Bug 1175370 (CVE-2020-24352)

Summary: VUL-1: CVE-2020-24352: kvm,qemu: out-of-bounds read/write in ati-vga device emulation in ati_2d_blt()
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: atoptsoglou, brogers, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/265293/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-24352:2.8:(AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2020-08-17 15:12:55 UTC
rh#1847584

An out-of-bounds read/write flaw was found in the ATI VGA device implementation of the QEMU emulator. It occurs in the ati_2d_blt() routine while handling MMIO write operations from the guest. A malicious guest user could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1847584
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24352
https://access.redhat.com/security/cve/CVE-2020-24352
Comment 1 Robert Frohl 2020-08-17 15:15:30 UTC
Information is a bit sparse for this one.
Comment 2 Bruce Rogers 2020-08-25 20:38:34 UTC
It seems that the fix for this issue is commit ac2071c3791b67fc7af78b8ceb320c01ca1b5df7, which is included in v5.0.0.

The feature was first included in v4.0.0 qemu, so only SLE15-SP2 (v4.2.0) qemu is affected.
Comment 3 Bruce Rogers 2020-09-16 23:51:35 UTC
This was fully fixed with the v4.2.1 update for qemu, which has already been released to customers. I'm adding a note to that effect in the SLE-15-SP2 qemu changelog about to be submitted for the next maintenance update.
Comment 6 Swamp Workflow Management 2020-10-07 16:17:09 UTC
SUSE-SU-2020:2877-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1174386,1174641,1174863,1175370,1175441,1176494
CVE References: CVE-2020-14364,CVE-2020-15863,CVE-2020-16092,CVE-2020-24352
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    qemu-4.2.1-11.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    qemu-4.2.1-11.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-10-13 04:14:46 UTC
openSUSE-SU-2020:1664-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1174386,1174641,1174863,1175370,1175441,1176494
CVE References: CVE-2020-14364,CVE-2020-15863,CVE-2020-16092,CVE-2020-24352
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    qemu-4.2.1-lp152.9.6.1, qemu-linux-user-4.2.1-lp152.9.6.1, qemu-testsuite-4.2.1-lp152.9.6.1
Comment 8 Alexandros Toptsoglou 2020-11-03 15:34:27 UTC
Done
Comment 9 OBSbugzilla Bot 2020-12-08 23:50:25 UTC
This is an autogenerated message for OBS integration:
This bug (1175370) was mentioned in
https://build.opensuse.org/request/show/854157 Factory / qemu