Arch Linux Security Advisory ASA-202005-6 ========================================= Severity: High Date : 2020-05-07 CVE-ID : CVE-2019-20382 CVE-2020-1711 CVE-2020-7039 Package : qemu Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1110 Summary ======= The package qemu before version 5.0.0-1 is vulnerable to multiple issues including arbitrary code execution and denial of service. Resolution ========== Upgrade to 5.0.0-1. # pacman -Syu "qemu>=5.0.0-1" The problems have been fixed upstream in version 5.0.0. Workaround ========== None. Description =========== - CVE-2019-20382 (denial of service) A memory leak has been found in in the way VNC display driver of QEMU <= 4.2.0 handled connection disconnect, when ZRLE, Tight encoding is enabled. It creates two vncState objects, one of which allocates memory for Zlib's data object. This allocated memory is not free'd upon disconnection resulting in the said memory leakage issue. A user able to connect to the VNC server could use this flaw to leak host memory leading to a potential DoS scenario. - CVE-2020-1711 (arbitrary code execution) An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host. - CVE-2020-7039 (arbitrary code execution) A heap buffer overflow issue was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the tcp_emu() routine while emulating IRC and other protocols. An attacker could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process. Impact ====== A remote attacker can crash the QEMU process, and potentially execute arbitrary code on the host. References ========== https://www.openwall.com/lists/oss-security/2020/03/05/1 https://git.qemu.org/?p=qemu.git;a=commitdiff;h=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0 https://www.openwall.com/lists/oss-security/2020/01/23/3 https://www.openwall.com/lists/oss-security/2020/01/16/2 https://security.archlinux.org/CVE-2019-20382 https://security.archlinux.org/CVE-2020-1711 https://security.archlinux.org/CVE-2020-7039