SB2024111101 - Ubuntu update for qemu

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) Memory leak (CVE-ID: CVE-2019-20382)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the zrle_compress_data() function in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd. A remote attacker can perform a denial of service attack.

2) Out-of-bounds write (CVE-ID: CVE-2020-13765)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input in rom_copy() in hw/core/loader.c. A local user on the guest operating system can create a specially data to the application, trigger out-of-bounds write and execute arbitrary code on the host system.

3) Use-after-free (CVE-ID: CVE-2020-1983)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error when processing packets within the ip_reass() function in ip_input.c in libslirp. A remote attacker can send a specially crafted packet to the application, trigger a use-after-free error and crash it.

4) Heap-based buffer overflow (CVE-ID: CVE-2020-7039)

The vulnerability allows an attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the tcp_emu() function in tcp_subr.c in libslirp. An attacker can issue specially crafted IRC DCC commands in EMU_IRC, trigger heap-based buffer overflow and execute arbitrary code on the target system.

5) Buffer overflow (CVE-ID: CVE-2020-8608)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within tcp_subr.c file in libslirp. A local user can pass specially crafted data to the application that is using the affected version of library, trigger memory corruption and execute arbitrary code on the system.

6) Release of invalid pointer or reference (CVE-ID: CVE-2021-3592)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to invalid pointer initialization within the bootp_input() function while processing UDP packets in the SLiRP networking implementation of QEMU. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host.

7) Release of invalid pointer or reference (CVE-ID: CVE-2021-3594)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to invalid pointer initialization within the udp_input() function while processing UDP packets in the SLiRP networking implementation of QEMU. A malicious guest could use this vulnerability to read host memory.

8) Use-after-free (CVE-ID: CVE-2023-3019)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the e1000e_write_packet_to_guest() function in the e1000e NIC emulation code in QEMU. A local user can trigger DMA reentrancy and crash the QEMU process on the host.

9) Operation on a Resource after Expiration or Release (CVE-ID: CVE-2024-4693)

The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.

The vulnerability exists due to an improper release and use of the irqfd for vector 0 during the boot process in the QEMU Virtio PCI Bindings (hw/virtio/virtio-pci.c). A malicious guest can crash the QUEMU host process via vhost_net_stop().

Remediation

Install update from vendor's website.

References

• https://ubuntu.com/security/notices/USN-7094-1