http://git.qemu.org/?p=qemu.git;a=commit;h=fe3c546c5ff2a6210f9a4d8561cc64051ca8603e

[qemu-stable] 20160329 [Qemu-stable] [ANNOUNCE] QEMU 2.5.1 Stable released

[oss-security] 20160222 CVE request Qemu: usb: integer overflow in remote NDIS control message handling

83336

USN-2974-1

https://bugzilla.redhat.com/show_bug.cgi?id=1303120

[debian-lts-announce] 20181130 [SECURITY] [DLA 1599-1] qemu security update

[qemu-devel] 20160216 [Qemu-devel] [PATCH 2/2] usb: check RNDIS buffer offsets & length

GLSA-201604-01

Several vulnerabilities were found in QEMU, a fast processor emulator :

CVE-2016-2391

Zuozhi Fzz discovered that eof_times in USB OHCI emulation support could be used to cause a denial of service, via a NULL pointer dereference.

CVE-2016-2392 / CVE-2016-2538

Qinghao Tang found a NULL pointer dereference and multiple integer overflows in the USB Net device support that could allow local guest OS administrators to cause a denial of service. These issues related to remote NDIS control message handling.

CVE-2016-2841

Yang Hongke reported an infinite loop vulnerability in the NE2000 NIC emulation support.

CVE-2016-2857

Liu Ling found a flaw in QEMU IP checksum routines. Attackers could take advantage of this issue to cause QEMU to crash.

CVE-2016-2858

Arbitrary stack based allocation in the Pseudo Random Number Generator (PRNG) back-end support.

CVE-2016-4001 / CVE-2016-4002

Oleksandr Bazhaniuk reported buffer overflows in the Stellaris and the MIPSnet ethernet controllers emulation. Remote malicious users could use these issues to cause QEMU to crash.

CVE-2016-4020

Donghai Zdh reported that QEMU incorrectly handled the access to the Task Priority Register (TPR), allowing local guest OS administrators to obtain sensitive information from host stack memory.

CVE-2016-4037

Du Shaobo found an infinite loop vulnerability in the USB EHCI emulation support.

CVE-2016-4439 / CVE-2016-4441 / CVE-2016-5238 / CVE-2016-5338 / CVE-2016-6351

Li Qiang found different issues in the QEMU 53C9X Fast SCSI Controller (FSC) emulation support, that made it possible for local guest OS privileged users to cause denials of service or potentially execute arbitrary code.

CVE-2016-4453 / CVE-2016-4454

Li Qiang reported issues in the QEMU VMWare VGA module handling, that may be used to cause QEMU to crash, or to obtain host sensitive information.

CVE-2016-4952 / CVE-2016-7421 / CVE-2016-7156

Li Qiang reported flaws in the VMware paravirtual SCSI bus emulation support. These issues concern an out-of-bounds access and infinite loops, that allowed local guest OS privileged users to cause a denial of service.

CVE-2016-5105 / CVE-2016-5106 / CVE-2016-5107 / CVE-2016-5337

Li Qiang discovered several issues in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. These issues include stack information leakage while reading configuration and out-of-bounds write and read.

CVE-2016-6834

Li Qiang reported an infinite loop vulnerability during packet fragmentation in the network transport abstraction layer support.
Local guest OS privileged users could made use of this flaw to cause a denial of service.

CVE-2016-6836 / CVE-2016-6888

Li Qiang found issues in the VMWare VMXNET3 network card emulation support, relating to information leak and integer overflow in packet initialisation.

CVE-2016-7116

Felix Wilhel discovered a directory traversal flaw in the Plan 9 File System (9pfs), exploitable by local guest OS privileged users.

CVE-2016-7155

Tom Victor and Li Qiang reported an out-of-bounds read and an infinite loop in the VMware paravirtual SCSI bus emulation support.

CVE-2016-7161

Hu Chaojian reported a heap overflow in the xlnx.xps-ethernetlite emulation support. Privileged users in local guest OS could made use of this to cause QEMU to crash.

CVE-2016-7170

Qinghao Tang and Li Qiang reported a flaw in the QEMU VMWare VGA module, that could be used by privileged user in local guest OS to cause QEMU to crash via an out-of-bounds stack memory access.

CVE-2016-7908 / CVE-2016-7909

Li Qiang reported infinite loop vulnerabilities in the ColdFire Fast Ethernet Controller and the AMD PC-Net II (Am79C970A) emulations.
These flaws allowed local guest OS administrators to cause a denial of service.

CVE-2016-8909

Huawei PSIRT found an infinite loop vulnerability in the Intel HDA emulation support, relating to DMA buffer stream processing.
Privileged users in local guest OS could made use of this to cause a denial of service.

CVE-2016-8910

Andrew Henderson reported an infinite loop in the RTL8139 ethernet controller emulation support. Privileged users inside a local guest OS could made use of this to cause a denial of service.

CVE-2016-9101

Li Qiang reported a memory leakage in the i8255x (PRO100) ethernet controller emulation support.

CVE-2016-9102 / CVE-2016-9103 / CVE-2016-9104 / CVE-2016-9105 / CVE-2016-9106 / CVE-2016-8577 / CVE-2016-8578

Li Qiang reported various Plan 9 File System (9pfs) security issues, including host memory leakage and denial of service.

CVE-2017-10664

Denial of service in the qemu-nbd (QEMU Disk Network Block Device) Server.

CVE-2018-10839 / CVE-2018-17962 / CVE-2018-17963

Daniel Shapira reported several integer overflows in the packet handling in ethernet controllers emulated by QEMU. These issues could lead to denial of service.

For Debian 8 'Jessie', these problems have been fixed in version 1:2.1+dfsg-12+deb8u8.

We recommend that you upgrade your qemu packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

kvm was updated to fix 33 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2015-3214: Fixed OOB read in i8254 PIC (bsc#934069)

  - CVE-2014-9718: Fixed the handling of malformed or short     ide PRDTs to avoid any opportunity for guest to cause     DoS by abusing that interface (bsc#928393)

  - CVE-2014-3689: Fixed insufficient parameter validation     in rectangle functions (bsc#901508)

  - CVE-2014-3615: The VGA emulator in QEMU allowed local     guest users to read host memory by setting the display     to a high resolution (bsc#895528).

  - CVE-2015-5239: Integer overflow in vnc_client_read() and     protocol_client_msg() (bsc#944463).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-5279: Heap-based buffer overflow in the     ne2000_receive function in hw/net/ne2000.c in QEMU     allowed guest OS users to cause a denial of service     (instance crash) or possibly execute arbitrary code via     vectors related to receiving packets (bsc#945987).

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-6855: hw/ide/core.c in QEMU did not properly     restrict the commands accepted by an ATAPI device, which     allowed guest users to cause a denial of service or     possibly have unspecified other impact via certain IDE     commands, as demonstrated by a WIN_READ_NATIVE_MAX     command to an empty drive, which triggers a     divide-by-zero error and instance crash (bsc#945404).

  - CVE-2015-7295: hw/virtio/virtio.c in the Virtual Network     Device (virtio-net) support in QEMU, when big or     mergeable receive buffers are not supported, allowed     remote attackers to cause a denial of service (guest     network consumption) via a flood of jumbo frames on the     (1) tuntap or (2) macvtap interface (bsc#947159).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to fix 36 security issues.

These security issues were fixed :

  - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might     have allowed remote attackers to execute arbitrary code     via vectors related to the number of timers     (bnc#864673).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (bnc#864678).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (bnc#864682).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#864811).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#897654).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#928393).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#945404).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958491).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959005).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive     (bsc#969350).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

qemu was updated to fix 29 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-4952: Avoid OOB access in Vmware PV SCSI     emulation (bsc#981266)

  - CVE-2015-8817: Avoid OOB access in PCI dma I/O     (bsc#969121)

  - CVE-2015-8818: Avoid OOB access in PCI dma I/O     (bsc#969122)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2016-2197: Prevent AHCI NULL pointer dereference     when using FIS CLB engine (bsc#964411)

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8567: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8568: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: Incorrect l2 header validation could have     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960708).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

This non-security issue was fixed

  - bsc#886378: qemu truncates vhd images in virt-rescue

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

qemu was updated to fix 29 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-4952: Avoid OOB access in Vmware PV SCSI     emulation (bsc#981266)

  - CVE-2015-8817: Avoid OOB access in PCI dma I/O     (bsc#969121)

  - CVE-2015-8818: Avoid OOB access in PCI dma I/O     (bsc#969122)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2016-2197: Prevent AHCI NULL pointer dereference     when using FIS CLB engine (bsc#964411)

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8567: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8568: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: Incorrect l2 header validation could have     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960708).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

This non-security issue was fixed

  - bsc#886378: qemu truncates vhd images in virt-rescue

This update was imported from the SUSE:SLE-12-SP1:Update update project.

qemu was updated to fix 37 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-4952: Avoid OOB access in Vmware PV SCSI     emulation (bsc#981266)

  - CVE-2015-8817: Avoid OOB access in PCI DMA I/O     (bsc#969121)

  - CVE-2015-8818: Avoid OOB access in PCI DMA I/O     (bsc#969122)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2015-3214: Fixed OOB read in i8254 PIC (bsc#934069)

  - CVE-2014-9718: Fixed the handling of malformed or short     ide PRDTs to avoid any opportunity for guest to cause     DoS by abusing that interface (bsc#928393)

  - CVE-2014-3689: Fixed insufficient parameter validation     in rectangle functions (bsc#901508)

  - CVE-2014-3615: The VGA emulator in QEMU allowed local     guest users to read host memory by setting the display     to a high resolution (bsc#895528).

  - CVE-2015-5239: Integer overflow in vnc_client_read() and     protocol_client_msg() (bsc#944463).

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-7295: hw/virtio/virtio.c in the Virtual Network     Device (virtio-net) support in QEMU, when big or     mergeable receive buffers are not supported, allowed     remote attackers to cause a denial of service (guest     network consumption) via a flood of jumbo frames on the     (1) tuntap or (2) macvtap interface (bsc#947159).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8567: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8568: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: Incorrect l2 header validation could have     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960708).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

This non-security issue was fixed

  - bsc#886378: qemu truncates vhd images in virt-rescue

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to fix 46 security issues.

These security issues were fixed :

  - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might     have allowed remote attackers to execute arbitrary code     via vectors related to the number of timers     (bsc#964746).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (bsc#964929).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (bsc#964950).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#964644).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#964452).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#962642).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#962335).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#962758).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#964925).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#965112).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#962611).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#962627).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#964431).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#962632).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#964947).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#965156).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#962360).

  - CVE-2015-7549: pci: NULL pointer dereference issue     (bsc#958918).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956832).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958493).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959006).

  - CVE-2015-8567: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8568: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8613: SCSI: stack-based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#965269).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960726).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960836).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2015-8817: OOB access in address_space_rw lead to     segmentation fault (I) (bsc#969125).

  - CVE-2015-8818: OOB access in address_space_rw lead to     segmentation fault (II) (bsc#969126).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961692).

  - CVE-2016-1922: NULL pointer dereference in vapic_write()     (bsc#962321).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963783).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964415).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967101).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967090).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#968004).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Zuozhi Fzz discovered that QEMU incorrectly handled USB OHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-2391)

Qinghao Tang discovered that QEMU incorrectly handled USB Net emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-2392)

Qinghao Tang discovered that QEMU incorrectly handled USB Net emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly leak host memory bytes. (CVE-2016-2538)

Hongke Yang discovered that QEMU incorrectly handled NE2000 emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-2841)

Ling Liu discovered that QEMU incorrectly handled IP checksum routines. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly leak host memory bytes. (CVE-2016-2857)

It was discovered that QEMU incorrectly handled the PRNG back-end support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS.
(CVE-2016-2858)

Wei Xiao and Qinghao Tang discovered that QEMU incorrectly handled access in the VGA module. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-3710)

Zuozhi Fzz discovered that QEMU incorrectly handled access in the VGA module. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-3712)

Oleksandr Bazhaniuk discovered that QEMU incorrectly handled Luminary Micro Stellaris ethernet controller emulation. A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-4001)

Oleksandr Bazhaniuk discovered that QEMU incorrectly handled MIPSnet controller emulation. A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-4002)

Donghai Zdh discovered that QEMU incorrectly handled the Task Priority Register(TPR). A privileged attacker inside the guest could use this issue to possibly leak host memory bytes. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2016-4020)

Du Shaobo discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service.
(CVE-2016-4037).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to version 4.4.4 to fix 33 security issues.

These security issues were fixed :

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2015-5239: Integer overflow in vnc_client_read() and     protocol_client_msg() (bsc#944463).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (boo#965315).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (boo#962360).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (boo#962611).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964413).

  - CVE-2015-6815: e1000: infinite loop issue (bsc#944697).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (boo#964925).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (boo#965156).

  - CVE-2016-2271: VMX in using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (boo#965317).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (boo#964452).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (boo#962642).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (boo#962632).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (boo#964950).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (boo#964644).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c allowed     remote attackers to execute arbitrary code via a crafted     (1) precision, (2) nextprecision, (3) function, or (4)     nextfunction value in a savevm image (boo#962758).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (boo#962335).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8613: scsi: stack based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#960334).

  - CVE-2016-1571: The paging_invlpg function in     include/asm-x86/paging.h, when using shadow mode paging     or nested virtualization is enabled, allowed local HVM     guest users to cause a denial of service (host crash)     via a non-canonical guest address in an INVVPID     instruction, which triggers a hypervisor bug check     (boo#960862).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (boo#960861).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (boo#964431).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: vmxnet3: incorrect l2 header validation     leads to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960707).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (boo#962627).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (boo#964929).

- CVE-2016-2538: Integer overflow in usb module (bz     #1305815) * CVE-2016-2841: ne2000: infinite loop (bz     #1304047) * CVE-2016-2857: net: out of bounds read (bz     #1309564) * CVE-2016-2392: usb: NULL pointer dereference     (bz #1307115) * spice: fix spice_chr_add_watch() crash     (bz #1315049)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to fix 47 security issues.

These security issues were fixed :

  - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might     have allowed remote attackers to execute arbitrary code     via vectors related to the number of timers     (bnc#864673).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (bnc#864678).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (bnc#864682).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#864811).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#897654).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#928393).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#924018).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#945404).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-7549: pci: NULL pointer dereference issue     (bsc#958917).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958491).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959005).

  - CVE-2015-8567: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8568: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8613: SCSI: stack-based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#960334).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2015-8817: OOB access in address_space_rw lead to     segmentation fault (I) (bsc#969121).

  - CVE-2015-8818: OOB access in address_space_rw lead to     segmentation fault (II) (bsc#969122).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference in vapic_write()     (bsc#962320).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964413).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive     (bsc#969350).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201604-01 (QEMU: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in QEMU. Please review the       CVE identifiers referenced below for details.
  Impact :

    Local users within a guest QEMU environment can execute arbitrary code       within the host or a cause a Denial of Service condition of the QEMU       guest process.
  Workaround :

    There is no known workaround at this time.

xen was updated to fix 26 security issues.

These security issues were fixed :

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#928393).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#924018).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#945404).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8613: SCSI: stack based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#960334).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964413).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

These non-security issues were fixed :

  - bsc#954872: script block-dmmd not working as expected 

  - bsc#957698: DOM0 can't bring up on Dell PC

  - bsc#963923: domain weights not honored when sched-credit     tslice is reduced

  - bsc#959332: SLES12SP1 PV guest is unreachable when     restored or migrated

  - bsc#959695: Missing docs for xen

- CVE-2016-2538: Integer overflow in usb module (bz     #1305815) * CVE-2016-2841: ne2000: infinite loop (bz     #1304047) * CVE-2016-2857: net: out of bounds read (bz     #1309564) * CVE-2016-2392: usb: NULL pointer dereference     (bz #1307115) * Fix external snapshot any more after     active committing (bz #1300209)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to fix 44 security issues.

These security issues were fixed :

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#864811).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#897654).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#928393).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#924018).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#945404).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-7549: pci: NULL pointer dereference issue     (bsc#958917).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958491).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959005).

  - CVE-2015-8567: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8568: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8613: SCSI: stack-based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#960334).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2015-8817: OOB access in address_space_rw lead to     segmentation fault (I) (bsc#969121).

  - CVE-2015-8818: OOB access in address_space_rw lead to     segmentation fault (II) (bsc#969122).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference in vapic_write()     (bsc#962320).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964413).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive     (bsc#969350).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2016-2538: Integer overflow in usb module (bz     #1305815) * CVE-2016-2841: ne2000: infinite loop (bz     #1304047) * CVE-2016-2857: net: out of bounds read (bz     #1309564) * CVE-2016-2392: usb: NULL pointer dereference     (bz #1307115)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Qemu: nvram: OOB r/w access in processing firmware configurations CVE-2016-1714 (#1296080) Qemu: i386: NULL pointer dereference in vapic_write() CVE-2016-1922 (#1292767) qemu: Stack-based buffer overflow in megasas_ctrl_get_info CVE-2015-8613 (#1293305) qemu-kvm:
Infinite loop and out-of-bounds transfer start in start_xmit() and e1000_receive_iov() CVE-2016-1981 (#1299996) Qemu: usb ehci out-of-bounds read in ehci_process_itd (#1300235) Qemu: usb: ehci NULL pointer dereference in ehci_caps_write CVE-2016-2198 (#1303135) Qemu:
net: ne2000: infinite loop in ne2000_receive CVE-2016-2841 (#1304048) Qemu: usb: integer overflow in remote NDIS control message handling CVE-2016-2538 (#1305816) Qemu: usb: NULL pointer dereference in remote NDIS control message handling CVE-2016-2392 (#1307116) Qemu: usb:
multiple eof_timers in ohci module leads to NULL pointer dereference CVE-2016-2391 (#1308882) Qemu: net: out of bounds read in net_checksum_calculate() CVE-2016-2857 (#1309565) Qemu: OOB access in address_space_rw leads to segmentation fault CVE-2015-8817 CVE-2015-8818 (#1313273) Qemu: rng-random: arbitrary stack based allocation leading to corruption CVE-2016-2858 (#1314678)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Qemu: nvram: OOB r/w access in processing firmware configurations CVE-2016-1714 (#1296080)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
119310	Debian DLA-1599-1 : qemu security update	Nessus	Debian Local Security Checks	critical
93180	SUSE SLES11 Security Update : kvm (SUSE-SU-2016:1785-1)	Nessus	SuSE Local Security Checks	critical
93177	SUSE SLES11 Security Update : xen (SUSE-SU-2016:1745-1)	Nessus	SuSE Local Security Checks	critical
93170	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:1703-1)	Nessus	SuSE Local Security Checks	high
93169	SUSE SLES11 Security Update : kvm (SUSE-SU-2016:1698-1)	Nessus	SuSE Local Security Checks	critical
91980	openSUSE Security Update : qemu (openSUSE-2016-839)	Nessus	SuSE Local Security Checks	high
91660	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:1560-1)	Nessus	SuSE Local Security Checks	high
91249	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:1318-1)	Nessus	SuSE Local Security Checks	critical
91122	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : qemu, qemu-kvm vulnerabilities (USN-2974-1)	Nessus	Ubuntu Local Security Checks	high
90478	openSUSE Security Update : xen (openSUSE-2016-439)	Nessus	SuSE Local Security Checks	critical
90468	Fedora 22 : qemu-2.3.1-13.fc22 (2016-bfaf6a133b)	Nessus	Fedora Local Security Checks	low
90396	SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2016:0955-1)	Nessus	SuSE Local Security Checks	critical
90339	GLSA-201604-01 : QEMU: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
90260	openSUSE Security Update : xen (openSUSE-2016-413)	Nessus	SuSE Local Security Checks	critical
90210	Fedora 24 : qemu-2.5.0-10.fc24 (2016-1b264ab4a4)	Nessus	Fedora Local Security Checks	low
90186	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:0873-1)	Nessus	SuSE Local Security Checks	critical
90130	Fedora 23 : qemu-2.4.1-8.fc23 (2016-372bb57df0)	Nessus	Fedora Local Security Checks	low
90045	Fedora 23 : xen-4.5.2-9.fc23 (2016-f4504e9445)	Nessus	Fedora Local Security Checks	medium
90036	Fedora 22 : xen-4.5.2-9.fc22 (2016-38b20aa50f)	Nessus	Fedora Local Security Checks	medium

CVE-2016-2538

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins