Date: Tue, 9 Mar 2021 09:56:16 +0100 From: Mauro Matteo Cascella <mcascell@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2021-3409 QEMU: sdhci: incomplete fix for CVE-2020-17380/CVE-2020-25085 Hello, QEMU upstream commit  was supposed to fix CVE-2020-17380 and CVE-2020-25085, both involving a heap buffer overflow in the SDHCI controller emulation code. In fact, commit  turned out to be incomplete, in that it was still possible to reproduce the same issue(s) with specially crafted input, inducing a bogus transfer and subsequent out-of-bounds read/write access in sdhci_do_adma() or sdhci_sdma_transfer_multi_blocks(). A new series has been proposed (not merged yet) to address those issues, and CVE-2021-3409 was assigned to facilitate tracking/backporting of the new patch. Old patch:  https://git.qemu.org/?p=qemu.git;a=commit;h=dfba99f17feb6d4a129da19d38df1bcd8579d1c3 New patch series: https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html CVE-2021-3409 assigned by Red Hat, Inc. Best regards. -- Mauro Matteo Cascella Red Hat Product Security PGP-Key ID: BB3410B0
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.