openEuler Security Advisory: openEuler-SA-2021-1227
qemu security update: an update for qemu is now available for openEuler-20.03-LTS-SP1

Document tracking
  Publisher:            openEuler security committee (openeuler-security@openeuler.org)
  Advisory ID:          openEuler-SA-2021-1227
  Status:               Final
  Version:              1.0
  Revision history:     1.0, 2021-06-22, Initial
  Initial release date: 2021-06-22
  Current release date: 2021-06-22
  Generator:            openEuler SA Tool V1.0, 2021-06-22
  Severity:             High

Summary
  An update for qemu is now available for openEuler-20.03-LTS-SP1.

  QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.

Security Fix(es)
  CVE-2021-3546
    A flaw was found in vhost-user-gpu of QEMU in versions up to and including 6.0. An out-of-bounds write vulnerability can allow a malicious guest to crash the QEMU process on the host, resulting in a denial of service, or potentially execute arbitrary code on the host with the privileges of the QEMU process. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

  CVE-2021-3545
    An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.

  CVE-2021-3544
    Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after its effective lifetime.

  openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Vulnerability details (affected product: openEuler-20.03-LTS-SP1; release date: 2021-06-22)
  CVE-ID         Severity  CVSS base score  CVSS vector
  CVE-2021-3546  High      8.8              AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  CVE-2021-3545  Medium    6.5              AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  CVE-2021-3544  Medium    6.5              AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Affected package: qemu

Updated packages for openEuler-20.03-LTS-SP1
  aarch64:
    qemu-4.1.0-48.oe1.aarch64.rpm
    qemu-guest-agent-4.1.0-48.oe1.aarch64.rpm
    qemu-img-4.1.0-48.oe1.aarch64.rpm
    qemu-block-ssh-4.1.0-48.oe1.aarch64.rpm
    qemu-block-rbd-4.1.0-48.oe1.aarch64.rpm
    qemu-block-iscsi-4.1.0-48.oe1.aarch64.rpm
    qemu-debuginfo-4.1.0-48.oe1.aarch64.rpm
    qemu-debugsource-4.1.0-48.oe1.aarch64.rpm
  noarch:
    qemu-help-4.1.0-48.oe1.noarch.rpm
  src:
    qemu-4.1.0-48.oe1.src.rpm
  x86_64:
    qemu-4.1.0-48.oe1.x86_64.rpm
    qemu-guest-agent-4.1.0-48.oe1.x86_64.rpm
    qemu-img-4.1.0-48.oe1.x86_64.rpm
    qemu-seabios-4.1.0-48.oe1.x86_64.rpm
    qemu-block-ssh-4.1.0-48.oe1.x86_64.rpm
    qemu-block-rbd-4.1.0-48.oe1.x86_64.rpm
    qemu-block-iscsi-4.1.0-48.oe1.x86_64.rpm
    qemu-debuginfo-4.1.0-48.oe1.x86_64.rpm
    qemu-debugsource-4.1.0-48.oe1.x86_64.rpm

References
  https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1227
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-3546
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-3545
  https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-3544
  https://nvd.nist.gov/vuln/detail/CVE-2021-3546
  https://nvd.nist.gov/vuln/detail/CVE-2021-3545
  https://nvd.nist.gov/vuln/detail/CVE-2021-3544
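As an added example (not part of the advisory or of the openEuler tooling), the following script checks `rpm -qa` output from an openEuler-20.03-LTS-SP1 host against the fixed build 4.1.0-48.oe1 listed above, so an administrator can confirm which qemu sub-packages still need the update. It assumes the default `name-version-release.arch` line format of `rpm -qa` (no epoch shown) and uses a simplified rpm version comparison (numeric/alpha segments, without tilde/caret handling); the sample inventory is constructed.

```python
import re

# Fixed version/release from openEuler-SA-2021-1227 (qemu-4.1.0-48.oe1).
FIXED_VERSION = "4.1.0"
FIXED_RELEASE = "48.oe1"
# Binary packages named in the advisory.
QEMU_PKGS = {"qemu", "qemu-img", "qemu-guest-agent", "qemu-block-ssh",
             "qemu-block-rbd", "qemu-block-iscsi", "qemu-seabios",
             "qemu-help", "qemu-debuginfo", "qemu-debugsource"}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare numeric/alpha segments in order;
    numeric segments compare as integers and beat alpha segments.
    Returns -1, 0 or 1 like the C original (no tilde/caret support)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(line: str):
    """Split a default `rpm -qa` line into (name, version, release, arch)."""
    m = re.match(r"^(.+)-([^-]+)-([^-]+)\.([^.]+)$", line.strip())
    return m.groups() if m else None

def is_unpatched(version: str, release: str) -> bool:
    """True when version-release is older than the advisory's fixed build."""
    c = rpmvercmp(version, FIXED_VERSION)
    return c < 0 if c != 0 else rpmvercmp(release, FIXED_RELEASE) < 0

def find_unpatched(rpm_qa_output: str) -> list:
    """Return the installed qemu packages that predate the fix."""
    hits = []
    for line in rpm_qa_output.splitlines():
        p = parse_nvra(line)
        if p and p[0] in QEMU_PKGS and is_unpatched(p[1], p[2]):
            hits.append(line.strip())
    return hits

# Constructed sample inventory: two qemu packages still below 4.1.0-48.oe1.
SAMPLE_RPM_QA = """\
qemu-4.1.0-47.oe1.x86_64
qemu-img-4.1.0-48.oe1.x86_64
qemu-guest-agent-4.1.0-45.oe1.x86_64
qemu-help-4.1.0-48.oe1.noarch
bash-5.0-15.oe1.x86_64
"""

if __name__ == "__main__":
    for pkg in find_unpatched(SAMPLE_RPM_QA):
        print("needs update:", pkg)
```

On a real host, feed `rpm -qa` output into `find_unpatched` instead of the constructed sample.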