ALAS-2020-1408


Amazon Linux AMI Security Advisory: ALAS-2020-1408
Advisory Release Date: 2020-07-29 21:37 Pacific
Severity: Important

Issue Overview:

tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure. (CVE-2019-9824 )

tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code. (CVE-2020-7039 )

In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code. (CVE-2020-8608 )


Affected Packages:

qemu-kvm


Issue Correction:
Run yum update qemu-kvm to update your system.

New Packages:
src:
    qemu-kvm-1.5.3-156.19.amzn1.src

x86_64:
    qemu-kvm-debuginfo-1.5.3-156.19.amzn1.x86_64
    qemu-kvm-1.5.3-156.19.amzn1.x86_64
    qemu-kvm-tools-1.5.3-156.19.amzn1.x86_64
    qemu-kvm-common-1.5.3-156.19.amzn1.x86_64
    qemu-img-1.5.3-156.19.amzn1.x86_64