DSA-3471

[oss-security] 20151223 CVE request Qemu: hmp: stack based OOB write in hmp_sendkey routine

79668

[qemu-devel]  20151217 [Qemu-devel] [PATCH] hmp: avoid redundant null termination of buffer

GLSA-201604-01

kvm was updated to fix 33 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2015-3214: Fixed OOB read in i8254 PIC (bsc#934069)

  - CVE-2014-9718: Fixed the handling of malformed or short     ide PRDTs to avoid any opportunity for guest to cause     DoS by abusing that interface (bsc#928393)

  - CVE-2014-3689: Fixed insufficient parameter validation     in rectangle functions (bsc#901508)

  - CVE-2014-3615: The VGA emulator in QEMU allowed local     guest users to read host memory by setting the display     to a high resolution (bsc#895528).

  - CVE-2015-5239: Integer overflow in vnc_client_read() and     protocol_client_msg() (bsc#944463).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-5279: Heap-based buffer overflow in the     ne2000_receive function in hw/net/ne2000.c in QEMU     allowed guest OS users to cause a denial of service     (instance crash) or possibly execute arbitrary code via     vectors related to receiving packets (bsc#945987).

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-6855: hw/ide/core.c in QEMU did not properly     restrict the commands accepted by an ATAPI device, which     allowed guest users to cause a denial of service or     possibly have unspecified other impact via certain IDE     commands, as demonstrated by a WIN_READ_NATIVE_MAX     command to an empty drive, which triggers a     divide-by-zero error and instance crash (bsc#945404).

  - CVE-2015-7295: hw/virtio/virtio.c in the Virtual Network     Device (virtio-net) support in QEMU, when big or     mergeable receive buffers are not supported, allowed     remote attackers to cause a denial of service (guest     network consumption) via a flood of jumbo frames on the     (1) tuntap or (2) macvtap interface (bsc#947159).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

qemu was updated to fix 29 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-4952: Avoid OOB access in Vmware PV SCSI     emulation (bsc#981266)

  - CVE-2015-8817: Avoid OOB access in PCI dma I/O     (bsc#969121)

  - CVE-2015-8818: Avoid OOB access in PCI dma I/O     (bsc#969122)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2016-2197: Prevent AHCI NULL pointer dereference     when using FIS CLB engine (bsc#964411)

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8567: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8568: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: Incorrect l2 header validation could have     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960708).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

This non-security issue was fixed

  - bsc#886378: qemu truncates vhd images in virt-rescue

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

qemu was updated to fix 29 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-4952: Avoid OOB access in Vmware PV SCSI     emulation (bsc#981266)

  - CVE-2015-8817: Avoid OOB access in PCI dma I/O     (bsc#969121)

  - CVE-2015-8818: Avoid OOB access in PCI dma I/O     (bsc#969122)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2016-2197: Prevent AHCI NULL pointer dereference     when using FIS CLB engine (bsc#964411)

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8567: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8568: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: Incorrect l2 header validation could have     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960708).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

This non-security issue was fixed

  - bsc#886378: qemu truncates vhd images in virt-rescue

This update was imported from the SUSE:SLE-12-SP1:Update update project.

qemu was updated to fix 37 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-4952: Avoid OOB access in Vmware PV SCSI     emulation (bsc#981266)

  - CVE-2015-8817: Avoid OOB access in PCI DMA I/O     (bsc#969121)

  - CVE-2015-8818: Avoid OOB access in PCI DMA I/O     (bsc#969122)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2015-3214: Fixed OOB read in i8254 PIC (bsc#934069)

  - CVE-2014-9718: Fixed the handling of malformed or short     ide PRDTs to avoid any opportunity for guest to cause     DoS by abusing that interface (bsc#928393)

  - CVE-2014-3689: Fixed insufficient parameter validation     in rectangle functions (bsc#901508)

  - CVE-2014-3615: The VGA emulator in QEMU allowed local     guest users to read host memory by setting the display     to a high resolution (bsc#895528).

  - CVE-2015-5239: Integer overflow in vnc_client_read() and     protocol_client_msg() (bsc#944463).

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-7295: hw/virtio/virtio.c in the Virtual Network     Device (virtio-net) support in QEMU, when big or     mergeable receive buffers are not supported, allowed     remote attackers to cause a denial of service (guest     network consumption) via a flood of jumbo frames on the     (1) tuntap or (2) macvtap interface (bsc#947159).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8567: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8568: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: Incorrect l2 header validation could have     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960708).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

This non-security issue was fixed

  - bsc#886378: qemu truncates vhd images in virt-rescue

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to fix 46 security issues.

These security issues were fixed :

  - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might     have allowed remote attackers to execute arbitrary code     via vectors related to the number of timers     (bsc#964746).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (bsc#964929).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (bsc#964950).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#964644).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#964452).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#962642).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#962335).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#962758).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#964925).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#965112).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#962611).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#962627).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#964431).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#962632).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#964947).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#965156).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#962360).

  - CVE-2015-7549: pci: NULL pointer dereference issue     (bsc#958918).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956832).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958493).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959006).

  - CVE-2015-8567: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8568: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8613: SCSI: stack-based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#965269).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960726).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960836).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2015-8817: OOB access in address_space_rw lead to     segmentation fault (I) (bsc#969125).

  - CVE-2015-8818: OOB access in address_space_rw lead to     segmentation fault (II) (bsc#969126).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961692).

  - CVE-2016-1922: NULL pointer dereference in vapic_write()     (bsc#962321).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963783).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964415).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967101).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967090).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#968004).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to version 4.4.4 to fix 33 security issues.

These security issues were fixed :

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2015-5239: Integer overflow in vnc_client_read() and     protocol_client_msg() (bsc#944463).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (boo#965315).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (boo#962360).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (boo#962611).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964413).

  - CVE-2015-6815: e1000: infinite loop issue (bsc#944697).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (boo#964925).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (boo#965156).

  - CVE-2016-2271: VMX in using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (boo#965317).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (boo#964452).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (boo#962642).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (boo#962632).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (boo#964950).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (boo#964644).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c allowed     remote attackers to execute arbitrary code via a crafted     (1) precision, (2) nextprecision, (3) function, or (4)     nextfunction value in a savevm image (boo#962758).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (boo#962335).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8613: scsi: stack based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#960334).

  - CVE-2016-1571: The paging_invlpg function in     include/asm-x86/paging.h, when using shadow mode paging     or nested virtualization is enabled, allowed local HVM     guest users to cause a denial of service (host crash)     via a non-canonical guest address in an INVVPID     instruction, which triggers a hypervisor bug check     (boo#960862).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (boo#960861).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (boo#964431).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: vmxnet3: incorrect l2 header validation     leads to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960707).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (boo#962627).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (boo#964929).

xen was updated to fix 47 security issues.

These security issues were fixed :

  - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might     have allowed remote attackers to execute arbitrary code     via vectors related to the number of timers     (bnc#864673).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (bnc#864678).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (bnc#864682).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#864811).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#897654).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#928393).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#924018).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#945404).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-7549: pci: NULL pointer dereference issue     (bsc#958917).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958491).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959005).

  - CVE-2015-8567: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8568: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8613: SCSI: stack-based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#960334).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2015-8817: OOB access in address_space_rw lead to     segmentation fault (I) (bsc#969121).

  - CVE-2015-8818: OOB access in address_space_rw lead to     segmentation fault (II) (bsc#969122).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference in vapic_write()     (bsc#962320).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964413).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive     (bsc#969350).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201604-01 (QEMU: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in QEMU. Please review the       CVE identifiers referenced below for details.
  Impact :

    Local users within a guest QEMU environment can execute arbitrary code       within the host or a cause a Denial of Service condition of the QEMU       guest process.
  Workaround :

    There is no known workaround at this time.

xen was updated to fix 26 security issues.

These security issues were fixed :

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#928393).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#924018).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#945404).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8613: SCSI: stack based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#960334).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964413).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

These non-security issues were fixed :

  - bsc#954872: script block-dmmd not working as expected 

  - bsc#957698: DOM0 can't bring up on Dell PC

  - bsc#963923: domain weights not honored when sched-credit     tslice is reduced

  - bsc#959332: SLES12SP1 PV guest is unreachable when     restored or migrated

  - bsc#959695: Missing docs for xen

xen was updated to fix 44 security issues.

These security issues were fixed :

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#864811).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#897654).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#928393).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#924018).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#945404).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-7549: pci: NULL pointer dereference issue     (bsc#958917).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958491).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959005).

