Bug 1175370 - (CVE-2020-24352) VUL-1: CVE-2020-24352: kvm,qemu: out-of-bounds read/write in ati-vga device emulation in ati_2d_blt()
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/265293/
CVSSv3.1:SUSE:CVE-2020-24352:2.8:(AV:...
Reported: 2020-08-17 15:12 UTC by Robert Frohl
Modified: 2020-12-17 22:45 UTC
Found By: Security Response Team


Description Robert Frohl 2020-08-17 15:12:55 UTC
rh#1847584

An out-of-bounds read/write flaw was found in the ATI VGA device implementation of the QEMU emulator. It occurs in the ati_2d_blt() routine while handling MMIO write operations from the guest. A malicious guest user could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1847584
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24352
https://access.redhat.com/security/cve/CVE-2020-24352
Comment 1 Robert Frohl 2020-08-17 15:15:30 UTC
Information is a bit sparse for this one.
Comment 2 Bruce Rogers 2020-08-25 20:38:34 UTC
It seems that the fix for this issue is commit ac2071c3791b67fc7af78b8ceb320c01ca1b5df7, which is included in v5.0.0.

The feature was first included in v4.0.0 qemu, so only SLE15-SP2 (v4.2.0) qemu is affected.
Comment 3 Bruce Rogers 2020-09-16 23:51:35 UTC
This was fully fixed with the v4.2.1 update for qemu, which has already been released to customers. I'm adding a note to that effect in the SLE-15-SP2 qemu changelog about to be submitted for the next maintenance update.
Comment 6 Swamp Workflow Management 2020-10-07 16:17:09 UTC
SUSE-SU-2020:2877-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1174386,1174641,1174863,1175370,1175441,1176494
CVE References: CVE-2020-14364,CVE-2020-15863,CVE-2020-16092,CVE-2020-24352
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    qemu-4.2.1-11.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    qemu-4.2.1-11.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-10-13 04:14:46 UTC
openSUSE-SU-2020:1664-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1174386,1174641,1174863,1175370,1175441,1176494
CVE References: CVE-2020-14364,CVE-2020-15863,CVE-2020-16092,CVE-2020-24352
Sources used:
openSUSE Leap 15.2 (src):    qemu-4.2.1-lp152.9.6.1, qemu-linux-user-4.2.1-lp152.9.6.1, qemu-testsuite-4.2.1-lp152.9.6.1
Comment 8 Alexandros Toptsoglou 2020-11-03 15:34:27 UTC
Done
Comment 9 OBSbugzilla Bot 2020-12-08 23:50:25 UTC
This is an autogenerated message for OBS integration:
This bug (1175370) was mentioned in
https://build.opensuse.org/request/show/854157 Factory / qemu