuntu/CVE-2020-25084.patch: check return value of
'usb_packet_map' in hw/usb/hcd-xhci.c.
- CVE-2020-25084
* SECURITY UPDATE: out-of-bound access issue
- debian/patches/ubuntu/CVE-2020-25624.patch: check len and
frame_number variables in hw/usb/hcd-ohci.c.
- CVE-2020-25624
* SECURITY UPDATE: infinite loop when a TD list has a loop
- debian/patches/ubuntu/CVE-2020-25625.patch: check for processed TD
before retire in hw/usb/hcd-ohci.c.
- CVE-2020-25625
* SECURITY UPDATE: assertion failure through usb_packet_unmap()
- debian/patches/ubuntu/CVE-2020-25723.patch: check return value of
'usb_packet_map' in hw/usb/hcd-ehci.c.
- CVE-2020-25723
* SECURITY UPDATE: bounds issue in ati_2d_blt
- debian/patches/ubuntu/CVE-2020-27616.patch: check x y display
parameter values in hw/display/ati_2d.c.
- CVE-2020-27616
* SECURITY UPDATE: assertion failure
- debian/patches/ubuntu/CVE-2020-27617.patch: remove an assert call in
eth_get_gso_type in net/eth.c.
- CVE-2020-27617
* Assertion failure via zero mmap_min_addr (LP: #1897854)
- debian/patches/ubuntu/lp1897854-Ensure-mmap_min_addr-is-non-zero.patch:
ensure mmap_min_addr is non-zero in linux-user/main.c.
-- Marc Deslauriers <email address hidden> Fri, 20 Nov 2020 08:02:13 -0500