Source: qemu
Version: 1:5.2+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:5.1+dfsg-4

Hi,

The following vulnerability was published for qemu.

CVE-2020-27821[0]:
| A flaw was found in the memory management API of QEMU during the
| initialization of a memory region cache. This issue could lead to an
| out-of-bounds write access to the MSI-X table while performing MMIO
| operations. A guest user may abuse this flaw to crash the QEMU process
| on the host, resulting in a denial of service. This flaw affects QEMU
| versions prior to 5.2.0.

There are several issues here. First, the above MITRE description
claims this affects versions prior to 5.2.0, but 5.2 seems equally
affected still. The commit in [1] tracked this as fixed relating to
upstream commit [2]. But it looks like further analysis did track down
the issue, leading to [3] and the fixing commit being [4].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-27821
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27821
[1] https://tracker.debian.org/news/1200013/accepted-qemu-152dfsg-1-source-into-unstable/
[2] https://git.qemu.org/?p=qemu.git;a=commit;h=1370d61ae3c9934861d2349349447605202f04e9
[3] https://www.openwall.com/lists/oss-security/2020/12/16/6
[4] https://git.qemu.org/?p=qemu.git;a=commit;h=4bfb024bc76973d40a359476dc0291f46e435442

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore