http://git.qemu.org/?p=qemu.git;a=commit;h=070c4b92b8cd5390889716677a0b92444d6e087a

openSUSE-SU-2016:3237

[oss-security] 20161003 CVE request Qemu: net: Infinite loop in mcf_fec_do_tx

[oss-security] 20161003 Re: CVE request Qemu: net: Infinite loop in mcf_fec_do_tx

93273

[debian-lts-announce] 20181130 [SECURITY] [DLA 1599-1] qemu security update

[qemu-devel] 20160922 [PATCH v2] net: mcf: limit buffer descriptor count

GLSA-201611-11

Several vulnerabilities were found in QEMU, a fast processor emulator :

CVE-2016-2391

Zuozhi Fzz discovered that eof_times in USB OHCI emulation support could be used to cause a denial of service, via a NULL pointer dereference.

CVE-2016-2392 / CVE-2016-2538

Qinghao Tang found a NULL pointer dereference and multiple integer overflows in the USB Net device support that could allow local guest OS administrators to cause a denial of service. These issues related to remote NDIS control message handling.

CVE-2016-2841

Yang Hongke reported an infinite loop vulnerability in the NE2000 NIC emulation support.

CVE-2016-2857

Liu Ling found a flaw in QEMU IP checksum routines. Attackers could take advantage of this issue to cause QEMU to crash.

CVE-2016-2858

Arbitrary stack based allocation in the Pseudo Random Number Generator (PRNG) back-end support.

CVE-2016-4001 / CVE-2016-4002

Oleksandr Bazhaniuk reported buffer overflows in the Stellaris and the MIPSnet ethernet controllers emulation. Remote malicious users could use these issues to cause QEMU to crash.

CVE-2016-4020

Donghai Zdh reported that QEMU incorrectly handled the access to the Task Priority Register (TPR), allowing local guest OS administrators to obtain sensitive information from host stack memory.

CVE-2016-4037

Du Shaobo found an infinite loop vulnerability in the USB EHCI emulation support.

CVE-2016-4439 / CVE-2016-4441 / CVE-2016-5238 / CVE-2016-5338 / CVE-2016-6351

Li Qiang found different issues in the QEMU 53C9X Fast SCSI Controller (FSC) emulation support, that made it possible for local guest OS privileged users to cause denials of service or potentially execute arbitrary code.

CVE-2016-4453 / CVE-2016-4454

Li Qiang reported issues in the QEMU VMWare VGA module handling, that may be used to cause QEMU to crash, or to obtain host sensitive information.

CVE-2016-4952 / CVE-2016-7421 / CVE-2016-7156

Li Qiang reported flaws in the VMware paravirtual SCSI bus emulation support. These issues concern an out-of-bounds access and infinite loops, that allowed local guest OS privileged users to cause a denial of service.

CVE-2016-5105 / CVE-2016-5106 / CVE-2016-5107 / CVE-2016-5337

Li Qiang discovered several issues in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. These issues include stack information leakage while reading configuration and out-of-bounds write and read.

CVE-2016-6834

Li Qiang reported an infinite loop vulnerability during packet fragmentation in the network transport abstraction layer support.
Local guest OS privileged users could made use of this flaw to cause a denial of service.

CVE-2016-6836 / CVE-2016-6888

Li Qiang found issues in the VMWare VMXNET3 network card emulation support, relating to information leak and integer overflow in packet initialisation.

CVE-2016-7116

Felix Wilhel discovered a directory traversal flaw in the Plan 9 File System (9pfs), exploitable by local guest OS privileged users.

CVE-2016-7155

Tom Victor and Li Qiang reported an out-of-bounds read and an infinite loop in the VMware paravirtual SCSI bus emulation support.

CVE-2016-7161

Hu Chaojian reported a heap overflow in the xlnx.xps-ethernetlite emulation support. Privileged users in local guest OS could made use of this to cause QEMU to crash.

CVE-2016-7170

Qinghao Tang and Li Qiang reported a flaw in the QEMU VMWare VGA module, that could be used by privileged user in local guest OS to cause QEMU to crash via an out-of-bounds stack memory access.

CVE-2016-7908 / CVE-2016-7909

Li Qiang reported infinite loop vulnerabilities in the ColdFire Fast Ethernet Controller and the AMD PC-Net II (Am79C970A) emulations.
These flaws allowed local guest OS administrators to cause a denial of service.

CVE-2016-8909

Huawei PSIRT found an infinite loop vulnerability in the Intel HDA emulation support, relating to DMA buffer stream processing.
Privileged users in local guest OS could made use of this to cause a denial of service.

CVE-2016-8910

Andrew Henderson reported an infinite loop in the RTL8139 ethernet controller emulation support. Privileged users inside a local guest OS could made use of this to cause a denial of service.

CVE-2016-9101

Li Qiang reported a memory leakage in the i8255x (PRO100) ethernet controller emulation support.

CVE-2016-9102 / CVE-2016-9103 / CVE-2016-9104 / CVE-2016-9105 / CVE-2016-9106 / CVE-2016-8577 / CVE-2016-8578

Li Qiang reported various Plan 9 File System (9pfs) security issues, including host memory leakage and denial of service.

CVE-2017-10664

Denial of service in the qemu-nbd (QEMU Disk Network Block Device) Server.

CVE-2018-10839 / CVE-2018-17962 / CVE-2018-17963

Daniel Shapira reported several integer overflows in the packet handling in ethernet controllers emulated by QEMU. These issues could lead to denial of service.

For Debian 8 'Jessie', these problems have been fixed in version 1:2.1+dfsg-12+deb8u8.

We recommend that you upgrade your qemu packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This updates xen to version 4.4.4_06 to fix the following issues :

  - An unprivileged user in a guest could gain guest could     escalate privilege to that of the guest kernel, if it     had could invoke the instruction emulator. Only 64-bit     x86 HVM guest were affected. Linux guest have not been     vulnerable. (boo#1016340, CVE-2016-10013)

  - An unprivileged user in a 64 bit x86 guest could gain     information from the host, crash the host or gain     privilege of the host (boo#1009107, CVE-2016-9383)

  - An unprivileged guest process could (unintentionally or     maliciously) obtain or ocorrupt sensitive information of     other programs in the same guest. Only x86 HVM guests     have been affected. The attacker needs to be able to     trigger the Xen instruction emulator. (boo#1000106,     CVE-2016-7777)

  - A guest on x86 systems could read small parts of     hypervisor stack data (boo#1012651, CVE-2016-9932)

  - A malicious guest kernel could hang or crash the host     system (boo#1014298, CVE-2016-10024)

  - A malicious guest administrator could escalate their     privilege to that of the host. Only affects x86 HVM     guests using qemu older version 1.6.0 or using the     qemu-xen-traditional. (boo#1011652, CVE-2016-9637)

  - An unprivileged guest user could escalate privilege to     that of the guest administrator on x86 HVM guests,     especially on Intel CPUs (boo#1009100, CVE-2016-9386)

  - An unprivileged guest user could escalate privilege to     that of the guest administrator (on AMD CPUs) or crash     the system (on Intel CPUs) on 32-bit x86 HVM guests.
    Only guest operating systems that allowed a new task to     start in VM86 mode were affected. (boo#1009103,     CVE-2016-9382)

  - A malicious guest administrator could crash the host on     x86 PV guests only (boo#1009104, CVE-2016-9385)

  - A malicious guest administrator could get privilege of     the host emulator process on x86 HVM guests.
    (boo#1009109, CVE-2016-9381)

  - A vulnerability in pygrub allowed a malicious guest     administrator to obtain the contents of sensitive host     files, or even delete those files (boo#1009111,     CVE-2016-9379, CVE-2016-9380)

  - A privileged guest user could cause an infinite loop in     the RTL8139 ethernet emulation to consume CPU cycles on     the host, causing a DoS situation (boo#1007157,     CVE-2016-8910)

  - A privileged guest user could cause an infinite loop in     the intel-hda sound emulation to consume CPU cycles on     the host, causing a DoS situation (boo#1007160,     CVE-2016-8909)

  - A privileged guest user could cause a crash of the     emulator process on the host by exploiting a divide by     zero vulnerability of the JAZZ RC4030 chipset emulation     (boo#1005004 CVE-2016-8667)

  - A privileged guest user could cause a crash of the     emulator process on the host by exploiting a divide by     zero issue of the 16550A UART emulation (boo#1005005,     CVE-2016-8669)

  - A privileged guest user could cause an infinite loop in     the USB xHCI emulation, causing a DoS situation on the     host (boo#1004016, CVE-2016-8576)

  - A privileged guest user could cause an infinite loop in     the ColdFire Fash Ethernet Controller emulation, causing     a DoS situation on the host (boo#1003030, CVE-2016-7908)

  - A privileged guest user could cause an infinite loop in     the AMD PC-Net II emulation, causing a DoS situation on     the host (boo#1003032, CVE-2016-7909)

  - Cause a reload of clvm in the block-dmmd script to avoid     a blocking lvchange call (boo#1002496)

  - Also unplug SCSI disks in qemu-xen-traditional for     upstream unplug protocol. Before a single SCSI storage     devices added to HVM guests could appear multiple times     in the guest. (boo#953518)

  - Fix a kernel panic / black screen when trying to boot a     XEN kernel on some UEFI firmwares (boo#1000195)

This updates xen to version 4.5.5 to fix the following issues :

  - An unprivileged user in a guest could gain guest could     escalate privilege to that of the guest kernel, if it     had could invoke the instruction emulator. Only 64-bit     x86 HVM guest were affected. Linux guest have not been     vulnerable. (boo#1016340, CVE-2016-10013)

  - An unprivileged user in a 64 bit x86 guest could gain     information from the host, crash the host or gain     privilege of the host (boo#1009107, CVE-2016-9383)

  - An unprivileged guest process could (unintentionally or     maliciously) obtain or ocorrupt sensitive information of     other programs in the same guest. Only x86 HVM guests     have been affected. The attacker needs to be able to     trigger the Xen instruction emulator. (boo#1000106,     CVE-2016-7777)

  - A guest on x86 systems could read small parts of     hypervisor stack data (boo#1012651, CVE-2016-9932)

  - A malicious guest kernel could hang or crash the host     system (boo#1014298, CVE-2016-10024)

  - The epro100 emulated network device caused a memory leak     in the host when unplugged in the guest. A privileged     user in the guest could use this to cause a DoS on the     host or potentially crash the guest process on the host     (boo#1013668, CVE-2016-9101)

  - The ColdFire Fast Ethernet Controller was vulnerable to     an infinite loop that could be trigged by a privileged     user in the guest, leading to DoS (boo#1013657,     CVE-2016-9776)

  - A malicious guest administrator could escalate their     privilege to that of the host. Only affects x86 HVM     guests using qemu older version 1.6.0 or using the     qemu-xen-traditional. (boo#1011652, CVE-2016-9637)

  - An unprivileged guest user could escalate privilege to     that of the guest administrator on x86 HVM guests,     especially on Intel CPUs (boo#1009100, CVE-2016-9386)

  - An unprivileged guest user could escalate privilege to     that of the guest administrator (on AMD CPUs) or crash     the system (on Intel CPUs) on 32-bit x86 HVM guests.
    Only guest operating systems that allowed a new task to     start in VM86 mode were affected. (boo#1009103,     CVE-2016-9382)

  - A malicious guest administrator could crash the host on     x86 PV guests only (boo#1009104, CVE-2016-9385)

  - An unprivileged guest user was able to crash the guest.
    (boo#1009108, CVE-2016-9377, CVE-2016-9378)

  - A malicious guest administrator could get privilege of     the host emulator process on x86 HVM guests.
    (boo#1009109, CVE-2016-9381)

  - A vulnerability in pygrub allowed a malicious guest     administrator to obtain the contents of sensitive host     files, or even delete those files (boo#1009111,     CVE-2016-9379, CVE-2016-9380)

  - A privileged guest user could cause an infinite loop in     the RTL8139 ethernet emulation to consume CPU cycles on     the host, causing a DoS situation (boo#1007157,     CVE-2016-8910)

  - A privileged guest user could cause an infinite loop in     the intel-hda sound emulation to consume CPU cycles on     the host, causing a DoS situation (boo#1007160,     CVE-2016-8909)

  - A privileged guest user could cause a crash of the     emulator process on the host by exploiting a divide by     zero vulnerability of the JAZZ RC4030 chipset emulation     (boo#1005004 CVE-2016-8667)

  - A privileged guest user could cause a crash of the     emulator process on the host by exploiting a divide by     zero issue of the 16550A UART emulation (boo#1005005,     CVE-2016-8669)

  - A privileged guest user could cause a memory leak in the     USB EHCI emulation, causing a DoS situation on the host     (boo#1003870, CVE-2016-7995)

  - A privileged guest user could cause an infinite loop in     the USB xHCI emulation, causing a DoS situation on the     host (boo#1004016, CVE-2016-8576)

  - A privileged guest user could cause an infinite loop in     the ColdFire Fash Ethernet Controller emulation, causing     a DoS situation on the host (boo#1003030, CVE-2016-7908)

  - A privileged guest user could cause an infinite loop in     the AMD PC-Net II emulation, causing a DoS situation on     the host (boo#1003032, CVE-2016-7909)

  - Cause a reload of clvm in the block-dmmd script to avoid     a blocking lvchange call (boo#1002496)

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2016-9637: ioport array overflow allowing a     malicious guest administrator can escalate their     privilege to that of the host (bsc#1011652)

  - CVE-2016-9386: x86 null segments were not always treated     as unusable allowing an unprivileged guest user program     to elevate its privilege to that of the guest operating     system. Exploit of this vulnerability is easy on Intel     and more complicated on AMD (bsc#1009100)

  - CVE-2016-9382: x86 task switch to VM86 mode was     mis-handled, allowing a unprivileged guest process to     escalate its privilege to that of the guest operating     system on AMD hardware. On Intel hardware a malicious     unprivileged guest process can crash the guest     (bsc#1009103)

  - CVE-2016-9383: The x86 64-bit bit test instruction     emulation was broken, allowing a guest to modify     arbitrary memory leading to arbitray code execution     (bsc#1009107)

  - CVE-2016-9381: Improper processing of shared rings     allowing guest administrators take over the qemu     process, elevating their privilege to that of the qemu     process (bsc#1009109)

  - CVE-2016-9380: Delimiter injection vulnerabilities in     pygrub allowed guest administrators to obtain the     contents of sensitive host files or delete the files     (bsc#1009111)

  - CVE-2016-9379: Delimiter injection vulnerabilities in     pygrub allowed guest administrators to obtain the     contents of sensitive host files or delete the files     (bsc#1009111)

  - CVE-2016-7777: Xen did not properly honor CR0.TS and     CR0.EM, which allowed local x86 HVM guest OS users to     read or modify FPU, MMX, or XMM register state     information belonging to arbitrary tasks on the guest by     modifying an instruction while the hypervisor is     preparing to emulate it (bsc#1000106)

  - CVE-2016-8910: The rtl8139_cplus_transmit function in     hw/net/rtl8139.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) by leveraging failure to limit the ring     descriptor count (bsc#1007157)

  - CVE-2016-8909: The intel_hda_xfer function in     hw/audio/intel-hda.c allowed local guest OS     administrators to cause a denial of service (infinite     loop and CPU consumption) via an entry with the same     value for buffer length and pointer position     (bsc#1007160)

  - CVE-2016-8667: The rc4030_write function in     hw/dma/rc4030.c in allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via a large interval timer reload     value (bsc#1005004)

  - CVE-2016-8669: The serial_update_parameters function in     hw/char/serial.c allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via vectors involving a value of     divider greater than baud base (bsc#1005005)

  - CVE-2016-7908: The mcf_fec_do_tx function in     hw/net/mcf_fec.c did not properly limit the buffer     descriptor count when transmitting packets, which     allowed local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of 0     and crafted values in bd.flags (bsc#1003030)

  - CVE-2016-7909: The pcnet_rdra_addr function in     hw/net/pcnet.c allowed local guest OS administrators to     cause a denial of service (infinite loop and QEMU     process crash) by setting the (1) receive or (2)     transmit descriptor ring length to 0 (bsc#1003032)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu to version 2.6.2 fixes the several issues.

These security issues were fixed :

  - CVE-2016-7161: Heap-based buffer overflow in the     .receive callback of xlnx.xps-ethernetlite in QEMU (aka     Quick Emulator) allowed attackers to execute arbitrary     code on the QEMU host via a large ethlite packet     (bsc#1001151).

  - CVE-2016-7170: OOB stack memory access when processing     svga command (bsc#998516).

  - CVE-2016-7466: xhci memory leakage during device unplug     (bsc#1000345).

  - CVE-2016-7422: NULL pointer dereference in     virtqueu_map_desc (bsc#1000346).

  - CVE-2016-7908: The mcf_fec_do_tx function in     hw/net/mcf_fec.c did not properly limit the buffer     descriptor count when transmitting packets, which     allowed local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of 0     and crafted values in bd.flags (bsc#1002550).

  - CVE-2016-7995: Memory leak in ehci_process_itd     (bsc#1003612).

  - CVE-2016-8576: The xhci_ring_fetch function in     hw/usb/hcd-xhci.c allowed local guest OS administrators     to cause a denial of service (infinite loop and QEMU     process crash) by leveraging failure to limit the number     of link Transfer Request Blocks (TRB) to process     (bsc#1003878).

  - CVE-2016-8578: The v9fs_iov_vunmarshal function in     fsdev/9p-iov-marshal.c allowed local guest OS     administrators to cause a denial of service (NULL     pointer dereference and QEMU process crash) by sending     an empty string parameter to a 9P operation     (bsc#1003894).

  - CVE-2016-9105: Memory leakage in v9fs_link     (bsc#1007494).

  - CVE-2016-8577: Memory leak in the v9fs_read function in     hw/9pfs/9p.c allowed local guest OS administrators to     cause a denial of service (memory consumption) via     vectors related to an I/O read operation (bsc#1003893).

  - CVE-2016-9106: Memory leakage in v9fs_write     (bsc#1007495).

  - CVE-2016-8669: The serial_update_parameters function in     hw/char/serial.c allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via vectors involving a value of     divider greater than baud base (bsc#1004707).

  - CVE-2016-7909: The pcnet_rdra_addr function in     hw/net/pcnet.c allowed local guest OS administrators to     cause a denial of service (infinite loop and QEMU     process crash) by setting the (1) receive or (2)     transmit descriptor ring length to 0 (bsc#1002557).

  - CVE-2016-9101: eepro100 memory leakage whern unplugging     a device (bsc#1007391).

  - CVE-2016-8668: The rocker_io_writel function in     hw/net/rocker/rocker.c allowed local guest OS     administrators to cause a denial of service     (out-of-bounds read and QEMU process crash) by     leveraging failure to limit DMA buffer size     (bsc#1004706).

  - CVE-2016-8910: The rtl8139_cplus_transmit function in     hw/net/rtl8139.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) by leveraging failure to limit the ring     descriptor count (bsc#1006538).

  - CVE-2016-8909: The intel_hda_xfer function in     hw/audio/intel-hda.c allowed local guest OS     administrators to cause a denial of service (infinite     loop and CPU consumption) via an entry with the same     value for buffer length and pointer position     (bsc#1006536).

  - CVE-2016-7994: Memory leak in     virtio_gpu_resource_create_2d (bsc#1003613).

  - CVE-2016-9104: Integer overflow leading to OOB access in     9pfs (bsc#1007493).

  - CVE-2016-8667: The rc4030_write function in     hw/dma/rc4030.c allowed local guest OS administrators to     cause a denial of service (divide-by-zero error and QEMU     process crash) via a large interval timer reload value     (bsc#1004702).

  - CVE-2016-7907: The pcnet_rdra_addr function in     hw/net/pcnet.c allowed local guest OS administrators to     cause a denial of service (infinite loop and QEMU     process crash) by setting the (1) receive or (2)     transmit descriptor ring length to 0 (bsc#1002549).

These non-security issues were fixed :

  - Change kvm-supported.txt to be per-architecture     documentation, stored in the package documentation     directory of each per-arch package (bsc#1005353).

  - Update support doc to include current ARM64 (AArch64)     support stance (bsc#1005374).

  - Fix migration failure when snapshot also has been done     (bsc#1008148).

  - Change package post script udevadm trigger calls to be     device specific (bsc#1002116).

  - Add qmp-commands.txt documentation file back in. It was     inadvertently dropped.

  - Add an x86 cpu option (l3-cache) to specify that an L3     cache is present and another option (cpuid-0xb) to     enable the cpuid 0xb leaf (bsc#1007769).

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2016-9637: ioport array overflow allowing a     malicious guest administrator can escalate their     privilege to that of the host (bsc#1011652)

  - CVE-2016-9386: x86 null segments were not always treated     as unusable allowing an unprivileged guest user program     to elevate its privilege to that of the guest operating     system. Exploit of this vulnerability is easy on Intel     and more complicated on AMD (bsc#1009100)

  - CVE-2016-9382: x86 task switch to VM86 mode was     mis-handled, allowing a unprivileged guest process to     escalate its privilege to that of the guest operating     system on AMD hardware. On Intel hardware a malicious     unprivileged guest process can crash the guest     (bsc#1009103)

  - CVE-2016-9385: x86 segment base write emulation lacked     canonical address checks, allowing a malicious guest     administrator to crash the host (bsc#1009104)

  - CVE-2016-9383: The x86 64-bit bit test instruction     emulation was broken, allowing a guest to modify     arbitrary memory leading to arbitray code execution     (bsc#1009107)

  - CVE-2016-9381: Improper processing of shared rings     allowing guest administrators take over the qemu     process, elevating their privilege to that of the qemu     process (bsc#1009109)

  - CVE-2016-9380: Delimiter injection vulnerabilities in     pygrub allowed guest administrators to obtain the     contents of sensitive host files or delete the files     (bsc#1009111)

  - CVE-2016-9379: Delimiter injection vulnerabilities in     pygrub allowed guest administrators to obtain the     contents of sensitive host files or delete the files     (bsc#1009111)

  - CVE-2016-7777: Xen did not properly honor CR0.TS and     CR0.EM, which allowed local x86 HVM guest OS users to     read or modify FPU, MMX, or XMM register state     information belonging to arbitrary tasks on the guest by     modifying an instruction while the hypervisor is     preparing to emulate it (bsc#1000106)

  - CVE-2016-8910: The rtl8139_cplus_transmit function in     hw/net/rtl8139.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) by leveraging failure to limit the ring     descriptor count (bsc#1007157)

  - CVE-2016-8909: The intel_hda_xfer function in     hw/audio/intel-hda.c allowed local guest OS     administrators to cause a denial of service (infinite     loop and CPU consumption) via an entry with the same     value for buffer length and pointer position     (bsc#1007160)

  - CVE-2016-8667: The rc4030_write function in     hw/dma/rc4030.c in allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via a large interval timer reload     value (bsc#1005004)

  - CVE-2016-8669: The serial_update_parameters function in     hw/char/serial.c allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via vectors involving a value of     divider greater than baud base (bsc#1005005)

  - CVE-2016-8576: The xhci_ring_fetch function in     hw/usb/hcd-xhci.c allowed local guest OS administrators     to cause a denial of service (infinite loop and QEMU     process crash) by leveraging failure to limit the number     of link Transfer Request Blocks (TRB) to process     (bsc#1004016)

  - CVE-2016-7908: The mcf_fec_do_tx function in     hw/net/mcf_fec.c did not properly limit the buffer     descriptor count when transmitting packets, which     allowed local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of 0     and crafted values in bd.flags (bsc#1003030)

  - CVE-2016-7909: The pcnet_rdra_addr function in     hw/net/pcnet.c allowed local guest OS administrators to     cause a denial of service (infinite loop and QEMU     process crash) by setting the (1) receive or (2)     transmit descriptor ring length to 0 (bsc#1003032)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to version 4.7.1 to fix 17 security issues.

These security issues were fixed :

  - CVE-2016-9637: ioport array overflow allowing a     malicious guest administrator can escalate their     privilege to that of the host (bsc#1011652).

  - CVE-2016-9386: x86 null segments were not always treated     as unusable allowing an unprivileged guest user program     to elevate its privilege to that of the guest operating     system. Exploit of this vulnerability is easy on Intel     and more complicated on AMD (bsc#1009100).

  - CVE-2016-9382: x86 task switch to VM86 mode was     mis-handled, allowing a unprivileged guest process to     escalate its privilege to that of the guest operating     system on AMD hardware. On Intel hardware a malicious     unprivileged guest process can crash the guest     (bsc#1009103).

  - CVE-2016-9385: x86 segment base write emulation lacked     canonical address checks, allowing a malicious guest     administrator to crash the host (bsc#1009104).

  - CVE-2016-9384: Guest 32-bit ELF symbol table load     leaking host data to unprivileged guest users     (bsc#1009105).

  - CVE-2016-9383: The x86 64-bit bit test instruction     emulation was broken, allowing a guest to modify     arbitrary memory leading to arbitray code execution     (bsc#1009107).

  - CVE-2016-9377: x86 software interrupt injection was     mis-handled, allowing an unprivileged guest user to     crash the guest (bsc#1009108).

  - CVE-2016-9378: x86 software interrupt injection was     mis-handled, allowing an unprivileged guest user to     crash the guest (bsc#1009108)

  - CVE-2016-9381: Improper processing of shared rings     allowing guest administrators take over the qemu     process, elevating their privilege to that of the qemu     process (bsc#1009109).

  - CVE-2016-9379: Delimiter injection vulnerabilities in     pygrub allowed guest administrators to obtain the     contents of sensitive host files or delete the files     (bsc#1009111).

  - CVE-2016-9380: Delimiter injection vulnerabilities in     pygrub allowed guest administrators to obtain the     contents of sensitive host files or delete the files     (bsc#1009111).

  - CVE-2016-7777: Xen did not properly honor CR0.TS and     CR0.EM, which allowed local x86 HVM guest OS users to     read or modify FPU, MMX, or XMM register state     information belonging to arbitrary tasks on the guest by     modifying an instruction while the hypervisor is     preparing to emulate it (bsc#1000106).

  - CVE-2016-8910: The rtl8139_cplus_transmit function in     hw/net/rtl8139.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) by leveraging failure to limit the ring     descriptor count (bsc#1007157).

  - CVE-2016-8667: The rc4030_write function in     hw/dma/rc4030.c in allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via a large interval timer reload     value (bsc#1005004).

  - CVE-2016-8669: The serial_update_parameters function in     hw/char/serial.c allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via vectors involving a value of     divider greater than baud base (bsc#1005005).

  - CVE-2016-7908: The mcf_fec_do_tx function in     hw/net/mcf_fec.c did not properly limit the buffer     descriptor count when transmitting packets, which     allowed local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of 0     and crafted values in bd.flags (bsc#1003030).

  - CVE-2016-7909: The pcnet_rdra_addr function in     hw/net/pcnet.c allowed local guest OS administrators to     cause a denial of service (infinite loop and QEMU     process crash) by setting the (1) receive or (2)     transmit descriptor ring length to 0 (bsc#1003032).

These non-security issues were fixed :

  - bsc#1004981: Xen RPM didn't contain debug hypervisor for     EFI systems

  - bsc#1007941: Xen tools limited the number of vcpus to     256 

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for xen to version 4.5.5 fixes several issues. These security issues were fixed :

  - CVE-2016-9637: ioport array overflow allowing a     malicious guest administrator can escalate their     privilege to that of the host (bsc#1011652)

  - CVE-2016-9386: x86 null segments were not always treated     as unusable allowing an unprivileged guest user program     to elevate its privilege to that of the guest operating     system. Exploit of this vulnerability is easy on Intel     and more complicated on AMD (bsc#1009100)

  - CVE-2016-9382: x86 task switch to VM86 mode was     mis-handled, allowing a unprivileged guest process to     escalate its privilege to that of the guest operating     system on AMD hardware. On Intel hardware a malicious     unprivileged guest process can crash the guest     (bsc#1009103)

  - CVE-2016-9385: x86 segment base write emulation lacked     canonical address checks, allowing a malicious guest     administrator to crash the host (bsc#1009104)

  - CVE-2016-9383: The x86 64-bit bit test instruction     emulation was broken, allowing a guest to modify     arbitrary memory leading to arbitray code execution     (bsc#1009107)

  - CVE-2016-9378: x86 software interrupt injection was     mis-handled, allowing an unprivileged guest user to     crash the guest (bsc#1009108)

  - CVE-2016-9377: x86 software interrupt injection was     mis-handled, allowing an unprivileged guest user to     crash the guest (bsc#1009108)

  - CVE-2016-9381: Improper processing of shared rings     allowing guest administrators take over the qemu     process, elevating their privilege to that of the qemu     process (bsc#1009109)

  - CVE-2016-9380: Delimiter injection vulnerabilities in     pygrub allowed guest administrators to obtain the     contents of sensitive host files or delete the files     (bsc#1009111)

  - CVE-2016-9379: Delimiter injection vulnerabilities in     pygrub allowed guest administrators to obtain the     contents of sensitive host files or delete the files     (bsc#1009111)

  - CVE-2016-7777: Xen did not properly honor CR0.TS and     CR0.EM, which allowed local x86 HVM guest OS users to     read or modify FPU, MMX, or XMM register state     information belonging to arbitrary tasks on the guest by     modifying an instruction while the hypervisor is     preparing to emulate it (bsc#1000106)

  - CVE-2016-8910: The rtl8139_cplus_transmit function in     hw/net/rtl8139.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) by leveraging failure to limit the ring     descriptor count (bsc#1007157)

  - CVE-2016-8909: The intel_hda_xfer function in     hw/audio/intel-hda.c allowed local guest OS     administrators to cause a denial of service (infinite     loop and CPU consumption) via an entry with the same     value for buffer length and pointer position     (bsc#1007160).

  - CVE-2016-8667: The rc4030_write function in     hw/dma/rc4030.c in allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via a large interval timer reload     value (bsc#1005004)

  - CVE-2016-8669: The serial_update_parameters function in     hw/char/serial.c allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via vectors involving a value of     divider greater than baud base (bsc#1005005)

  - CVE-2016-7995: A memory leak in ehci_process_itd allowed     a privileged user inside guest to DoS the host     (bsc#1003870).

  - CVE-2016-8576: The xhci_ring_fetch function in     hw/usb/hcd-xhci.c allowed local guest OS administrators     to cause a denial of service (infinite loop and QEMU     process crash) by leveraging failure to limit the number     of link Transfer Request Blocks (TRB) to process     (bsc#1004016).

  - CVE-2016-7908: The mcf_fec_do_tx function in     hw/net/mcf_fec.c did not properly limit the buffer     descriptor count when transmitting packets, which     allowed local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of 0     and crafted values in bd.flags (bsc#1003030)

  - CVE-2016-7909: The pcnet_rdra_addr function in     hw/net/pcnet.c allowed local guest OS administrators to     cause a denial of service (infinite loop and QEMU     process crash) by setting the (1) receive or (2)     transmit descriptor ring length to 0 (bsc#1003032)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

  - Patch queue updated from     https://gitlab.suse.de/virtualization/qemu.git SLE12-SP1

  - Change package post script udevadm trigger calls to be     device specific (bsc#1002116)

  - Address various security/stability issues

  - Fix OOB access in xlnx.xpx-ethernetlite emulation     (CVE-2016-7161 bsc#1001151)

  - Fix OOB access in VMware SVGA emulation (CVE-2016-7170     bsc#998516)

  - Fix DOS in USB xHCI emulation (CVE-2016-7466     bsc#1000345)

  - Fix DOS in Vmware pv scsi interface (CVE-2016-7421     bsc#999661)

  - Fix DOS in ColdFire Fast Ethernet Controller emulation     (CVE-2016-7908 bsc#1002550)

  - Fix DOS in USB xHCI emulation (CVE-2016-8576     bsc#1003878)

  - Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894)

  - Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494)

  - Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893)

  - Plug data leak in virtio-9pfs interface (CVE-2016-9103     bsc#1007454)

  - Fix DOS in virtio-9pfs interface (CVE-2016-9102     bsc#1007450)

  - Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495)

  - Fix DOS in 16550A UART emulation (CVE-2016-8669     bsc#1004707)

  - Fix DOS in PC-Net II emulation (CVE-2016-7909     bsc#1002557)

  - Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391)

  - Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)

  - Fix DOS in Intel HDA controller emulation (CVE-2016-8909     bsc#1006536)

  - Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493)

  - Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667     bsc#1004702)

  - Fix case of disk corruption with migration due to     improper internal state tracking (bsc#996524)

This update was imported from the SUSE:SLE-12-SP1:Update update project.

xen was updated to version 4.7.1 to fix 17 security issues. These security issues were fixed :

  - CVE-2016-9637: ioport array overflow allowing a     malicious guest administrator can escalate their     privilege to that of the host (bsc#1011652).

  - CVE-2016-9386: x86 null segments were not always treated     as unusable allowing an unprivileged guest user program     to elevate its privilege to that of the guest operating     system. Exploit of this vulnerability is easy on Intel     and more complicated on AMD (bsc#1009100).

  - CVE-2016-9382: x86 task switch to VM86 mode was     mis-handled, allowing a unprivileged guest process to     escalate its privilege to that of the guest operating     system on AMD hardware. On Intel hardware a malicious     unprivileged guest process can crash the guest     (bsc#1009103).

  - CVE-2016-9385: x86 segment base write emulation lacked     canonical address checks, allowing a malicious guest     administrator to crash the host (bsc#1009104).

  - CVE-2016-9384: Guest 32-bit ELF symbol table load     leaking host data to unprivileged guest users     (bsc#1009105).

  - CVE-2016-9383: The x86 64-bit bit test instruction     emulation was broken, allowing a guest to modify     arbitrary memory leading to arbitray code execution     (bsc#1009107).

  - CVE-2016-9377: x86 software interrupt injection was     mis-handled, allowing an unprivileged guest user to     crash the guest (bsc#1009108).

  - CVE-2016-9378: x86 software interrupt injection was     mis-handled, allowing an unprivileged guest user to     crash the guest (bsc#1009108)

  - CVE-2016-9381: Improper processing of shared rings     allowing guest administrators take over the qemu     process, elevating their privilege to that of the qemu     process (bsc#1009109).

  - CVE-2016-9379: Delimiter injection vulnerabilities in     pygrub allowed guest administrators to obtain the     contents of sensitive host files or delete the files     (bsc#1009111).

  - CVE-2016-9380: Delimiter injection vulnerabilities in     pygrub allowed guest administrators to obtain the     contents of sensitive host files or delete the files     (bsc#1009111).

  - CVE-2016-7777: Xen did not properly honor CR0.TS and     CR0.EM, which allowed local x86 HVM guest OS users to     read or modify FPU, MMX, or XMM register state     information belonging to arbitrary tasks on the guest by     modifying an instruction while the hypervisor is     preparing to emulate it (bsc#1000106).

  - CVE-2016-8910: The rtl8139_cplus_transmit function in     hw/net/rtl8139.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) by leveraging failure to limit the ring     descriptor count (bsc#1007157).

  - CVE-2016-8667: The rc4030_write function in     hw/dma/rc4030.c in allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via a large interval timer reload     value (bsc#1005004).

  - CVE-2016-8669: The serial_update_parameters function in     hw/char/serial.c allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via vectors involving a value of     divider greater than baud base (bsc#1005005).

  - CVE-2016-7908: The mcf_fec_do_tx function in     hw/net/mcf_fec.c did not properly limit the buffer     descriptor count when transmitting packets, which     allowed local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of 0     and crafted values in bd.flags (bsc#1003030).

  - CVE-2016-7909: The pcnet_rdra_addr function in     hw/net/pcnet.c allowed local guest OS administrators to     cause a denial of service (infinite loop and QEMU     process crash) by setting the (1) receive or (2)     transmit descriptor ring length to 0 (bsc#1003032).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to fix several security issues. These security issues were fixed :

  - CVE-2016-9637: ioport array overflow allowing a     malicious guest administrator can escalate their     privilege to that of the host (bsc#1011652).

  - CVE-2016-9386: x86 null segments were not always treated     as unusable allowing an unprivileged guest user program     to elevate its privilege to that of the guest operating     system. Exploit of this vulnerability is easy on Intel     and more complicated on AMD (bsc#1009100)

  - CVE-2016-9382: x86 task switch to VM86 mode was     mis-handled, allowing a unprivileged guest process to     escalate its privilege to that of the guest operating     system on AMD hardware. On Intel hardware a malicious     unprivileged guest process can crash the guest     (bsc#1009103)

  - CVE-2016-9383: The x86 64-bit bit test instruction     emulation was broken, allowing a guest to modify     arbitrary memory leading to arbitray code execution     (bsc#1009107)

  - CVE-2016-9381: Improper processing of shared rings     allowing guest administrators take over the qemu     process, elevating their privilege to that of the qemu     process (bsc#1009109)

  - CVE-2016-9380: Delimiter injection vulnerabilities in     pygrub allowed guest administrators to obtain the     contents of sensitive host files or delete the files     (bsc#1009111)

  - CVE-2016-9379: Delimiter injection vulnerabilities in     pygrub allowed guest administrators to obtain the     contents of sensitive host files or delete the files     (bsc#1009111)

  - CVE-2016-7777: Xen did not properly honor CR0.TS and     CR0.EM, which allowed local x86 HVM guest OS users to     read or modify FPU, MMX, or XMM register state     information belonging to arbitrary tasks on the guest by     modifying an instruction while the hypervisor is     preparing to emulate it (bsc#1000106)

  - CVE-2016-8910: The rtl8139_cplus_transmit function in     hw/net/rtl8139.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) by leveraging failure to limit the ring     descriptor count (bsc#1007157)

  - CVE-2016-8667: The rc4030_write function in     hw/dma/rc4030.c in allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via a large interval timer reload     value (bsc#1005004)

  - CVE-2016-8669: The serial_update_parameters function in     hw/char/serial.c allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via vectors involving a value of     divider greater than baud base (bsc#1005005)

  - CVE-2016-7908: The mcf_fec_do_tx function in     hw/net/mcf_fec.c did not properly limit the buffer     descriptor count when transmitting packets, which     allowed local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of 0     and crafted values in bd.flags (bsc#1003030)

  - CVE-2016-7909: The pcnet_rdra_addr function in     hw/net/pcnet.c allowed local guest OS administrators to     cause a denial of service (infinite loop and QEMU     process crash) by setting the (1) receive or (2)     transmit descriptor ring length to 0 (bsc#1003032)

  - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c,     when built with ESP/NCR53C9x controller emulation     support, allowed local guest OS administrators to cause     a denial of service (out-of-bounds write and QEMU     process crash) or execute arbitrary code on the host via     vectors involving DMA read into ESP command buffer     (bsc#990843)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

  - Patch queue updated from     https://gitlab.suse.de/virtualization/qemu.git SLE12-SP1

  - Change package post script udevadm trigger calls to be     device specific (bsc#1002116)

  - Address various security/stability issues

  - Fix OOB access in xlnx.xpx-ethernetlite emulation     (CVE-2016-7161 bsc#1001151)

  - Fix OOB access in VMware SVGA emulation (CVE-2016-7170     bsc#998516)

  - Fix DOS in USB xHCI emulation (CVE-2016-7466     bsc#1000345)

  - Fix DOS in Vmware pv scsi interface (CVE-2016-7421     bsc#999661)

  - Fix DOS in ColdFire Fast Ethernet Controller emulation     (CVE-2016-7908 bsc#1002550)

  - Fix DOS in USB xHCI emulation (CVE-2016-8576     bsc#1003878)

  - Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894)

  - Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494)

  - Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893)

  - Plug data leak in virtio-9pfs interface (CVE-2016-9103     bsc#1007454)

  - Fix DOS in virtio-9pfs interface (CVE-2016-9102     bsc#1007450)

  - Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495)

  - Fix DOS in 16550A UART emulation (CVE-2016-8669     bsc#1004707)

  - Fix DOS in PC-Net II emulation (CVE-2016-7909     bsc#1002557)

  - Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391)

  - Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)

  - Fix DOS in Intel HDA controller emulation (CVE-2016-8909     bsc#1006536)

  - Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493)

  - Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667     bsc#1004702)

  - Fix case of disk corruption with migration due to     improper internal state tracking (bsc#996524)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

  - Patch queue updated from     https://gitlab.suse.de/virtualization/qemu.git SLE12

  - Change package post script udevadm trigger calls to be     device specific (bsc#1002116)

  - Address various security/stability issues

  - Fix OOB access in xlnx.xpx-ethernetlite emulation     (CVE-2016-7161 bsc#1001151)

  - Fix OOB access in VMware SVGA emulation (CVE-2016-7170     bsc#998516)

  - Fix DOS in Vmware pv scsi interface (CVE-2016-7421     bsc#999661)

  - Fix DOS in ColdFire Fast Ethernet Controller emulation     (CVE-2016-7908 bsc#1002550)

  - Fix DOS in USB xHCI emulation (CVE-2016-8576     bsc#1003878)

  - Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894)

  - Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494)

  - Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893)

  - Plug data leak in virtio-9pfs interface (CVE-2016-9103     bsc#1007454)

  - Fix DOS in virtio-9pfs interface (CVE-2016-9102     bsc#1007450)

  - Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495)

  - Fix DOS in 16550A UART emulation (CVE-2016-8669     bsc#1004707)

  - Fix DOS in PC-Net II emulation (CVE-2016-7909     bsc#1002557)

  - Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391)

  - Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)

  - Fix DOS in Intel HDA controller emulation (CVE-2016-8909     bsc#1006536)

  - Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493)

  - Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667     bsc#1004702)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for kvm fixes the following issues :

  - Address various security/stability issues

  - Fix OOB access in xlnx.xpx-ethernetlite emulation     (CVE-2016-7161 bsc#1001151)

  - Fix OOB access in VMware SVGA emulation (CVE-2016-7170     bsc#998516)

  - Fix DOS in ColdFire Fast Ethernet Controller emulation     (CVE-2016-7908 bsc#1002550)

  - Fix DOS in USB xHCI emulation (CVE-2016-8576     bsc#1003878)

  - Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894)

  - Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494)

  - Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893)

  - Plug data leak in virtio-9pfs interface (CVE-2016-9103     bsc#1007454)

  - Fix DOS in virtio-9pfs interface (CVE-2016-9102     bsc#1007450)

  - Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495)

  - Fix DOS in 16550A UART emulation (CVE-2016-8669     bsc#1004707)

  - Fix DOS in PC-Net II emulation (CVE-2016-7909     bsc#1002557)

  - Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391)

  - Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)

  - Fix DOS in Intel HDA controller emulation (CVE-2016-8909     bsc#1006536)

  - Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493)

  - Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667     bsc#1004702)

  - Patch queue updated from     https://gitlab.suse.de/virtualization/qemu.git SLE11-SP4

  - Remove semi-contradictory and now determined erroneous     statement in kvm-supported.txt regarding not running ntp     in kvm guest when kvm-clock is used. It is now     recommended to use ntp in guest in this case.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu to version 2.6.2 fixes the several issues. These security issues were fixed :

  - CVE-2016-7161: Heap-based buffer overflow in the     .receive callback of xlnx.xps-ethernetlite in QEMU (aka     Quick Emulator) allowed attackers to execute arbitrary     code on the QEMU host via a large ethlite packet     (bsc#1001151).

  - CVE-2016-7170: OOB stack memory access when processing     svga command (bsc#998516).

  - CVE-2016-7466: xhci memory leakage during device unplug     (bsc#1000345).

  - CVE-2016-7422: NULL pointer dereference in     virtqueu_map_desc (bsc#1000346).

  - CVE-2016-7908: The mcf_fec_do_tx function in     hw/net/mcf_fec.c did not properly limit the buffer     descriptor count when transmitting packets, which     allowed local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of 0     and crafted values in bd.flags (bsc#1002550).

  - CVE-2016-7995: Memory leak in ehci_process_itd     (bsc#1003612).

  - CVE-2016-8576: The xhci_ring_fetch function in     hw/usb/hcd-xhci.c allowed local guest OS administrators     to cause a denial of service (infinite loop and QEMU     process crash) by leveraging failure to limit the number     of link Transfer Request Blocks (TRB) to process     (bsc#1003878).

  - CVE-2016-8578: The v9fs_iov_vunmarshal function in     fsdev/9p-iov-marshal.c allowed local guest OS     administrators to cause a denial of service (NULL     pointer dereference and QEMU process crash) by sending     an empty string parameter to a 9P operation     (bsc#1003894).

  - CVE-2016-9105: Memory leakage in v9fs_link     (bsc#1007494).

  - CVE-2016-8577: Memory leak in the v9fs_read function in     hw/9pfs/9p.c allowed local guest OS administrators to     cause a denial of service (memory consumption) via     vectors related to an I/O read operation (bsc#1003893).

  - CVE-2016-9106: Memory leakage in v9fs_write     (bsc#1007495).

  - CVE-2016-8669: The serial_update_parameters function in     hw/char/serial.c allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via vectors involving a value of     divider greater than baud base (bsc#1004707).

  - CVE-2016-7909: The pcnet_rdra_addr function in     hw/net/pcnet.c allowed local guest OS administrators to     cause a denial of service (infinite loop and QEMU     process crash) by setting the (1) receive or (2)     transmit descriptor ring length to 0 (bsc#1002557).

  - CVE-2016-9101: eepro100 memory leakage whern unplugging     a device (bsc#1007391).

  - CVE-2016-8668: The rocker_io_writel function in     hw/net/rocker/rocker.c allowed local guest OS     administrators to cause a denial of service     (out-of-bounds read and QEMU process crash) by     leveraging failure to limit DMA buffer size     (bsc#1004706).

  - CVE-2016-8910: The rtl8139_cplus_transmit function in     hw/net/rtl8139.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) by leveraging failure to limit the ring     descriptor count (bsc#1006538).

  - CVE-2016-8909: The intel_hda_xfer function in     hw/audio/intel-hda.c allowed local guest OS     administrators to cause a denial of service (infinite     loop and CPU consumption) via an entry with the same     value for buffer length and pointer position     (bsc#1006536).

  - CVE-2016-7994: Memory leak in     virtio_gpu_resource_create_2d (bsc#1003613).

  - CVE-2016-9104: Integer overflow leading to OOB access in     9pfs (bsc#1007493).

  - CVE-2016-8667: The rc4030_write function in     hw/dma/rc4030.c allowed local guest OS administrators to     cause a denial of service (divide-by-zero error and QEMU     process crash) via a large interval timer reload value     (bsc#1004702).

  - CVE-2016-7907: The pcnet_rdra_addr function in     hw/net/pcnet.c allowed local guest OS administrators to     cause a denial of service (infinite loop and QEMU     process crash) by setting the (1) receive or (2)     transmit descriptor ring length to 0 (bsc#1002549).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201611-11 (QEMU: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in QEMU. Please review the       CVE identifiers referenced below for details.
  Impact :

    A privileged user /process within a guest QEMU environment can cause a       Denial of Service condition against the QEMU guest process or the host.
  Workaround :

    There is no known workaround at this time.

- CVE-2016-7155: pvscsi: OOB read and infinite loop (bz     #1373463)

  - CVE-2016-7156: pvscsi: infinite loop when building SG     list (bz #1373480)

  - CVE-2016-7156: pvscsi: infinite loop when processing IO     requests (bz #1373480)

  - CVE-2016-7170: vmware_vga: OOB stack memory access (bz     #1374709)

  - CVE-2016-7157: mptsas: invalid memory access (bz     #1373505)

  - CVE-2016-7466: usb: xhci memory leakage during device     unplug (bz #1377838)

  - CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)

  - CVE-2016-7422: virtio: NULL pointer dereference (bz     #1376756)

  - CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz     #1381193)

  - CVE-2016-8576: usb: xHCI: infinite loop vulnerability     (bz #1382322)

  - CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Zhenhao Hong discovered that QEMU incorrectly handled the Virtio module. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service.
(CVE-2016-5403)

Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6833, CVE-2016-6834, CVE-2016-6888)

Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6835)

Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support. A privileged attacker inside the guest could use this issue to possibly to obtain sensitive host memory. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6836)

Felix Wilhelm discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to possibly to obtain sensitive host files.
(CVE-2016-7116)

Li Qiang and Tom Victor discovered that QEMU incorrectly handled VMWARE PVSCSI paravirtual SCSI bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7155)

Li Qiang discovered that QEMU incorrectly handled VMWARE PVSCSI paravirtual SCSI bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7156, CVE-2016-7421)

Tom Victor discovered that QEMU incorrectly handled LSI SAS1068 host bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.10. (CVE-2016-7157)

Hu Chaojian discovered that QEMU incorrectly handled xlnx.xps-ethernetlite emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-7161)

Qinghao Tang and Li Qiang discovered that QEMU incorrectly handled the VMware VGA module. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-7170)

Qinghao Tang and Zhenhao Hong discovered that QEMU incorrectly handled the Virtio module. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.10. (CVE-2016-7422)

Li Qiang discovered that QEMU incorrectly handled LSI SAS1068 host bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.10. (CVE-2016-7423)

Li Qiang discovered that QEMU incorrectly handled USB xHCI controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-7466)

Li Qiang discovered that QEMU incorrectly handled ColdFire Fast Ethernet Controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-7908)

Li Qiang discovered that QEMU incorrectly handled AMD PC-Net II emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-7909)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-7994)

Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service.
This issue only affected Ubuntu 16.10. (CVE-2016-7995)

Li Qiang discovered that QEMU incorrectly handled USB xHCI controller support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-8576)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-8577, CVE-2016-8578)

It was discovered that QEMU incorrectly handled Rocker switch emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-8668)

It was discovered that QEMU incorrectly handled Intel HDA controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-8909)

Andrew Henderson discovered that QEMU incorrectly handled RTL8139 ethernet controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-8910)

Li Qiang discovered that QEMU incorrectly handled Intel i8255x ethernet controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-9101)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-9102, CVE-2016-9104, CVE-2016-9105)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to possibly to obtain sensitive host memory. (CVE-2016-9103)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9106).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2016-6351: scsi: esp: OOB write access in esp_do_dma     (bz #1360600)

  - CVE-2016-6833: vmxnet3: use-after-free (bz #1368982)

  - CVE-2016-6490: virtio: infinite loop in virtqueue_pop     (bz #1361428)

  - CVE-2016-7156: pvscsi: infinite loop when building SG     list (bz #1373480)

  - CVE-2016-7170: vmware_vga: OOB stack memory access (bz     #1374709)

  - CVE-2016-7161: net: Heap overflow in     xlnx.xps-ethernetlite (bz #1379298)

  - CVE-2016-7466: usb: xhci memory leakage during device     unplug (bz #1377838)

  - CVE-2016-7422: virtio: NULL pointer dereference (bz     #1376756)

  - CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz     #1381193)

  - CVE-2016-8576: usb: xHCI: infinite loop vulnerability     (bz #1382322)

  - CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)

  - Don't depend on edk2 roms where they aren't available     (bz #1373576)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been found in qemu-kvm :

CVE-2016-7161

Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in qemu-kvm allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.

CVE-2016-7170

The vmsvga_fifo_run function in hw/display/vmware_vga.c in qemu-kvm is vulnerable to an OOB memory access.

CVE-2016-7908

The mcf_fec_do_tx function in hw/net/mcf_fec.c in qemu-kvm does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.

For Debian 7 'Wheezy', these problems have been fixed in version 1.1.2+dfsg-6+deb7u16.

We recommend that you upgrade your qemu-kvm packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been found in QEMU :

CVE-2016-7161

Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.

CVE-2016-7170

The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) is vulnerable to an OOB memory access.

CVE-2016-7908

The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.

For Debian 7 'Wheezy', these problems have been fixed in version 1.1.2+dfsg-6+deb7u16.

We recommend that you upgrade your qemu packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
119310	Debian DLA-1599-1 : qemu security update	Nessus	Debian Local Security Checks	critical
96253	openSUSE Security Update : xen (openSUSE-2017-5)	Nessus	SuSE Local Security Checks	high
96252	openSUSE Security Update : xen (openSUSE-2017-4)	Nessus	SuSE Local Security Checks	high
96150	SUSE SLES11 Security Update : xen (SUSE-SU-2016:3273-1)	Nessus	SuSE Local Security Checks	high
96129	openSUSE Security Update : qemu (openSUSE-2016-1504)	Nessus	SuSE Local Security Checks	critical
96032	SUSE SLES11 Security Update : xen (SUSE-SU-2016:3174-1)	Nessus	SuSE Local Security Checks	high
95910	openSUSE Security Update : xen (openSUSE-2016-1477)	Nessus	SuSE Local Security Checks	high
95822	SUSE SLES12 Security Update : xen (SUSE-SU-2016:3156-1)	Nessus	SuSE Local Security Checks	high
95761	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:3083-1)	Nessus	SuSE Local Security Checks	high
95757	openSUSE Security Update : qemu (openSUSE-2016-1451)	Nessus	SuSE Local Security Checks	critical
95709	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:3067-1)	Nessus	SuSE Local Security Checks	high
95624	SUSE SLES11 Security Update : xen (SUSE-SU-2016:3044-1)	Nessus	SuSE Local Security Checks	high
95537	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:2988-1)	Nessus	SuSE Local Security Checks	critical
95396	SUSE SLES12 Security Update : qemu (SUSE-SU-2016:2936-1)	Nessus	SuSE Local Security Checks	critical
95316	SUSE SLES11 Security Update : kvm (SUSE-SU-2016:2902-1)	Nessus	SuSE Local Security Checks	critical
95283	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:2879-1)	Nessus	SuSE Local Security Checks	critical
95018	GLSA-201611-11 : QEMU: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
94794	Fedora 25 : 2:qemu (2016-3d3218ec41)	Nessus	Fedora Local Security Checks	low
94669	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : qemu, qemu-kvm vulnerabilities (USN-3125-1)	Nessus	Ubuntu Local Security Checks	critical
94122	Fedora 24 : 2:qemu (2016-a56fb613a8)	Nessus	Fedora Local Security Checks	critical
93970	Debian DLA-653-1 : qemu-kvm security update	Nessus	Debian Local Security Checks	critical
93969	Debian DLA-652-1 : qemu security update	Nessus	Debian Local Security Checks	critical

CVE-2016-7908

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins