#968820 qemu: CVE-2020-24352: OOB read/write in ati-vga device emulation in ati_2d_blt()

Package:
qemu
Source:
qemu
Submitter:
Moritz Muehlenhoff
Date:
2025-08-11 10:13:02 UTC
Severity:
important
Tags:
#968820#5
Date:
2020-08-21 18:13:07 UTC
From:
To:
Details are a little murky on this one:
https://bugzilla.redhat.com/show_bug.cgi?id=1847584

Cheers,
        Moritz
#968820#12
Date:
2020-08-24 11:44:01 UTC
From:
To:
As one of the QEMU developers put it,

---
 However this is hardly security critical as ati-vga is
 experimental and not fully implemented yet so anyone
 using it will likely get other problems (such as drivers
 not loading) before a guest could exploit this.
 I think QEMU only considers bugs in parts that are used
 for virtualisation via KVM as security problems so maybe
 this does not even need a CVE and could be normally
 reported/discussed on the mailing list.
---

See https://lists.gnu.org/archive/html/qemu-devel/2020-08/msg05528.html

/mjt
#968820#17
Date:
2020-08-24 13:51:19 UTC
From:
To:
Fair enough, I'll mark it as a non issue in the Debian Security tracker.

Cheers,
        Moritz
#968820#24
Date:
2025-08-11 10:11:41 UTC
From:
To:
Version: 1:5.2+dfsg-1
This appears to be fixed by the upstream commit v5.2.0-rc0-2-gca1f9cbfdc
https://gitlab.com/qemu-project/qemu/-/commit/ca1f9cbfdc which is part
of 5.2.0 version.  Which means qemu in bullseye and up is fixed.

Thanks,

/mjt