http://git.qemu.org/?p=qemu.git;a=commit;h=fdda170e50b8af062cf5741e12c4fb5e57a2eacf

[oss-security] 20160812 CVE Request Qemu: Information leak in vmxnet3_complete_packet

[oss-security] 20160817 Re: CVE Request Qemu: Information leak in vmxnet3_complete_packet

92444

[debian-lts-announce] 20181130 [SECURITY] [DLA 1599-1] qemu security update

[qemu-devel] 20160811 [PATCH] net: vmxnet: initialise local tx descriptor

GLSA-201609-01

Several vulnerabilities were found in QEMU, a fast processor emulator :

CVE-2016-2391

Zuozhi Fzz discovered that eof_times in USB OHCI emulation support could be used to cause a denial of service, via a NULL pointer dereference.

CVE-2016-2392 / CVE-2016-2538

Qinghao Tang found a NULL pointer dereference and multiple integer overflows in the USB Net device support that could allow local guest OS administrators to cause a denial of service. These issues related to remote NDIS control message handling.

CVE-2016-2841

Yang Hongke reported an infinite loop vulnerability in the NE2000 NIC emulation support.

CVE-2016-2857

Liu Ling found a flaw in QEMU IP checksum routines. Attackers could take advantage of this issue to cause QEMU to crash.

CVE-2016-2858

Arbitrary stack based allocation in the Pseudo Random Number Generator (PRNG) back-end support.

CVE-2016-4001 / CVE-2016-4002

Oleksandr Bazhaniuk reported buffer overflows in the Stellaris and the MIPSnet ethernet controllers emulation. Remote malicious users could use these issues to cause QEMU to crash.

CVE-2016-4020

Donghai Zdh reported that QEMU incorrectly handled the access to the Task Priority Register (TPR), allowing local guest OS administrators to obtain sensitive information from host stack memory.

CVE-2016-4037

Du Shaobo found an infinite loop vulnerability in the USB EHCI emulation support.

CVE-2016-4439 / CVE-2016-4441 / CVE-2016-5238 / CVE-2016-5338 / CVE-2016-6351

Li Qiang found different issues in the QEMU 53C9X Fast SCSI Controller (FSC) emulation support, that made it possible for local guest OS privileged users to cause denials of service or potentially execute arbitrary code.

CVE-2016-4453 / CVE-2016-4454

Li Qiang reported issues in the QEMU VMWare VGA module handling, that may be used to cause QEMU to crash, or to obtain host sensitive information.

CVE-2016-4952 / CVE-2016-7421 / CVE-2016-7156

Li Qiang reported flaws in the VMware paravirtual SCSI bus emulation support. These issues concern an out-of-bounds access and infinite loops, that allowed local guest OS privileged users to cause a denial of service.

CVE-2016-5105 / CVE-2016-5106 / CVE-2016-5107 / CVE-2016-5337

Li Qiang discovered several issues in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. These issues include stack information leakage while reading configuration and out-of-bounds write and read.

CVE-2016-6834

Li Qiang reported an infinite loop vulnerability during packet fragmentation in the network transport abstraction layer support.
Local guest OS privileged users could made use of this flaw to cause a denial of service.

CVE-2016-6836 / CVE-2016-6888

Li Qiang found issues in the VMWare VMXNET3 network card emulation support, relating to information leak and integer overflow in packet initialisation.

CVE-2016-7116

Felix Wilhel discovered a directory traversal flaw in the Plan 9 File System (9pfs), exploitable by local guest OS privileged users.

CVE-2016-7155

Tom Victor and Li Qiang reported an out-of-bounds read and an infinite loop in the VMware paravirtual SCSI bus emulation support.

CVE-2016-7161

Hu Chaojian reported a heap overflow in the xlnx.xps-ethernetlite emulation support. Privileged users in local guest OS could made use of this to cause QEMU to crash.

CVE-2016-7170

Qinghao Tang and Li Qiang reported a flaw in the QEMU VMWare VGA module, that could be used by privileged user in local guest OS to cause QEMU to crash via an out-of-bounds stack memory access.

CVE-2016-7908 / CVE-2016-7909

Li Qiang reported infinite loop vulnerabilities in the ColdFire Fast Ethernet Controller and the AMD PC-Net II (Am79C970A) emulations.
These flaws allowed local guest OS administrators to cause a denial of service.

CVE-2016-8909

Huawei PSIRT found an infinite loop vulnerability in the Intel HDA emulation support, relating to DMA buffer stream processing.
Privileged users in local guest OS could made use of this to cause a denial of service.

CVE-2016-8910

Andrew Henderson reported an infinite loop in the RTL8139 ethernet controller emulation support. Privileged users inside a local guest OS could made use of this to cause a denial of service.

CVE-2016-9101

Li Qiang reported a memory leakage in the i8255x (PRO100) ethernet controller emulation support.

CVE-2016-9102 / CVE-2016-9103 / CVE-2016-9104 / CVE-2016-9105 / CVE-2016-9106 / CVE-2016-8577 / CVE-2016-8578

Li Qiang reported various Plan 9 File System (9pfs) security issues, including host memory leakage and denial of service.

CVE-2017-10664

Denial of service in the qemu-nbd (QEMU Disk Network Block Device) Server.

CVE-2018-10839 / CVE-2018-17962 / CVE-2018-17963

Daniel Shapira reported several integer overflows in the packet handling in ethernet controllers emulated by QEMU. These issues could lead to denial of service.

For Debian 8 'Jessie', these problems have been fixed in version 1:2.1+dfsg-12+deb8u8.

We recommend that you upgrade your qemu packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2016-6836: vmxnet: Information leakage in     vmxnet3_complete_packet (bz #1366370)

  - CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr     (bz #1381196)

  - CVE-2016-7994: virtio-gpu: memory leak in     resource_create_2d (bz #1382667)

  - CVE-2016-8577: 9pfs: host memory leakage in v9fs_read     (bz #1383286)

  - CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs     routines (bz #1383292)

  - CVE-2016-8668: OOB buffer access in rocker switch     emulation (bz #1384898)

  - CVE-2016-8669: divide by zero error in     serial_update_parameters (bz #1384911)

  - CVE-2016-8910: rtl8139: infinite loop while transmit in     C+ mode (bz #1388047)

  - CVE-2016-8909: intel-hda: infinite loop in dma buffer     stream (bz #1388053)

  - Infinite loop vulnerability in a9_gtimer_update (bz     #1388300)

  - CVE-2016-9101: eepro100: memory leakage at device unplug     (bz #1389539)

  - CVE-2016-9103: 9pfs: information leakage via xattr (bz     #1389643)

  - CVE-2016-9102: 9pfs: memory leakage when creating     extended attribute (bz #1389551)

  - CVE-2016-9104: 9pfs: integer overflow leading to OOB     access (bz #1389687)

  - CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz     #1389704)

  - CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz     #1389713)

  - CVE-2016-9381: xen: incautious about shared ring     processing (bz #1397385)

  - CVE-2016-9921: Divide by zero vulnerability in     cirrus_do_copy (bz #1399054)

  - CVE-2016-9776: infinite loop while receiving data in     mcf_fec_receive (bz #1400830)

  - CVE-2016-9845: information leakage in     virgl_cmd_get_capset_info (bz #1402247)

  - CVE-2016-9846: virtio-gpu: memory leakage while updating     cursor data (bz #1402258)

  - CVE-2016-9907: usbredir: memory leakage when destroying     redirector (bz #1402266)

  - CVE-2016-9911: usb: ehci: memory leakage in     ehci_init_transfer (bz #1402273)

  - CVE-2016-9913: 9pfs: memory leakage via proxy/handle     callbacks (bz #1402277)

  - CVE-2016-10028: virtio-gpu-3d: OOB access while reading     virgl capabilities (bz #1406368)

  - CVE-2016-9908: virtio-gpu: information leakage in     virgl_cmd_get_capset (bz #1402263)

  - CVE-2016-9912: virtio-gpu: memory leakage when     destroying gpu resource (bz #1402285)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2016-6836: vmxnet: Information leakage in     vmxnet3_complete_packet (bz #1366370)

  - CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr     (bz #1381196)

  - CVE-2016-7994: virtio-gpu: memory leak in     resource_create_2d (bz #1382667)

  - CVE-2016-8577: 9pfs: host memory leakage in v9fs_read     (bz #1383286)

  - CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs     routines (bz #1383292)

  - CVE-2016-8668: OOB buffer access in rocker switch     emulation (bz #1384898)

  - CVE-2016-8669: divide by zero error in     serial_update_parameters (bz #1384911)

  - CVE-2016-8909: intel-hda: infinite loop in dma buffer     stream (bz #1388053)

  - Infinite loop vulnerability in a9_gtimer_update (bz     #1388300)

  - CVE-2016-9101: eepro100: memory leakage at device unplug     (bz #1389539)

  - CVE-2016-9103: 9pfs: information leakage via xattr (bz     #1389643)

  - CVE-2016-9102: 9pfs: memory leakage when creating     extended attribute (bz #1389551)

  - CVE-2016-9104: 9pfs: integer overflow leading to OOB     access (bz #1389687)

  - CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz     #1389704)

  - CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz     #1389713)

  - CVE-2016-9381: xen: incautious about shared ring     processing (bz #1397385)

  - CVE-2016-9921: Divide by zero vulnerability in     cirrus_do_copy (bz #1399054)

  - CVE-2016-9776: infinite loop while receiving data in     mcf_fec_receive (bz #1400830)

  - CVE-2016-9845: information leakage in     virgl_cmd_get_capset_info (bz #1402247)

  - CVE-2016-9846: virtio-gpu: memory leakage while updating     cursor data (bz #1402258)

  - CVE-2016-9907: usbredir: memory leakage when destroying     redirector (bz #1402266)

  - CVE-2016-9911: usb: ehci: memory leakage in     ehci_init_transfer (bz #1402273)

  - CVE-2016-9913: 9pfs: memory leakage via proxy/handle     callbacks (bz #1402277)

  - CVE-2016-10028: virtio-gpu-3d: OOB access while reading     virgl capabilities (bz #1406368)

  - CVE-2016-9908: virtio-gpu: information leakage in     virgl_cmd_get_capset (bz #1402263)

  - CVE-2016-9912: virtio-gpu: memory leakage when     destroying gpu resource (bz #1402285)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

qemu was updated to fix 21 security issues. These security issues were fixed :

  - CVE-2014-5388: Off-by-one error in the pci_read function     in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in     QEMU allowed local guest users to obtain sensitive     information and have other unspecified impact related to     a crafted PCI device that triggers memory corruption     (bsc#893323).

  - CVE-2015-6815: e1000 NIC emulation support was     vulnerable to an infinite loop issue. A privileged user     inside guest could have used this flaw to crash the Qemu     instance resulting in DoS. (bsc#944697).

  - CVE-2016-2391: The ohci_bus_start function in the USB     OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU     allowed local guest OS administrators to cause a denial     of service (NULL pointer dereference and QEMU process     crash) via vectors related to multiple eof_timers     (bsc#967013).

  - CVE-2016-2392: The is_rndis function in the USB Net     device emulator (hw/usb/dev-network.c) in QEMU did not     properly validate USB configuration descriptor objects,     which allowed local guest OS administrators to cause a     denial of service (NULL pointer dereference and QEMU     process crash) via vectors involving a remote NDIS     control message packet (bsc#967012).

  - CVE-2016-4453: The vmsvga_fifo_run function in     hw/display/vmware_vga.c in QEMU allowed local guest OS     administrators to cause a denial of service (infinite     loop and QEMU process crash) via a VGA command     (bsc#982223).

  - CVE-2016-4454: The vmsvga_fifo_read_raw function in     hw/display/vmware_vga.c in QEMU allowed local guest OS     administrators to obtain sensitive host memory     information or cause a denial of service (QEMU process     crash) by changing FIFO registers and issuing a VGA     command, which triggers an out-of-bounds read     (bsc#982222).

  - CVE-2016-5105: The megasas_dcmd_cfg_read function in     hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS     8708EM2 Host Bus Adapter emulation support, used an     uninitialized variable, which allowed local guest     administrators to read host memory via vectors involving     a MegaRAID Firmware Interface (MFI) command     (bsc#982017).

  - CVE-2016-5106: The megasas_dcmd_set_properties function     in hw/scsi/megasas.c in QEMU, when built with MegaRAID     SAS 8708EM2 Host Bus Adapter emulation support, allowed     local guest administrators to cause a denial of service     (out-of-bounds write access) via vectors involving a     MegaRAID Firmware Interface (MFI) command (bsc#982018).

  - CVE-2016-5107: The megasas_lookup_frame function in     QEMU, when built with MegaRAID SAS 8708EM2 Host Bus     Adapter emulation support, allowed local guest OS     administrators to cause a denial of service     (out-of-bounds read and crash) via unspecified vectors     (bsc#982019).

  - CVE-2016-5126: Heap-based buffer overflow in the     iscsi_aio_ioctl function in block/iscsi.c in QEMU     allowed local guest OS users to cause a denial of     service (QEMU process crash) or possibly execute     arbitrary code via a crafted iSCSI asynchronous I/O     ioctl call (bsc#982285).

  - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in     QEMU allowed local guest OS administrators to cause a     denial of service (out-of-bounds write and QEMU process     crash) via vectors related to reading from the     information transfer buffer in non-DMA mode     (bsc#982959).

  - CVE-2016-5337: The megasas_ctrl_get_info function in     hw/scsi/megasas.c in QEMU allowed local guest OS     administrators to obtain sensitive host memory     information via vectors related to reading device     control information (bsc#983961).

  - CVE-2016-5338: The (1) esp_reg_read and (2)     esp_reg_write functions in hw/scsi/esp.c in QEMU allowed     local guest OS administrators to cause a denial of     service (QEMU process crash) or execute arbitrary code     on the QEMU host via vectors related to the information     transfer buffer (bsc#983982).

  - CVE-2016-5403: The virtqueue_pop function in     hw/virtio/virtio.c in QEMU allowed local guest OS     administrators to cause a denial of service (memory     consumption and QEMU process crash) by submitting     requests without waiting for completion (bsc#991080).

  - CVE-2016-6490: Infinite loop in the virtio framework. A     privileged user inside the guest could have used this     flaw to crash the Qemu instance on the host resulting in     DoS (bsc#991466).

  - CVE-2016-6833: Use-after-free issue in the VMWARE     VMXNET3 NIC device support. A privileged user inside     guest could have used this issue to crash the Qemu     instance resulting in DoS (bsc#994774).

  - CVE-2016-6836: VMWARE VMXNET3 NIC device support was     leaging information leakage. A privileged user inside     guest could have used this to leak host memory bytes to     a guest (bsc#994760).

  - CVE-2016-6888: Integer overflow in packet initialisation     in VMXNET3 device driver. A privileged user inside guest     could have used this flaw to crash the Qemu instance     resulting in DoS (bsc#994771).

  - CVE-2016-7116: Host directory sharing via Plan 9 File     System(9pfs) was vulnerable to a directory/path     traversal issue. A privileged user inside guest could     have used this flaw to access undue files on the host     (bsc#996441).

  - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus     a OOB access and/or infinite loop issue could have     allowed a privileged user inside guest to crash the Qemu     process resulting in DoS (bsc#997858).

  - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus     a infinite loop issue could have allowed a privileged     user inside guest to crash the Qemu process resulting in     DoS (bsc#997859).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Zhenhao Hong discovered that QEMU incorrectly handled the Virtio module. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service.
(CVE-2016-5403)

Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6833, CVE-2016-6834, CVE-2016-6888)

Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6835)

Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support. A privileged attacker inside the guest could use this issue to possibly to obtain sensitive host memory. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6836)

Felix Wilhelm discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to possibly to obtain sensitive host files.
(CVE-2016-7116)

Li Qiang and Tom Victor discovered that QEMU incorrectly handled VMWARE PVSCSI paravirtual SCSI bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7155)

Li Qiang discovered that QEMU incorrectly handled VMWARE PVSCSI paravirtual SCSI bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7156, CVE-2016-7421)

Tom Victor discovered that QEMU incorrectly handled LSI SAS1068 host bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.10. (CVE-2016-7157)

Hu Chaojian discovered that QEMU incorrectly handled xlnx.xps-ethernetlite emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-7161)

Qinghao Tang and Li Qiang discovered that QEMU incorrectly handled the VMware VGA module. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-7170)

Qinghao Tang and Zhenhao Hong discovered that QEMU incorrectly handled the Virtio module. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.10. (CVE-2016-7422)

Li Qiang discovered that QEMU incorrectly handled LSI SAS1068 host bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.10. (CVE-2016-7423)

Li Qiang discovered that QEMU incorrectly handled USB xHCI controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-7466)

Li Qiang discovered that QEMU incorrectly handled ColdFire Fast Ethernet Controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-7908)

Li Qiang discovered that QEMU incorrectly handled AMD PC-Net II emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-7909)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-7994)

Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service.
This issue only affected Ubuntu 16.10. (CVE-2016-7995)

Li Qiang discovered that QEMU incorrectly handled USB xHCI controller support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-8576)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-8577, CVE-2016-8578)

It was discovered that QEMU incorrectly handled Rocker switch emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-8668)

It was discovered that QEMU incorrectly handled Intel HDA controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-8909)

Andrew Henderson discovered that QEMU incorrectly handled RTL8139 ethernet controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-8910)

Li Qiang discovered that QEMU incorrectly handled Intel i8255x ethernet controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-9101)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-9102, CVE-2016-9104, CVE-2016-9105)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to possibly to obtain sensitive host memory. (CVE-2016-9103)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9106).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

qemu was updated to fix 19 security issues.

These security issues were fixed :

  - CVE-2016-2392: The is_rndis function in the USB Net     device emulator (hw/usb/dev-network.c) in QEMU did not     properly validate USB configuration descriptor objects,     which allowed local guest OS administrators to cause a     denial of service (NULL pointer dereference and QEMU     process crash) via vectors involving a remote NDIS     control message packet (bsc#967012)

  - CVE-2016-2391: The ohci_bus_start function in the USB     OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU     allowed local guest OS administrators to cause a denial     of service (NULL pointer dereference and QEMU process     crash) via vectors related to multiple eof_timers     (bsc#967013)

  - CVE-2016-5106: The megasas_dcmd_set_properties function     in hw/scsi/megasas.c in QEMU, when built with MegaRAID     SAS 8708EM2 Host Bus Adapter emulation support, allowed     local guest administrators to cause a denial of service     (out-of-bounds write access) via vectors involving a     MegaRAID Firmware Interface (MFI) command (bsc#982018)

  - CVE-2016-5105: The megasas_dcmd_cfg_read function in     hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS     8708EM2 Host Bus Adapter emulation support, used an     uninitialized variable, which allowed local guest     administrators to read host memory via vectors involving     a MegaRAID Firmware Interface (MFI) command (bsc#982017)

  - CVE-2016-5107: The megasas_lookup_frame function in     QEMU, when built with MegaRAID SAS 8708EM2 Host Bus     Adapter emulation support, allowed local guest OS     administrators to cause a denial of service     (out-of-bounds read and crash) via unspecified vectors     (bsc#982019)

  - CVE-2016-5126: Heap-based buffer overflow in the     iscsi_aio_ioctl function in block/iscsi.c in QEMU     allowed local guest OS users to cause a denial of     service (QEMU process crash) or possibly execute     arbitrary code via a crafted iSCSI asynchronous I/O     ioctl call (bsc#982285)

  - CVE-2016-4454: The vmsvga_fifo_read_raw function in     hw/display/vmware_vga.c in QEMU allowed local guest OS     administrators to obtain sensitive host memory     information or cause a denial of service (QEMU process     crash) by changing FIFO registers and issuing a VGA     command, which triggers an out-of-bounds read     (bsc#982222)

  - CVE-2016-4453: The vmsvga_fifo_run function in     hw/display/vmware_vga.c in QEMU allowed local guest OS     administrators to cause a denial of service (infinite     loop and QEMU process crash) via a VGA command     (bsc#982223)

  - CVE-2016-5338: The (1) esp_reg_read and (2)     esp_reg_write functions in hw/scsi/esp.c in QEMU allowed     local guest OS administrators to cause a denial of     service (QEMU process crash) or execute arbitrary code     on the QEMU host via vectors related to the information     transfer buffer (bsc#983982)

  - CVE-2016-5337: The megasas_ctrl_get_info function in     hw/scsi/megasas.c in QEMU allowed local guest OS     administrators to obtain sensitive host memory     information via vectors related to reading device     control information (bsc#983961)

  - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in     QEMU allowed local guest OS administrators to cause a     denial of service (out-of-bounds write and QEMU process     crash) via vectors related to reading from the     information transfer buffer in non-DMA mode (bsc#982959)

  - CVE-2016-5403: The virtqueue_pop function in     hw/virtio/virtio.c in QEMU allowed local guest OS     administrators to cause a denial of service (memory     consumption and QEMU process crash) by submitting     requests without waiting for completion (bsc#991080)

  - CVE-2016-6490: Infinite loop in the virtio framework. A     privileged user inside the guest could have used this     flaw to crash the Qemu instance on the host resulting in     DoS (bsc#991466)

  - CVE-2016-6888: Integer overflow in packet initialisation     in VMXNET3 device driver. A privileged user inside guest     could have used this flaw to crash the Qemu instance     resulting in DoS (bsc#994771)

  - CVE-2016-6833: Use-after-free issue in the VMWARE     VMXNET3 NIC device support. A privileged user inside     guest could have used this issue to crash the Qemu     instance resulting in DoS (bsc#994774)

  - CVE-2016-7116: Host directory sharing via Plan 9 File     System(9pfs) was vulnerable to a directory/path     traversal issue. A privileged user inside guest could     have used this flaw to access undue files on the host     (bsc#996441)

  - CVE-2016-6836: VMWARE VMXNET3 NIC device support was     leaging information leakage. A privileged user inside     guest could have used this to leak host memory bytes to     a guest (bsc#994760)

  - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus     a OOB access and/or infinite loop issue could have     allowed a privileged user inside guest to crash the Qemu     process resulting in DoS (bsc#997858)

  - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus     a infinite loop issue could have allowed a privileged     user inside guest to crash the Qemu process resulting in     DoS (bsc#997859)

This non-security issue was fixed :

  - bsc#1000048: Fix migration failure where target host is     a soon to be released SLES 12 SP2. Qemu's spice code     gets an assertion.

This update was imported from the SUSE:SLE-12-SP1:Update update project.

qemu was updated to fix 19 security issues. These security issues were fixed :

  - CVE-2016-2392: The is_rndis function in the USB Net     device emulator (hw/usb/dev-network.c) in QEMU did not     properly validate USB configuration descriptor objects,     which allowed local guest OS administrators to cause a     denial of service (NULL pointer dereference and QEMU     process crash) via vectors involving a remote NDIS     control message packet (bsc#967012)

  - CVE-2016-2391: The ohci_bus_start function in the USB     OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU     allowed local guest OS administrators to cause a denial     of service (NULL pointer dereference and QEMU process     crash) via vectors related to multiple eof_timers     (bsc#967013)

  - CVE-2016-5106: The megasas_dcmd_set_properties function     in hw/scsi/megasas.c in QEMU, when built with MegaRAID     SAS 8708EM2 Host Bus Adapter emulation support, allowed     local guest administrators to cause a denial of service     (out-of-bounds write access) via vectors involving a     MegaRAID Firmware Interface (MFI) command (bsc#982018)

  - CVE-2016-5105: The megasas_dcmd_cfg_read function in     hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS     8708EM2 Host Bus Adapter emulation support, used an     uninitialized variable, which allowed local guest     administrators to read host memory via vectors involving     a MegaRAID Firmware Interface (MFI) command (bsc#982017)

  - CVE-2016-5107: The megasas_lookup_frame function in     QEMU, when built with MegaRAID SAS 8708EM2 Host Bus     Adapter emulation support, allowed local guest OS     administrators to cause a denial of service     (out-of-bounds read and crash) via unspecified vectors     (bsc#982019)

  - CVE-2016-5126: Heap-based buffer overflow in the     iscsi_aio_ioctl function in block/iscsi.c in QEMU     allowed local guest OS users to cause a denial of     service (QEMU process crash) or possibly execute     arbitrary code via a crafted iSCSI asynchronous I/O     ioctl call (bsc#982285)

  - CVE-2016-4454: The vmsvga_fifo_read_raw function in     hw/display/vmware_vga.c in QEMU allowed local guest OS     administrators to obtain sensitive host memory     information or cause a denial of service (QEMU process     crash) by changing FIFO registers and issuing a VGA     command, which triggers an out-of-bounds read     (bsc#982222)

  - CVE-2016-4453: The vmsvga_fifo_run function in     hw/display/vmware_vga.c in QEMU allowed local guest OS     administrators to cause a denial of service (infinite     loop and QEMU process crash) via a VGA command     (bsc#982223)

  - CVE-2016-5338: The (1) esp_reg_read and (2)     esp_reg_write functions in hw/scsi/esp.c in QEMU allowed     local guest OS administrators to cause a denial of     service (QEMU process crash) or execute arbitrary code     on the QEMU host via vectors related to the information     transfer buffer (bsc#983982)

  - CVE-2016-5337: The megasas_ctrl_get_info function in     hw/scsi/megasas.c in QEMU allowed local guest OS     administrators to obtain sensitive host memory     information via vectors related to reading device     control information (bsc#983961)

  - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in     QEMU allowed local guest OS administrators to cause a     denial of service (out-of-bounds write and QEMU process     crash) via vectors related to reading from the     information transfer buffer in non-DMA mode (bsc#982959)

  - CVE-2016-5403: The virtqueue_pop function in     hw/virtio/virtio.c in QEMU allowed local guest OS     administrators to cause a denial of service (memory     consumption and QEMU process crash) by submitting     requests without waiting for completion (bsc#991080)

  - CVE-2016-6490: Infinite loop in the virtio framework. A     privileged user inside the guest could have used this     flaw to crash the Qemu instance on the host resulting in     DoS (bsc#991466)

  - CVE-2016-6888: Integer overflow in packet initialisation     in VMXNET3 device driver. A privileged user inside guest     could have used this flaw to crash the Qemu instance     resulting in DoS (bsc#994771)

  - CVE-2016-6833: Use-after-free issue in the VMWARE     VMXNET3 NIC device support. A privileged user inside     guest could have used this issue to crash the Qemu     instance resulting in DoS (bsc#994774)

  - CVE-2016-7116: Host directory sharing via Plan 9 File     System(9pfs) was vulnerable to a directory/path     traversal issue. A privileged user inside guest could     have used this flaw to access undue files on the host     (bsc#996441)

  - CVE-2016-6836: VMWARE VMXNET3 NIC device support was     leaging information leakage. A privileged user inside     guest could have used this to leak host memory bytes to     a guest (bsc#994760)

  - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus     a OOB access and/or infinite loop issue could have     allowed a privileged user inside guest to crash the Qemu     process resulting in DoS (bsc#997858)

  - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus     a infinite loop issue could have allowed a privileged     user inside guest to crash the Qemu process resulting in     DoS (bsc#997859)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2014-3672: The qemu implementation in libvirt Xen     allowed local guest OS users to cause a denial of     service (host disk consumption) by writing to stdout or     stderr (bsc#981264).

  - CVE-2016-3158: The xrstor function did not properly     handle writes to the hardware FSW.ES bit when running on     AMD64 processors, which allowed local guest OS users to     obtain sensitive register content information from     another guest by leveraging pending exception and mask     bits (bsc#973188).

  - CVE-2016-3159: The fpu_fxrstor function in     arch/x86/i387.c did not properly handle writes to the     hardware FSW.ES bit when running on AMD64 processors,     which allowed local guest OS users to obtain sensitive     register content information from another guest by     leveraging pending exception and mask bits (bsc#973188).

  - CVE-2016-3710: The VGA module improperly performed     bounds checking on banked access to video memory, which     allowed local guest OS administrators to execute     arbitrary code on the host by changing access modes     after setting the bank register, aka the 'Dark Portal'     issue (bsc#978164)

  - CVE-2016-3960: Integer overflow in the x86 shadow     pagetable code allowed local guest OS users to cause a     denial of service (host crash) or possibly gain     privileges by shadowing a superpage mapping     (bsc#974038).

  - CVE-2016-4001: Buffer overflow in the     stellaris_enet_receive function, when the Stellaris     ethernet controller is configured to accept large     packets, allowed remote attackers to cause a denial of     service (QEMU crash) via a large packet (bsc#975130).

  - CVE-2016-4002: Buffer overflow in the mipsnet_receive     function, when the guest NIC is configured to accept     large packets, allowed remote attackers to cause a     denial of service (memory corruption and QEMU crash) or     possibly execute arbitrary code via a packet larger than     1514 bytes (bsc#975138).

  - CVE-2016-4020: The patch_instruction function did not     initialize the imm32 variable, which allowed local guest     OS administrators to obtain sensitive information from     host stack memory by accessing the Task Priority     Register (TPR) (bsc#975907)

  - CVE-2016-4037: The ehci_advance_state function in     hw/usb/hcd-ehci.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) via a circular split isochronous transfer     descriptor (siTD) list (bsc#976111)

  - CVE-2016-4439: The esp_reg_write function in the 53C9X     Fast SCSI Controller (FSC) support did not properly     check command buffer length, which allowed local guest     OS administrators to cause a denial of service     (out-of-bounds write and QEMU process crash) or     potentially execute arbitrary code on the host via     unspecified vectors (bsc#980716)

  - CVE-2016-4441: The get_cmd function in the 53C9X Fast     SCSI Controller (FSC) support did not properly check DMA     length, which allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via unspecified vectors, involving an     SCSI command (bsc#980724)

  - CVE-2016-4453: The vmsvga_fifo_run function allowed     local guest OS administrators to cause a denial of     service (infinite loop and QEMU process crash) via a VGA     command (bsc#982225)

  - CVE-2016-4454: The vmsvga_fifo_read_raw function allowed     local guest OS administrators to obtain sensitive host     memory information or cause a denial of service (QEMU     process crash) by changing FIFO registers and issuing a     VGA command, which triggered an out-of-bounds read     (bsc#982224)

  - CVE-2016-4480: The guest_walk_tables function in     arch/x86/mm/guest_walk.c in Xen did not properly handle     the Page Size (PS) page table entry bit at the L4 and L3     page table levels, which might have allowed local guest     OS users to gain privileges via a crafted mapping of     memory (bsc#978295).

  - CVE-2016-4952: Out-of-bounds access issue in     pvsci_ring_init_msg/data routines (bsc#981276)

  - CVE-2016-4962: The libxl device-handling allowed local     OS guest administrators to cause a denial of service     (resource consumption or management facility confusion)     or gain host OS privileges by manipulating information     in guest controlled areas of xenstore (bsc#979620)

  - CVE-2016-4963: The libxl device-handling allowed local     guest OS users with access to the driver domain to cause     a denial of service (management tool confusion) by     manipulating information in the backend directories in     xenstore (bsc#979670)

  - CVE-2016-5105: Stack information leakage while reading     configuration (bsc#982024)

  - CVE-2016-5106: Out-of-bounds write while setting     controller properties (bsc#982025)

  - CVE-2016-5107: Out-of-bounds read in     megasas_lookup_frame() function (bsc#982026)

  - CVE-2016-5126: Heap-based buffer overflow in the     iscsi_aio_ioctl function allowed local guest OS users to     cause a denial of service (QEMU process crash) or     possibly execute arbitrary code via a crafted iSCSI     asynchronous I/O ioctl call (bsc#982286)

  - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c     might have allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via vectors related to reading from the     information transfer buffer in non-DMA mode (bsc#982960)

  - CVE-2016-5337: The megasas_ctrl_get_info function     allowed local guest OS administrators to obtain     sensitive host memory information via vectors related to     reading device control information (bsc#983973)

  - CVE-2016-5338: The (1) esp_reg_read and (2)     esp_reg_write functions allowed local guest OS     administrators to cause a denial of service (QEMU     process crash) or execute arbitrary code on the host via     vectors related to the information transfer buffer     (bsc#983984)

  - CVE-2016-5403: virtio: unbounded memory allocation on     host via guest leading to DoS (XSA-184) (bsc#990923)

  - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in     Xen allowed local 32-bit PV guest OS administrators to     gain host OS privileges by leveraging fast-paths for     updating pagetable entries (bsc#988675)

  - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c,     when built with ESP/NCR53C9x controller emulation     support, allowed local guest OS administrators to cause     a denial of service (out-of-bounds write and QEMU     process crash) or execute arbitrary code on the host via     vectors involving DMA read into ESP command buffer     (bsc#990843).

  - CVE-2016-6833: A use-after-free issue in the VMWARE     VMXNET3 NIC device support allowed privileged user     inside guest to crash the Qemu instance resulting in DoS     (bsc#994775).

  - CVE-2016-6834: A infinite loop during packet     fragmentation in the VMWARE VMXNET3 NIC device support     allowed privileged user inside guest to crash the Qemu     instance resulting in DoS (bsc#994421).

  - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC     device support, causing an OOB read access (bsc#994625).

  - CVE-2016-6836: VMWARE VMXNET3 NIC device allowed     privileged user inside the guest to leak information. It     occured while processing transmit(tx) queue, when it     reaches the end of packet (bsc#994761).

  - CVE-2016-6888: A integer overflow int the VMWARE VMXNET3     NIC device support, during the initialisation of new     packets in the device, could have allowed a privileged     user inside guest to crash the Qemu instance resulting     in DoS (bsc#994772).

  - CVE-2016-7092: The get_page_from_l3e function in     arch/x86/mm.c in Xen allowed local 32-bit PV guest OS     administrators to gain host OS privileges via vectors     related to L3 recursive pagetables (bsc#995785)

  - CVE-2016-7093: Xen allowed local HVM guest OS     administrators to overwrite hypervisor memory and     consequently gain host OS privileges by leveraging     mishandling of instruction pointer truncation during     emulation (bsc#995789)

  - CVE-2016-7094: Buffer overflow in Xen allowed local x86     HVM guest OS administrators on guests running with     shadow paging to cause a denial of service via a     pagetable update (bsc#995792)

  - CVE-2016-7154: Use-after-free vulnerability in the FIFO     event channel code in Xen allowed local guest OS     administrators to cause a denial of service (host crash)     and possibly execute arbitrary code or obtain sensitive     information via an invalid guest frame number     (bsc#997731).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2016-7092: The get_page_from_l3e function in     arch/x86/mm.c in Xen allowed local 32-bit PV guest OS     administrators to gain host OS privileges via vectors     related to L3 recursive pagetables (bsc#995785)

  - CVE-2016-7093: Xen allowed local HVM guest OS     administrators to overwrite hypervisor memory and     consequently gain host OS privileges by leveraging     mishandling of instruction pointer truncation during     emulation (bsc#995789)

  - CVE-2016-7094: Buffer overflow in Xen allowed local x86     HVM guest OS administrators on guests running with     shadow paging to cause a denial of service via a     pagetable update (bsc#995792)

  - CVE-2016-7154: Use-after-free vulnerability in the FIFO     event channel code in Xen allowed local guest OS     administrators to cause a denial of service (host crash)     and possibly execute arbitrary code or obtain sensitive     information via an invalid guest frame number     (bsc#997731)

  - CVE-2016-6836: VMWARE VMXNET3 NIC device allowed     privileged user inside the guest to leak information. It     occured while processing transmit(tx) queue, when it     reaches the end of packet (bsc#994761)

  - CVE-2016-6888: A integer overflow int the VMWARE VMXNET3     NIC device support, during the initialisation of new     packets in the device, could have allowed a privileged     user inside guest to crash the Qemu instance resulting     in DoS (bsc#994772)

  - CVE-2016-6833: A use-after-free issue in the VMWARE     VMXNET3 NIC device support allowed privileged user     inside guest to crash the Qemu instance resulting in DoS     (bsc#994775)

  - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC     device support, causing an OOB read access (bsc#994625)

  - CVE-2016-6834: A infinite loop during packet     fragmentation in the VMWARE VMXNET3 NIC device support     allowed privileged user inside guest to crash the Qemu     instance resulting in DoS (bsc#994421)

  - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in     Xen allowed local 32-bit PV guest OS administrators to     gain host OS privileges by leveraging fast-paths for     updating pagetable entries (bsc#988675)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

These security issues were fixed :

  - CVE-2016-7092: The get_page_from_l3e function in     arch/x86/mm.c in Xen allowed local 32-bit PV guest OS     administrators to gain host OS privileges via vectors     related to L3 recursive pagetables (bsc#995785)

  - CVE-2016-7093: Xen allowed local HVM guest OS     administrators to overwrite hypervisor memory and     consequently gain host OS privileges by leveraging     mishandling of instruction pointer truncation during     emulation (bsc#995789)

  - CVE-2016-7094: Buffer overflow in Xen allowed local x86     HVM guest OS administrators on guests running with     shadow paging to cause a denial of service via a     pagetable update (bsc#995792)

  - CVE-2016-6836: VMWARE VMXNET3 NIC device support was     leaging information leakage. A privileged user inside     guest could have used this to leak host memory bytes to     a guest (boo#994761)

  - CVE-2016-6888: Integer overflow in packet initialisation     in VMXNET3 device driver. A privileged user inside guest     could have used this flaw to crash the Qemu instance     resulting in DoS (bsc#994772)

  - CVE-2016-6833: Use-after-free issue in the VMWARE     VMXNET3 NIC device support. A privileged user inside     guest could have used this issue to crash the Qemu     instance resulting in DoS (boo#994775)

  - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC     device support, causing an OOB read access (bsc#994625)

  - CVE-2016-6834: A infinite loop during packet     fragmentation in the VMWARE VMXNET3 NIC device support     allowed privileged user inside guest to crash the Qemu     instance resulting in DoS (bsc#994421)

  - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in     Xen allowed local 32-bit PV guest OS administrators to     gain host OS privileges by leveraging fast-paths for     updating pagetable entries (bsc#988675)

  - CVE-2016-6259: Xen did not implement Supervisor Mode     Access Prevention (SMAP) whitelisting in 32-bit     exception and event delivery, which allowed local 32-bit     PV guest OS kernels to cause a denial of service     (hypervisor and VM crash) by triggering a safety check     (bsc#988676)

  - CVE-2016-5403: The virtqueue_pop function in     hw/virtio/virtio.c in QEMU allowed local guest OS     administrators to cause a denial of service (memory     consumption and QEMU process crash) by submitting     requests without waiting for completion (boo#990923)

  - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c,     when built with ESP/NCR53C9x controller emulation     support, allowed local guest OS administrators to cause     a denial of service (out-of-bounds write and QEMU     process crash) or execute arbitrary code on the host via     vectors involving DMA read into ESP command buffer     (bsc#990843)

  - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in     Xen allowed local 32-bit PV guest OS administrators to     gain host OS privileges by leveraging fast-paths for     updating pagetable entries (bsc#988675)

  - CVE-2016-6259: Xen did not implement Supervisor Mode     Access Prevention (SMAP) whitelisting in 32-bit     exception and event delivery, which allowed local 32-bit     PV guest OS kernels to cause a denial of service     (hypervisor and VM crash) by triggering a safety check     (bsc#988676)

  - CVE-2016-5337: The megasas_ctrl_get_info function in     hw/scsi/megasas.c in QEMU allowed local guest OS     administrators to obtain sensitive host memory     information via vectors related to reading device     control information (bsc#983973)

  - CVE-2016-5338: The (1) esp_reg_read and (2)     esp_reg_write functions in hw/scsi/esp.c in QEMU allowed     local guest OS administrators to cause a denial of     service (QEMU process crash) or execute arbitrary code     on the QEMU host via vectors related to the information     transfer buffer (bsc#983984)

  - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in     QEMU allowed local guest OS administrators to cause a     denial of service (out-of-bounds write and QEMU process     crash) via vectors related to reading from the     information transfer buffer in non-DMA mode (bsc#982960)

  - CVE-2016-4453: The vmsvga_fifo_run function in     hw/display/vmware_vga.c in QEMU allowed local guest OS     administrators to cause a denial of service (infinite     loop and QEMU process crash) via a VGA command     (bsc#982225)

  - CVE-2016-4454: The vmsvga_fifo_read_raw function in     hw/display/vmware_vga.c in QEMU allowed local guest OS     administrators to obtain sensitive host memory     information or cause a denial of service (QEMU process     crash) by changing FIFO registers and issuing a VGA     command, which triggers an out-of-bounds read     (bsc#982224)

  - CVE-2016-5126: Heap-based buffer overflow in the     iscsi_aio_ioctl function in block/iscsi.c in QEMU     allowed local guest OS users to cause a denial of     service (QEMU process crash) or possibly execute     arbitrary code via a crafted iSCSI asynchronous I/O     ioctl call (bsc#982286)

  - CVE-2016-5105: The megasas_dcmd_cfg_read function in     hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS     8708EM2 Host Bus Adapter emulation support, used an     uninitialized variable, which allowed local guest     administrators to read host memory via vectors involving     a MegaRAID Firmware Interface (MFI) command (bsc#982024)

  - CVE-2016-5106: The megasas_dcmd_set_properties function     in hw/scsi/megasas.c in QEMU, when built with MegaRAID     SAS 8708EM2 Host Bus Adapter emulation support, allowed     local guest administrators to cause a denial of service     (out-of-bounds write access) via vectors involving a     MegaRAID Firmware Interface (MFI) command (bsc#982025)

  - CVE-2016-5107: The megasas_lookup_frame function in     QEMU, when built with MegaRAID SAS 8708EM2 Host Bus     Adapter emulation support, allowed local guest OS     administrators to cause a denial of service     (out-of-bounds read and crash) via unspecified vectors     (bsc#982026)

  - CVE-2016-4963: The libxl device-handling allowed local     guest OS users with access to the driver domain to cause     a denial of service (management tool confusion) by     manipulating information in the backend directories in     xenstore (bsc#979670)

  - CVE-2016-4962: The libxl device-handling allowed local     OS guest administrators to cause a denial of service     (resource consumption or management facility confusion)     or gain host OS privileges by manipulating information     in guest controlled areas of xenstore (bsc#979620)

  - CVE-2016-4952: Out-of-bounds access issue in     pvsci_ring_init_msg/data routines (bsc#981276)

  - CVE-2016-3710: The VGA module improperly performed     bounds checking on banked access to video memory, which     allowed local guest OS administrators to execute     arbitrary code on the host by changing access modes     after setting the bank register, aka the 'Dark Portal'     issue (bsc#978164)

  - CVE-2014-3672: The qemu implementation in libvirt Xen     allowed local guest OS users to cause a denial of     service (host disk consumption) by writing to stdout or     stderr (bsc#981264)

  - CVE-2016-4441: The get_cmd function in the 53C9X Fast     SCSI Controller (FSC) support did not properly check DMA     length, which allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via unspecified vectors, involving an     SCSI command (bsc#980724)

  - CVE-2016-4439: The esp_reg_write function in the 53C9X     Fast SCSI Controller (FSC) support did not properly     check command buffer length, which allowed local guest     OS administrators to cause a denial of service     (out-of-bounds write and QEMU process crash) or     potentially execute arbitrary code on the host via     unspecified vectors (bsc#980716)

  - CVE-2016-3960: Integer overflow in the x86 shadow     pagetable code allowed local guest OS users to cause a     denial of service (host crash) or possibly gain     privileges by shadowing a superpage mapping (bsc#974038)

  - CVE-2016-3158: The xrstor function did not properly     handle writes to the hardware FSW.ES bit when running on     AMD64 processors, which allowed local guest OS users to     obtain sensitive register content information from     another guest by leveraging pending exception and mask     bits (bsc#973188)

  - CVE-2016-3159: The fpu_fxrstor function in     arch/x86/i387.c did not properly handle writes to the     hardware FSW.ES bit when running on AMD64 processors,     which allowed local guest OS users to obtain sensitive     register content information from another guest by     leveraging pending exception and mask bits (bsc#973188)

  - CVE-2016-4037: The ehci_advance_state function in     hw/usb/hcd-ehci.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) via a circular split isochronous transfer     descriptor (siTD) list (bsc#976111)

  - CVE-2016-4020: The patch_instruction function did not     initialize the imm32 variable, which allowed local guest     OS administrators to obtain sensitive information from     host stack memory by accessing the Task Priority     Register (TPR) (bsc#975907)

  - CVE-2016-4001: Buffer overflow in the     stellaris_enet_receive function, when the Stellaris     ethernet controller is configured to accept large     packets, allowed remote attackers to cause a denial of     service (QEMU crash) via a large packet (bsc#975130)

  - CVE-2016-4002: Buffer overflow in the mipsnet_receive     function, when the guest NIC is configured to accept     large packets, allowed remote attackers to cause a     denial of service (memory corruption and QEMU crash) or     possibly execute arbitrary code via a packet larger than     1514 bytes (bsc#975138)

  - CVE-2016-4480: The guest_walk_tables function in     arch/x86/mm/guest_walk.c in Xen did not properly handle     the Page Size (PS) page table entry bit at the L4 and L3     page table levels, which might have allowed local guest     OS users to gain privileges via a crafted mapping of     memory (bsc#978295)

These non-security issues were fixed :

  - boo#991934: xen hypervisor crash in csched_acct

  - boo#992224: During boot of Xen Hypervisor, Failed to get     contiguous memory for DMA from Xen

  - boo#955104: Virsh reports error 'one or more references     were leaked after disconnect from hypervisor' when     'virsh save' failed due to 'no response from client     after 6 keepalive messages'

  - boo#959552: Migration of HVM guest leads into libvirt     segmentation fault

  - boo#993665: Migration of xen guests finishes in: One or     more references were leaked after disconnect from the     hypervisor

  - boo#959330: Guest migrations using virsh results in     error 'Internal error: received hangup / error event on     socket'

  - boo#990500: VM virsh migration fails with keepalive     error: ':virKeepAliveTimerInternal:143 : No response     from client'

  - boo#953518: Unplug also SCSI disks in     qemu-xen-traditional for upstream unplug protocol

  - boo#953518: xen_platform: unplug also SCSI disks in     qemu-xen

  - boo#971949: Support (by ignoring) xl migrate --live. xl     migrations are always live 

  - boo#970135: New virtualization project clock test     randomly fails on Xen

  - boo#990970: Add PMU support for Intel E7-8867 v4 (fam=6,     model=79)

  - boo#985503: vif-route broken

  - boo#961100: Migrate a fv guest from sles12 to sles12sp1     fails remove patch because it can not fix the bug

  - boo#978413: PV guest upgrade from sles11sp4 to sles12sp2     alpha3 failed on sles11sp4 xen host.

  - boo#986586: Out of memory (oom) during boot on 'modprobe     xenblk' (non xen kernel) init.50-hvm-xen_conf

  - boo#900418: Dump cannot be performed on SLES12 XEN

  - boo#953339, boo#953362, boo#953518, boo#984981:
    Implement SUSE specific unplug protocol for emulated PCI     devices in PVonHVM guests to qemu-xen-upstream 

  - boo#954872: script block-dmmd not working as expected -     libxl: error: libxl_dm.c (Additional fixes) block-dmmd

  - boo#982695: xen-4.5.2 qemu fails to boot HVM guest from     xvda 

  - boo#958848: HVM guest crash at /usr/src/packages/BUILD/     xen-4.4.2-testing/obj/default/balloon/balloon.c:407

  - boo#949889: Fail to install 32-bit paravirt VM under     SLES12SP1Beta3 XEN

  - boo#954872: script block-dmmd not working as expected -     libxl: error: libxl_dm.c (another modification)     block-dmmd

  - boo#961600: Poor performance when Xen HVM domU     configured with max memory greater than current memory

  - boo#963161: Windows VM getting stuck during load while a     VF is assigned to it after upgrading to latest     maintenance updates

  - boo#976058: Xen error running simple HVM guest (Post     Alpha 2 xen+qemu)

  - boo#961100: Migrate a fv guest from sles12 to sles12sp1     on xen fails for 'Domain is not running on destination     host'. qemu-ignore-kvm-tpr-opt-on-migration.patch 

  - boo#973631: AWS EC2 kdump issue

  - boo#964427: Discarding device blocks: failed -     Input/output error

This update for xen fixes the following issues :

These security issues were fixed :

  - CVE-2016-7092: The get_page_from_l3e function in     arch/x86/mm.c in Xen allowed local 32-bit PV guest OS     administrators to gain host OS privileges via vectors     related to L3 recursive pagetables (bsc#995785)

  - CVE-2016-7093: Xen allowed local HVM guest OS     administrators to overwrite hypervisor memory and     consequently gain host OS privileges by leveraging     mishandling of instruction pointer truncation during     emulation (bsc#995789)

  - CVE-2016-7094: Buffer overflow in Xen allowed local x86     HVM guest OS administrators on guests running with     shadow paging to cause a denial of service via a     pagetable update (bsc#995792)

  - CVE-2016-7154: Use-after-free vulnerability in the FIFO     event channel code in Xen allowed local guest OS     administrators to cause a denial of service (host crash)     and possibly execute arbitrary code or obtain sensitive     information via an invalid guest frame number     (bsc#997731)

  - CVE-2016-6836: VMWARE VMXNET3 NIC device support was     leaging information leakage. A privileged user inside     guest could have used this to leak host memory bytes to     a guest (boo#994761)

  - CVE-2016-6888: Integer overflow in packet initialisation     in VMXNET3 device driver. A privileged user inside guest     could have used this flaw to crash the Qemu instance     resulting in DoS (bsc#994772)

  - CVE-2016-6833: Use-after-free issue in the VMWARE     VMXNET3 NIC device support. A privileged user inside     guest could have used this issue to crash the Qemu     instance resulting in DoS (boo#994775)

  - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC     device support, causing an OOB read access (bsc#994625)

  - CVE-2016-6834: A infinite loop during packet     fragmentation in the VMWARE VMXNET3 NIC device support     allowed privileged user inside guest to crash the Qemu     instance resulting in DoS (bsc#994421)

  - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in     Xen allowed local 32-bit PV guest OS administrators to     gain host OS privileges by leveraging fast-paths for     updating pagetable entries (bsc#988675)

  - CVE-2016-5403: The virtqueue_pop function in     hw/virtio/virtio.c in QEMU allowed local guest OS     administrators to cause a denial of service (memory     consumption and QEMU process crash) by submitting     requests without waiting for completion (boo#990923)

  - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c,     when built with ESP/NCR53C9x controller emulation     support, allowed local guest OS administrators to cause     a denial of service (out-of-bounds write and QEMU     process crash) or execute arbitrary code on the host via     vectors involving DMA read into ESP command buffer     (bsc#990843)

  - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in     Xen allowed local 32-bit PV guest OS administrators to     gain host OS privileges by leveraging fast-paths for     updating pagetable entries (bsc#988675)

  - CVE-2016-5337: The megasas_ctrl_get_info function in     hw/scsi/megasas.c in QEMU allowed local guest OS     administrators to obtain sensitive host memory     information via vectors related to reading device     control information (bsc#983973)

  - CVE-2016-5338: The (1) esp_reg_read and (2)     esp_reg_write functions in hw/scsi/esp.c in QEMU allowed     local guest OS administrators to cause a denial of     service (QEMU process crash) or execute arbitrary code     on the QEMU host via vectors related to the information     transfer buffer (bsc#983984)

  - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in     QEMU allowed local guest OS administrators to cause a     denial of service (out-of-bounds write and QEMU process     crash) via vectors related to reading from the     information transfer buffer in non-DMA mode (bsc#982960)

  - CVE-2016-4453: The vmsvga_fifo_run function in     hw/display/vmware_vga.c in QEMU allowed local guest OS     administrators to cause a denial of service (infinite     loop and QEMU process crash) via a VGA command     (bsc#982225)

  - CVE-2016-4454: The vmsvga_fifo_read_raw function in     hw/display/vmware_vga.c in QEMU allowed local guest OS     administrators to obtain sensitive host memory     information or cause a denial of service (QEMU process     crash) by changing FIFO registers and issuing a VGA     command, which triggers an out-of-bounds read     (bsc#982224)

  - CVE-2016-5126: Heap-based buffer overflow in the     iscsi_aio_ioctl function in block/iscsi.c in QEMU     allowed local guest OS users to cause a denial of     service (QEMU process crash) or possibly execute     arbitrary code via a crafted iSCSI asynchronous I/O     ioctl call (bsc#982286)

  - CVE-2016-5105: The megasas_dcmd_cfg_read function in     hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS     8708EM2 Host Bus Adapter emulation support, used an     uninitialized variable, which allowed local guest     administrators to read host memory via vectors involving     a MegaRAID Firmware Interface (MFI) command (bsc#982024)

  - CVE-2016-5106: The megasas_dcmd_set_properties function     in hw/scsi/megasas.c in QEMU, when built with MegaRAID     SAS 8708EM2 Host Bus Adapter emulation support, allowed     local guest administrators to cause a denial of service     (out-of-bounds write access) via vectors involving a     MegaRAID Firmware Interface (MFI) command (bsc#982025)

  - CVE-2016-5107: The megasas_lookup_frame function in     QEMU, when built with MegaRAID SAS 8708EM2 Host Bus     Adapter emulation support, allowed local guest OS     administrators to cause a denial of service     (out-of-bounds read and crash) via unspecified vectors     (bsc#982026)

  - CVE-2016-4963: The libxl device-handling allowed local     guest OS users with access to the driver domain to cause     a denial of service (management tool confusion) by     manipulating information in the backend directories in     xenstore (bsc#979670)

  - CVE-2016-4962: The libxl device-handling allowed local     OS guest administrators to cause a denial of service     (resource consumption or management facility confusion)     or gain host OS privileges by manipulating information     in guest controlled areas of xenstore (bsc#979620)

  - CVE-2016-4952: Out-of-bounds access issue in     pvsci_ring_init_msg/data routines (bsc#981276)

  - CVE-2014-3672: The qemu implementation in libvirt Xen     allowed local guest OS users to cause a denial of     service (host disk consumption) by writing to stdout or     stderr (bsc#981264)

  - CVE-2016-4441: The get_cmd function in the 53C9X Fast     SCSI Controller (FSC) support did not properly check DMA     length, which allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via unspecified vectors, involving an     SCSI command (bsc#980724)

  - CVE-2016-4439: The esp_reg_write function in the 53C9X     Fast SCSI Controller (FSC) support did not properly     check command buffer length, which allowed local guest     OS administrators to cause a denial of service     (out-of-bounds write and QEMU process crash) or     potentially execute arbitrary code on the host via     unspecified vectors (bsc#980716)

  - CVE-2016-3710: The VGA module improperly performed     bounds checking on banked access to video memory, which     allowed local guest OS administrators to execute     arbitrary code on the host by changing access modes     after setting the bank register, aka the 'Dark Portal'     issue (bsc#978164)

  - CVE-2016-3960: Integer overflow in the x86 shadow     pagetable code allowed local guest OS users to cause a     denial of service (host crash) or possibly gain     privileges by shadowing a superpage mapping (bsc#974038)

  - CVE-2016-4037: The ehci_advance_state function in     hw/usb/hcd-ehci.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) via a circular split isochronous transfer     descriptor (siTD) list (bsc#976111)

  - CVE-2016-4020: The patch_instruction function did not     initialize the imm32 variable, which allowed local guest     OS administrators to obtain sensitive information from     host stack memory by accessing the Task Priority     Register (TPR) (bsc#975907)

  - CVE-2016-4001: Buffer overflow in the     stellaris_enet_receive function, when the Stellaris     ethernet controller is configured to accept large     packets, allowed remote attackers to cause a denial of     service (QEMU crash) via a large packet (bsc#975130)

  - CVE-2016-4002: Buffer overflow in the mipsnet_receive     function, when the guest NIC is configured to accept     large packets, allowed remote attackers to cause a     denial of service (memory corruption and QEMU crash) or     possibly execute arbitrary code via a packet larger than     1514 bytes (bsc#975138)

  - CVE-2016-3158: The xrstor function did not properly     handle writes to the hardware FSW.ES bit when running on     AMD64 processors, which allowed local guest OS users to     obtain sensitive register content information from     another guest by leveraging pending exception and mask     bits (bsc#973188)

  - CVE-2016-3159: The fpu_fxrstor function in     arch/x86/i387.c did not properly handle writes to the     hardware FSW.ES bit when running on AMD64 processors,     which allowed local guest OS users to obtain sensitive     register content information from another guest by     leveraging pending exception and mask bits (bsc#973188)

  - CVE-2016-4480: The guest_walk_tables function in     arch/x86/mm/guest_walk.c in Xen did not properly handle     the Page Size (PS) page table entry bit at the L4 and L3     page table levels, which might have allowed local guest     OS users to gain privileges via a crafted mapping of     memory (bsc#978295)

These non-security issues were fixed :

  - boo#991934: xen hypervisor crash in csched_acct 

  - boo#992224: [HPS Bug] During boot of Xen Hypervisor,     Failed to get contiguous memory for DMA from Xen 

  - boo#970135: new virtualization project clock test     randomly fails on Xen 

  - boo#971949 xl: Support (by ignoring) xl migrate --live.
    xl migrations are always live 

  - boo#990970: Add PMU support for Intel E7-8867 v4 (fam=6,     model=79) 

  - boo#985503: vif-route broken 

  - boo#978413: PV guest upgrade from sles11sp4 to sles12sp2     alpha3 failed on sles11sp4 xen host

  - boo#986586: out of memory (oom) during boot on 'modprobe     xenblk' (non xen kernel) 

  - boo#953339, boo#953362, boo#953518, boo#984981)     boo#953339, boo#953362, boo#953518, boo#984981:
    Implement SUSE specific unplug protocol for emulated PCI     devices in PVonHVM guests to qemu-xen-upstream 

  - boo#958848: HVM guest crash at /usr/src/packages/BUILD/     xen-4.4.2-testing/obj/default/balloon/balloon.c:407 

  - boo#982695: xen-4.5.2 qemu fails to boot HVM guest from     xvda 

  - boo#954872: script block-dmmd not working as expected 

  - boo#961600: L3: poor performance when Xen HVM domU     configured with max memory greater than current memory 

  - boo#979035: restore xm migrate fixes for boo#955399/     boo#955399 

  - boo#963161: Windows VM getting stuck during load while a     VF is assigned to it after upgrading to latest     maintenance updates boo#963161

  - boo#976058: Xen error running simple HVM guest (Post     Alpha 2 xen+qemu) 

  - boo#973631: AWS EC2 kdump issue 

  - boo#961100: Migrate a fv guest from sles12 to sles12sp1     on xen fails for 'Domain is not running on destination     host'. 

  - boo#964427: Discarding device blocks: failed -     Input/output error

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2016-7092: The get_page_from_l3e function in     arch/x86/mm.c in Xen allowed local 32-bit PV guest OS     administrators to gain host OS privileges via vectors     related to L3 recursive pagetables (bsc#995785).

  - CVE-2016-7093: Xen allowed local HVM guest OS     administrators to overwrite hypervisor memory and     consequently gain host OS privileges by leveraging     mishandling of instruction pointer truncation during     emulation (bsc#995789).

  - CVE-2016-7094: Buffer overflow in Xen allowed local x86     HVM guest OS administrators on guests running with     shadow paging to cause a denial of service via a     pagetable update (bsc#995792).

  - CVE-2016-6836: Information leakage in     vmxnet3_complete_packet (bsc#994761).

  - CVE-2016-6888: Integer overflow in packet initialisation     in VMXNET3 device driver. Aprivileged user inside guest     c... (bsc#994772).

  - CVE-2016-6833: Use after free while writing     (bsc#994775).

  - CVE-2016-6835: Buffer overflow in     vmxnet_tx_pkt_parse_headers() in vmxnet3     deviceemulation. (bsc#994625).

  - CVE-2016-6834: An infinite loop during packet     fragmentation (bsc#994421).

  - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in     Xen allowed local 32-bit PV guest OS administrators to     gain host OS privileges by leveraging fast-paths for     updating pagetable entries (bsc#988675).

  - CVE-2016-6259: Xen did not implement Supervisor Mode     Access Prevention (SMAP) whitelisting in 32-bit     exception and event delivery, which allowed local 32-bit     PV guest OS kernels to cause a denial of service     (hypervisor and VM crash) by triggering a safety check     (bsc#988676).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201609-01 (QEMU: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in QEMU. Please review the       CVE identifiers referenced below for details.
  Impact :

    Local users within a guest QEMU environment can execute arbitrary code       within the host or a cause a Denial of Service condition of the QEMU       guest process.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
119310	Debian DLA-1599-1 : qemu security update	Nessus	Debian Local Security Checks	critical
96782	Fedora 24 : 2:qemu (2017-12394e2cc7)	Nessus	Fedora Local Security Checks	medium
96677	Fedora 25 : 2:qemu (2017-b953d4d3a4)	Nessus	Fedora Local Security Checks	medium
94758	SUSE SLES12 Security Update : qemu (SUSE-SU-2016:2781-1)	Nessus	SuSE Local Security Checks	medium
94669	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : qemu, qemu-kvm vulnerabilities (USN-3125-1)	Nessus	Ubuntu Local Security Checks	critical
94309	openSUSE Security Update : qemu (openSUSE-2016-1234)	Nessus	SuSE Local Security Checks	medium
94277	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:2589-1)	Nessus	SuSE Local Security Checks	medium
94269	SUSE SLES12 Security Update : xen (SUSE-SU-2016:2533-1) (Bunker Buster)	Nessus	SuSE Local Security Checks	high
94038	SUSE SLES11 Security Update : xen (SUSE-SU-2016:2507-1) (Bunker Buster)	Nessus	SuSE Local Security Checks	high
94000	openSUSE Security Update : xen (openSUSE-2016-1170) (Bunker Buster)	Nessus	SuSE Local Security Checks	high
93999	openSUSE Security Update : xen (openSUSE-2016-1169) (Bunker Buster)	Nessus	SuSE Local Security Checks	high
93935	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:2473-1) (Bunker Buster)	Nessus	SuSE Local Security Checks	high
93697	GLSA-201609-01 : QEMU: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium

CVE-2016-6836

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins