Vulnerability Description
In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Qemu | Qemu | 1\ |
| Debian | Debian Linux | 8.0 |
| Canonical | Ubuntu Linux | 14.04 |
| Opensuse | Leap | 15.0 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00034.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00038.htmlThird Party Advisory
- https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=de594e47659029316bbf9391efb79da0
- https://lists.debian.org/debian-lts-announce/2019/09/msg00021.htmlMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/07/msg00020.html
- https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01518.htmlMailing ListPatchThird Party Advisory
- https://security-tracker.debian.org/tracker/CVE-2019-12068Third Party Advisory
- https://usn.ubuntu.com/4191-1/Third Party Advisory
- https://usn.ubuntu.com/4191-2/Third Party Advisory
- https://www.debian.org/security/2020/dsa-4665
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00034.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00038.htmlThird Party Advisory
- https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=de594e47659029316bbf9391efb79da0
- https://lists.debian.org/debian-lts-announce/2019/09/msg00021.htmlMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/07/msg00020.html
FAQ
What is CVE-2019-12068?
CVE-2019-12068 is a vulnerability with a CVSS score of 3.8 (LOW). In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi a...
How severe is CVE-2019-12068?
CVE-2019-12068 has been rated LOW with a CVSS base score of 3.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-12068?
Check the references section above for vendor advisories and patch information. Affected products include: Qemu Qemu, Debian Debian Linux, Canonical Ubuntu Linux, Opensuse Leap.