CVE-2019-20175

NameCVE-2019-20175
Description** DISPUTED ** An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes the significance of this issue because a "privileged guest user has many ways to cause similar DoS effect, without triggering this assert."
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
qemu (PTS)buster1:3.1+dfsg-8+deb10u8vulnerable
buster (security)1:3.1+dfsg-8+deb10u9vulnerable
bullseye (security), bullseye1:5.2+dfsg-11+deb11u2vulnerable
bookworm, sid1:7.1+dfsg-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
qemusource(unstable)(unfixed)unimportant

Notes

https://lists.nongnu.org/archive/html/qemu-devel/2019-07/msg01651.html
https://lists.nongnu.org/archive/html/qemu-devel/2019-07/msg03869.html
https://lists.nongnu.org/archive/html/qemu-devel/2019-11/msg00597.html
https://lists.nongnu.org/archive/html/qemu-devel/2019-11/msg02165.html
Marked unimportant, as negligible security impact (a privileged guest
can trigger similar issues without triggering the specific assert) and
is disputed by QEMU security team.
Search for package or bug name: Reporting problems