| Errata ID | 372 | 
|---|---|
| Date | 2015-09-23 | 
| Source package | xen-4.1 | 
| Fixed in version | 4.1.3-21.52.201509171449 | 
| Additional notes | |
| CVE ID | CVE-2012-5511 CVE-2013-4416 CVE-2013-4554 CVE-2013-6885 CVE-2013-2212 CVE-2014-1666 CVE-2015-2752 CVE-2015-2152 CVE-2015-3340 CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-2756 CVE-2015-4106 CVE-2015-3209 CVE-2015-4164 CVE-2015-3259 CVE-2015-5154 CVE-2015-5165 |
| UCS Bug number | #35104 #38565 |

Description: The following security vulnerabilities have been fixed in xen-4.1:

* x86/mm: Fix loop increment in paging_log_dirty_range() (CVE-2012-5511; the earlier fix was incomplete)
* tools: xenstored: if the reply is too big then send E2BIG error (CVE-2013-4416)
* x86/HVM: only allow ring 0 guest code to make hypercalls (CVE-2013-4554)
* x86/AMD: work around erratum 793 (CVE-2013-6885)
* VMX: fix cr0.cd handling (CVE-2013-2212)
* PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests (CVE-2014-1666)
* Denial of service against host by malicious HVM guest with assigned PCI device with pass-through (long latency MMIO mapping operations are not preemptible) (CVE-2015-2752)
* HVM qemu unexpectedly enabling emulated VGA graphics backends (CVE-2015-2152)
* Information leak through XEN_DOMCTL_gettscinfo (CVE-2015-3340)
* Denial of service (host interrupt handling confusion) due to potential unintended writes to host MSI message data field via qemu by untrusted guest administrators (CVE-2015-4103)
* Denial of service (unexpected interrupt and host crash) due to PCI MSI mask bits inadvertently exposed to guests (CVE-2015-4104)
* Denial of service due to guest triggerable qemu MSI-X pass-through error messages filling up the host storage (CVE-2015-4105)
* Unmediated PCI command register access in qemu (CVE-2015-2756)
* Unmediated PCI register access in qemu possibly allows privilege escalation, host crash (denial of service), and leaked information (CVE-2015-4106)
* A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process (CVE-2015-3209)
* The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a loop, which allows local 32-bit PV guest administrators to cause a denial of service (large loop and system hang) via a hypercall_iret call with EFLAGS.VM set (CVE-2015-4164)
* xl command line config handling stack overflow (CVE-2015-3259)
* QEMU heap overflow flaw while processing certain ATAPI commands (CVE-2015-5154)
* QEMU leak of uninitialized heap memory in rtl8139 device model (CVE-2015-5165)

In addition, the use of va_end() after va_copy() has been fixed.