  - CVE-2015-8567: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8568: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8613: SCSI: stack-based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#960334).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2015-8817: OOB access in address_space_rw lead to     segmentation fault (I) (bsc#969121).

  - CVE-2015-8818: OOB access in address_space_rw lead to     segmentation fault (II) (bsc#969122).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference in vapic_write()     (bsc#962320).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964413).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive     (bsc#969350).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2015-8619: Fix sendkey out of bounds (bz #1292757) *     CVE-2016-1981: infinite loop in e1000 (bz #1299995) *     Fix Out-of-bounds read in usb-ehci (bz #1300234, bz     #1299455) * CVE-2016-2197: ahci: NULL pointer     dereference (bz #1302952) * Fix gdbstub for VSX     registers for ppc64 (bz #1304377) * Fix qemu-img vmdk     images to work with VMware (bz #1299185)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in qemu, a full virtualization solution on x86 hardware.

  - CVE-2015-7295     Jason Wang of Red Hat Inc. discovered that the Virtual     Network Device support is vulnerable to     denial-of-service, that could occur when receiving large     packets.

  - CVE-2015-7504     Qinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360     Inc. discovered that the PC-Net II ethernet controller     is vulnerable to a heap-based buffer overflow that could     result in denial-of-service (via application crash) or     arbitrary code execution.

  - CVE-2015-7512     Ling Liu of Qihoo 360 Inc. and Jason Wang of Red Hat     Inc. discovered that the PC-Net II ethernet controller     is vulnerable to a buffer overflow that could result in     denial-of-service (via application crash) or arbitrary     code execution.

  - CVE-2015-7549     Qinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360     Inc. discovered that the PCI MSI-X emulator is     vulnerable to a NULL pointer dereference issue, that     could lead to denial-of-service (via application crash).

  - CVE-2015-8345     Qinghao Tang of Qihoo 360 Inc. discovered that the     eepro100 emulator contains a flaw that could lead to an     infinite loop when processing Command Blocks, eventually     resulting in denial-of-service (via application crash).

  - CVE-2015-8504     Lian Yihan of Qihoo 360 Inc. discovered that the VNC     display driver support is vulnerable to an arithmetic     exception flaw that could lead to denial-of-service (via     application crash).

  - CVE-2015-8550     Felix Wilhelm of ERNW Research discovered that the PV     backend drivers are vulnerable to double fetch     vulnerabilities, possibly resulting in arbitrary code     execution.

  - CVE-2015-8558     Qinghao Tang of Qihoo 360 Inc. discovered that the USB     EHCI emulation support contains a flaw that could lead     to an infinite loop during communication between the     host controller and a device driver. This could lead to     denial-of-service (via resource exhaustion).

  - CVE-2015-8567 CVE-2015-8568     Qinghao Tang of Qihoo 360 Inc. discovered that the     vmxnet3 device emulator could be used to intentionally     leak host memory, thus resulting in denial-of-service.

  - CVE-2015-8613     Qinghao Tang of Qihoo 360 Inc. discovered that the SCSI     MegaRAID SAS HBA emulation support is vulnerable to a     stack-based buffer overflow issue, that could lead to     denial-of-service (via application crash).

  - CVE-2015-8619     Ling Liu of Qihoo 360 Inc. discovered that the Human     Monitor Interface support is vulnerable to an     out-of-bound write access issue that could result in     denial-of-service (via application crash).

  - CVE-2015-8743     Ling Liu of Qihoo 360 Inc. discovered that the NE2000     emulator is vulnerable to an out-of-bound read/write     access issue, potentially resulting in information leak     or memory corruption.

  - CVE-2015-8744     The vmxnet3 driver incorrectly processes small packets,     which could result in denial-of-service (via application     crash).

  - CVE-2015-8745     The vmxnet3 driver incorrectly processes Interrupt Mask     Registers, which could result in denial-of-service (via     application crash).

  - CVE-2016-1568     Qinghao Tang of Qihoo 360 Inc. discovered that the IDE     AHCI emulation support is vulnerable to a use-after-free     issue, that could lead to denial-of-service (via     application crash) or arbitrary code execution.

  - CVE-2016-1714     Donghai Zhu of Alibaba discovered that the Firmware     Configuration emulation support is vulnerable to an     out-of-bound read/write access issue, that could lead to     denial-of-service (via application crash) or arbitrary     code execution.

  - CVE-2016-1922     Ling Liu of Qihoo 360 Inc. discovered that 32-bit     Windows guests support is vulnerable to a NULL pointer     dereference issue, that could lead to denial-of-service     (via application crash).

  - CVE-2016-1981     The e1000 driver is vulnerable to an infinite loop issue     that could lead to denial-of-service (via application     crash).

Qinghao Tang discovered that QEMU incorrectly handled PCI MSI-X support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-7549)

Lian Yihan discovered that QEMU incorrectly handled the VNC server. A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2015-8504)

Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host. (CVE-2015-8550)

Qinghao Tang discovered that QEMU incorrectly handled USB EHCI emulation support. An attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service.
(CVE-2015-8558)

Qinghao Tang discovered that QEMU incorrectly handled the vmxnet3 device. An attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-8567, CVE-2015-8568)

Qinghao Tang discovered that QEMU incorrectly handled SCSI MegaRAID SAS HBA emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-8613)

Ling Liu discovered that QEMU incorrectly handled the Human Monitor Interface. A local attacker could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-8619, CVE-2016-1922)

David Alan Gilbert discovered that QEMU incorrectly handled the Q35 chipset emulation when performing VM guest migrations. An attacker could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10.
(CVE-2015-8666)

Ling Liu discovered that QEMU incorrectly handled the NE2000 device.
An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2015-8743)

It was discovered that QEMU incorrectly handled the vmxnet3 device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-8744, CVE-2015-8745)

Qinghao Tang discovered that QEMU incorrect handled IDE AHCI emulation. An attacker inside the guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-1568)

Donghai Zhu discovered that QEMU incorrect handled the firmware configuration device. An attacker inside the guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-1714)

It was discovered that QEMU incorrectly handled the e1000 device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-1981)

Zuozhi Fzz discovered that QEMU incorrectly handled IDE AHCI emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 15.10. (CVE-2016-2197)

Zuozhi Fzz discovered that QEMU incorrectly handled USB EHCI emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-2198).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Prasad J Pandit, Red Hat Product Security Team, reports :

Qemu emulator built with the Human Monitor Interface(HMP) support is vulnerable to an OOB write issue. It occurs while processing 'sendkey' command in hmp_sendkey routine, if the command argument is longer than the 'keyname_buf' buffer size.

A user/process could use this flaw to crash the Qemu process instance resulting in DoS.

ID	Name	Product	Family	Severity
93180	SUSE SLES11 Security Update : kvm (SUSE-SU-2016:1785-1)	Nessus	SuSE Local Security Checks	high
93170	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:1703-1)	Nessus	SuSE Local Security Checks	high
93169	SUSE SLES11 Security Update : kvm (SUSE-SU-2016:1698-1)	Nessus	SuSE Local Security Checks	high
91980	openSUSE Security Update : qemu (openSUSE-2016-839)	Nessus	SuSE Local Security Checks	high
91660	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:1560-1)	Nessus	SuSE Local Security Checks	high
91249	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:1318-1)	Nessus	SuSE Local Security Checks	high
90478	openSUSE Security Update : xen (openSUSE-2016-439)	Nessus	SuSE Local Security Checks	critical
90396	SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2016:0955-1)	Nessus	SuSE Local Security Checks	high
90339	GLSA-201604-01 : QEMU: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
90260	openSUSE Security Update : xen (openSUSE-2016-413)	Nessus	SuSE Local Security Checks	critical
90186	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:0873-1)	Nessus	SuSE Local Security Checks	high
89605	Fedora 22 : qemu-2.3.1-12.fc22 (2016-be042f7e6f)	Nessus	Fedora Local Security Checks	medium
89599	Fedora 23 : qemu-2.4.1-7.fc23 (2016-b49aaf2c56)	Nessus	Fedora Local Security Checks	medium
88630	Debian DSA-3471-1 : qemu - security update	Nessus	Debian Local Security Checks	high
88576	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : qemu, qemu-kvm vulnerabilities (USN-2891-1)	Nessus	Ubuntu Local Security Checks	high
87695	FreeBSD : qemu -- denial of service vulnerability in Human Monitor Interface support (62ab8707-b1bc-11e5-9728-002590263bf5)	Nessus	FreeBSD Local Security Checks	medium

CVE-2015-8619

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins