http://git.qemu.org/?p=qemu.git;a=commit;h=b242e0e0e2969c044a318e56f7988bbd84de1f63

RHSA-2016:2670

RHSA-2016:2671

RHSA-2016:2704

RHSA-2016:2705

RHSA-2016:2706

[oss-security] 20160301 CVE request Qemu: OOB access in address_space_rw leads to segmentation fault

[oss-security] 20160301 Re: CVE request Qemu: OOB access in address_space_rw leads to segmentation fault

https://bugzilla.redhat.com/show_bug.cgi?id=1300771

qemu was updated to fix 29 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-4952: Avoid OOB access in Vmware PV SCSI     emulation (bsc#981266)

  - CVE-2015-8817: Avoid OOB access in PCI dma I/O     (bsc#969121)

  - CVE-2015-8818: Avoid OOB access in PCI dma I/O     (bsc#969122)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2016-2197: Prevent AHCI NULL pointer dereference     when using FIS CLB engine (bsc#964411)

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8567: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8568: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: Incorrect l2 header validation could have     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960708).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

This non-security issue was fixed

  - bsc#886378: qemu truncates vhd images in virt-rescue

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

qemu was updated to fix 29 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-4952: Avoid OOB access in Vmware PV SCSI     emulation (bsc#981266)

  - CVE-2015-8817: Avoid OOB access in PCI dma I/O     (bsc#969121)

  - CVE-2015-8818: Avoid OOB access in PCI dma I/O     (bsc#969122)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2016-2197: Prevent AHCI NULL pointer dereference     when using FIS CLB engine (bsc#964411)

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8567: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8568: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: Incorrect l2 header validation could have     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960708).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

This non-security issue was fixed

  - bsc#886378: qemu truncates vhd images in virt-rescue

This update was imported from the SUSE:SLE-12-SP1:Update update project.

qemu was updated to fix 37 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-4952: Avoid OOB access in Vmware PV SCSI     emulation (bsc#981266)

  - CVE-2015-8817: Avoid OOB access in PCI DMA I/O     (bsc#969121)

  - CVE-2015-8818: Avoid OOB access in PCI DMA I/O     (bsc#969122)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2015-3214: Fixed OOB read in i8254 PIC (bsc#934069)

  - CVE-2014-9718: Fixed the handling of malformed or short     ide PRDTs to avoid any opportunity for guest to cause     DoS by abusing that interface (bsc#928393)

  - CVE-2014-3689: Fixed insufficient parameter validation     in rectangle functions (bsc#901508)

  - CVE-2014-3615: The VGA emulator in QEMU allowed local     guest users to read host memory by setting the display     to a high resolution (bsc#895528).

  - CVE-2015-5239: Integer overflow in vnc_client_read() and     protocol_client_msg() (bsc#944463).

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-7295: hw/virtio/virtio.c in the Virtual Network     Device (virtio-net) support in QEMU, when big or     mergeable receive buffers are not supported, allowed     remote attackers to cause a denial of service (guest     network consumption) via a flood of jumbo frames on the     (1) tuntap or (2) macvtap interface (bsc#947159).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8567: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8568: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: Incorrect l2 header validation could have     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960708).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

This non-security issue was fixed

  - bsc#886378: qemu truncates vhd images in virt-rescue

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to fix 46 security issues.

These security issues were fixed :

  - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might     have allowed remote attackers to execute arbitrary code     via vectors related to the number of timers     (bsc#964746).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (bsc#964929).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (bsc#964950).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#964644).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#964452).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#962642).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#962335).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#962758).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#964925).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#965112).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#962611).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#962627).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#964431).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#962632).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#964947).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#965156).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#962360).

  - CVE-2015-7549: pci: NULL pointer dereference issue     (bsc#958918).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956832).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958493).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959006).

  - CVE-2015-8567: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8568: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8613: SCSI: stack-based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#965269).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960726).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960836).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2015-8817: OOB access in address_space_rw lead to     segmentation fault (I) (bsc#969125).

  - CVE-2015-8818: OOB access in address_space_rw lead to     segmentation fault (II) (bsc#969126).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961692).

  - CVE-2016-1922: NULL pointer dereference in vapic_write()     (bsc#962321).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963783).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964415).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967101).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967090).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#968004).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to fix 47 security issues.

These security issues were fixed :

  - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might     have allowed remote attackers to execute arbitrary code     via vectors related to the number of timers     (bnc#864673).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (bnc#864678).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (bnc#864682).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#864811).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#897654).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#928393).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#924018).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#945404).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-7549: pci: NULL pointer dereference issue     (bsc#958917).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958491).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959005).

  - CVE-2015-8567: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8568: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8613: SCSI: stack-based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#960334).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2015-8817: OOB access in address_space_rw lead to     segmentation fault (I) (bsc#969121).

  - CVE-2015-8818: OOB access in address_space_rw lead to     segmentation fault (II) (bsc#969122).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference in vapic_write()     (bsc#962320).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964413).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive     (bsc#969350).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to fix 44 security issues.

These security issues were fixed :

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#864811).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#897654).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#928393).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#924018).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#945404).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-7549: pci: NULL pointer dereference issue     (bsc#958917).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958491).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959005).

  - CVE-2015-8567: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8568: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8613: SCSI: stack-based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#960334).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2015-8817: OOB access in address_space_rw lead to     segmentation fault (I) (bsc#969121).

  - CVE-2015-8818: OOB access in address_space_rw lead to     segmentation fault (II) (bsc#969122).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference in vapic_write()     (bsc#962320).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964413).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive     (bsc#969350).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Qemu: nvram: OOB r/w access in processing firmware configurations CVE-2016-1714 (#1296080) Qemu: i386: NULL pointer dereference in vapic_write() CVE-2016-1922 (#1292767) qemu: Stack-based buffer overflow in megasas_ctrl_get_info CVE-2015-8613 (#1293305) qemu-kvm:
Infinite loop and out-of-bounds transfer start in start_xmit() and e1000_receive_iov() CVE-2016-1981 (#1299996) Qemu: usb ehci out-of-bounds read in ehci_process_itd (#1300235) Qemu: usb: ehci NULL pointer dereference in ehci_caps_write CVE-2016-2198 (#1303135) Qemu:
net: ne2000: infinite loop in ne2000_receive CVE-2016-2841 (#1304048) Qemu: usb: integer overflow in remote NDIS control message handling CVE-2016-2538 (#1305816) Qemu: usb: NULL pointer dereference in remote NDIS control message handling CVE-2016-2392 (#1307116) Qemu: usb:
multiple eof_timers in ohci module leads to NULL pointer dereference CVE-2016-2391 (#1308882) Qemu: net: out of bounds read in net_checksum_calculate() CVE-2016-2857 (#1309565) Qemu: OOB access in address_space_rw leads to segmentation fault CVE-2015-8817 CVE-2015-8818 (#1313273) Qemu: rng-random: arbitrary stack based allocation leading to corruption CVE-2016-2858 (#1314678)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Qemu: nvram: OOB r/w access in processing firmware configurations CVE-2016-1714 (#1296080)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
93170	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:1703-1)	Nessus	SuSE Local Security Checks	high
91980	openSUSE Security Update : qemu (openSUSE-2016-839)	Nessus	SuSE Local Security Checks	high
91660	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:1560-1)	Nessus	SuSE Local Security Checks	high
91249	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:1318-1)	Nessus	SuSE Local Security Checks	critical
90396	SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2016:0955-1)	Nessus	SuSE Local Security Checks	critical
90186	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:0873-1)	Nessus	SuSE Local Security Checks	critical
90045	Fedora 23 : xen-4.5.2-9.fc23 (2016-f4504e9445)	Nessus	Fedora Local Security Checks	medium
90036	Fedora 22 : xen-4.5.2-9.fc22 (2016-38b20aa50f)	Nessus	Fedora Local Security Checks	medium

CVE-2015-8818

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins