An out-of-bounds read/write access issue was found in the USB emulator of QEMU. It occurs while processing USB packets from a guest, when the USBDevice 'setup_len' exceeds 'data_buf[4096]' in the do_token_in and do_token_out routines. A guest user may use this flaw to crash the QEMU process, resulting in DoS, or potentially execute arbitrary code with the privileges of the QEMU process on the host.
Upstream patch:
---------------
-> https://lists.gnu.org/archive/html/qemu-devel/2020-08/msg05969.html
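A simplified model of the length invariant described above, added here as an illustration; it is not QEMU's code or the upstream patch. Only 'setup_len' and 'data_buf[4096]' come from the report. The type and function names are hypothetical, and the weak variant (state stored before the check) is an assumed failure mode used to show why the data stage must never see an unvalidated length.

```c
#include <stdint.h>
#include <string.h>

/* Simplified control-transfer state. Hypothetical names; only setup_len
 * and data_buf[4096] mirror the fields named in the report. */
typedef struct {
    uint8_t  setup_buf[8];
    uint8_t  data_buf[4096];
    uint32_t setup_len;    /* bytes the data stage may move */
    uint32_t setup_index;  /* bytes already moved */
} ctrl_state;

/* wLength is bytes 6..7 of the 8-byte SETUP packet, little-endian. */
static uint32_t wlength(const uint8_t *setup) {
    return ((uint32_t)setup[7] << 8) | setup[6];
}

/* Weak form: state is updated before the check, so a rejected packet
 * still leaves an oversized setup_len behind for the data stage. */
int setup_weak(ctrl_state *s, const uint8_t *pkt) {
    memcpy(s->setup_buf, pkt, 8);
    s->setup_len = wlength(pkt);
    s->setup_index = 0;
    return s->setup_len > sizeof(s->data_buf) ? -1 : 0;
}

/* Hardened form: validate a local copy, commit only when it fits. */
int setup_checked(ctrl_state *s, const uint8_t *pkt) {
    uint32_t len = wlength(pkt);
    if (len > sizeof(s->data_buf))
        return -1;
    memcpy(s->setup_buf, pkt, 8);
    s->setup_len = len;
    s->setup_index = 0;
    return 0;
}

/* Data stage (IN direction): re-checks the invariant before copying so a
 * stale or corrupted setup_len cannot index past data_buf. */
int data_in(ctrl_state *s, uint8_t *out, uint32_t want) {
    if (s->setup_len > sizeof(s->data_buf) || s->setup_index > s->setup_len)
        return -1;
    uint32_t n = s->setup_len - s->setup_index;
    if (n > want) n = want;
    memcpy(out, s->data_buf + s->setup_index, n);
    s->setup_index += n;
    return (int)n;
}
```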
Acknowledgments: Name: Xiao Wei (360.com), Ziming Zhang
External References:
https://www.openwall.com/lists/oss-security/2020/08/24/3
https://www.openwall.com/lists/oss-security/2020/08/24/2
Created qemu tracking bugs for this issue:
Affects: fedora-all [bug 1871849]
Created xen tracking bugs for this issue:
Affects: fedora-all [bug 1871850]
Mitigation: Using the Libvirt management interface to manage guest VMs significantly reduces the impact of this issue. Libvirt starts each guest process with the privileges of an unprivileged system user (e.g. qemu) and further confines the process with strict sVirt and SELinux policies.
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_security_guide/
Statement: This issue affects the version of the qemu-kvm package as shipped with the Red Hat Enterprise Linux 6, 7 and 8. Future qemu-kvm package updates for Red Hat Enterprise Linux 6, 7 and 8 may address this issue. Red Hat Enterprise Linux 5 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in its future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. Red Hat OpenStack Platform 15 and newer consume fixes directly from the Red Hat Enterprise Linux 8 Advanced Virtualization repository.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:4058 https://access.redhat.com/errata/RHSA-2020:4058
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 Advanced Update Support Via RHSA-2020:4054 https://access.redhat.com/errata/RHSA-2020:4054
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.6 Advanced Update Support Via RHSA-2020:4055 https://access.redhat.com/errata/RHSA-2020:4055
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Advanced Update Support Via RHSA-2020:4048 https://access.redhat.com/errata/RHSA-2020:4048
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:4049 https://access.redhat.com/errata/RHSA-2020:4049
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14364
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions Red Hat Enterprise Linux 7.3 Telco Extended Update Support Via RHSA-2020:4050 https://access.redhat.com/errata/RHSA-2020:4050
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2020:4051 https://access.redhat.com/errata/RHSA-2020:4051
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2020:4047 https://access.redhat.com/errata/RHSA-2020:4047
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4059 https://access.redhat.com/errata/RHSA-2020:4059
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:4052 https://access.redhat.com/errata/RHSA-2020:4052
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2020:4053 https://access.redhat.com/errata/RHSA-2020:4053
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4078 https://access.redhat.com/errata/RHSA-2020:4078
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4079 https://access.redhat.com/errata/RHSA-2020:4079
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Red Hat Virtualization Engine 4.3 Via RHSA-2020:4111 https://access.redhat.com/errata/RHSA-2020:4111
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2020:4115 https://access.redhat.com/errata/RHSA-2020:4115
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:4162 https://access.redhat.com/errata/RHSA-2020:4162
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS Via RHSA-2020:4167 https://access.redhat.com/errata/RHSA-2020:4167
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2020:4172 https://access.redhat.com/errata/RHSA-2020:4172
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2020:4176 https://access.redhat.com/errata/RHSA-2020:4176
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:4056 https://access.redhat.com/errata/RHSA-2020:4056
This issue has been addressed in the following products: Advanced Virtualization for RHEL 8.2.1 Via RHSA-2020:4291 https://access.redhat.com/errata/RHSA-2020:4291
This issue has been addressed in the following products: Advanced Virtualization for RHEL 8.1.1 Via RHSA-2020:4290 https://access.redhat.com/errata/RHSA-2020:4290
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days