From owner-svn-ports-head@freebsd.org Sun Jan 3 02:25:01 2016
Return-Path:
Delivered-To: svn-ports-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5AFA6A5375D; Sun, 3 Jan 2016 02:25:01 +0000 (UTC) (envelope-from junovitch@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 275D11F7B; Sun, 3 Jan 2016 02:25:01 +0000 (UTC) (envelope-from junovitch@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u032P0sN005231; Sun, 3 Jan 2016 02:25:00 GMT (envelope-from junovitch@FreeBSD.org)
Received: (from junovitch@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u032P0VT005229; Sun, 3 Jan 2016 02:25:00 GMT (envelope-from junovitch@FreeBSD.org)
Message-Id: <201601030225.u032P0VT005229@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: junovitch set sender to junovitch@FreeBSD.org using -f
From: Jason Unovitch
Date: Sun, 3 Jan 2016 02:25:00 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r405110 - head/security/vuxml
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for the ports tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 03 Jan 2016 02:25:01 -0000

Author: junovitch
Date: Sun Jan 3 02:25:00 2016
New Revision: 405110

URL: https://svnweb.freebsd.org/changeset/ports/405110

Log:
  Document recent QEMU denial of service vulnerabilities

  PR:		205813
  PR:		205814
  Security:	CVE-2015-8701
  Security:	CVE-2015-8666
  Security:	CVE-2015-8619
  Security:	CVE-2015-8613
  Security:	CVE-2015-8567
  Security:	CVE-2015-8568
  Security:	CVE-2015-8558
  Security:	CVE-2015-7549
  Security:	CVE-2015-8504
  Security:	CVE-2015-7504
  Security:	CVE-2015-7512
  Security:	CVE-2015-8345
  Security:	https://vuxml.FreeBSD.org/freebsd/1384f2fd-b1be-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/152acff3-b1bd-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/62ab8707-b1bc-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/b3f9f8ef-b1bb-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/9ad8993e-b1ba-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/60cb2055-b1b8-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/3fb06284-b1b7-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/67feba97-b1b5-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/405446f4-b1b3-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/b56fe6bb-b1b1-11e5-9728-002590263bf5.html

Modified:
  head/security/vuxml/vuln.xml

Modified:
head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun Jan 3 02:09:57 2016 (r405109) +++ head/security/vuxml/vuln.xml Sun Jan 3 02:25:00 2016 (r405110) @@ -58,6 +58,426 @@ Notes: --> + + qemu -- denial of service vulnerability in Rocker switch emulation + + + qemu + qemu-devel + 0 + + + qemu-sbruno + qemu-user-static + 0 + + + + +

Prasad J Pandit, Red Hat Product Security Team, reports:

+
+

Qemu emulator built with the Rocker switch emulation support is + vulnerable to an off-by-one error. It happens while processing + transmit(tx) descriptors in 'tx_consume' routine, if a descriptor + was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. +

+

A privileged user inside guest could use this flaw to cause memory + leakage on the host or crash the Qemu process instance resulting in + DoS issue.

+
+ +
+ + CVE-2015-8701 + ports/205813 + ports/205814 + http://www.openwall.com/lists/oss-security/2015/12/28/6 + https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04629.html + + + 2015-12-28 + 2016-01-03 + +
+ + + qemu -- denial of service vulnerability in Q35 chipset emulation + + + qemu + qemu-devel + 2.5.0 + + + qemu-sbruno + qemu-user-static + 2.5.50.g20151224 + + + + +

Prasad J Pandit, Red Hat Product Security Team, reports:

+
+

Qemu emulator built with the Q35 chipset based pc system emulator + is vulnerable to a heap based buffer overflow. It occurs during VM + guest migration, as more(16 bytes) data is moved into allocated + (8 bytes) memory area.

+

A privileged guest user could use this issue to corrupt the VM + guest image, potentially leading to a DoS. This issue affects q35 + machine types.

+
+ +
+ + CVE-2015-8666 + http://www.openwall.com/lists/oss-security/2015/12/24/1 + http://git.qemu.org/?p=qemu.git;a=commit;h=d9a3b33d2c9f996537b7f1d0246dee2d0120cefb + https://github.com/seanbruno/qemu-bsd-user/commit/d9a3b33d2c9f996537b7f1d0246dee2d0120cefb + + + 2015-11-19 + 2016-01-03 + +
+ + + qemu -- denial of service vulnerability in Human Monitor Interface support + + + qemu + qemu-devel + 0 + + + qemu-sbruno + qemu-user-static + 0 + + + + +

Prasad J Pandit, Red Hat Product Security Team, reports:

+
+

Qemu emulator built with the Human Monitor Interface(HMP) support + is vulnerable to an OOB write issue. It occurs while processing + 'sendkey' command in hmp_sendkey routine, if the command argument is + longer than the 'keyname_buf' buffer size.

+

A user/process could use this flaw to crash the Qemu process + instance resulting in DoS.

+
+ +
+ + CVE-2015-8619 + ports/205813 + ports/205814 + http://www.openwall.com/lists/oss-security/2015/12/22/8 + https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02930.html + + + 2015-12-23 + 2016-01-03 + +
+ + + qemu -- denial of service vulnerability in MegaRAID SAS HBA emulation + + + qemu + qemu-devel + 0 + + + qemu-sbruno + qemu-user-static + 0 + + + + +

Prasad J Pandit, Red Hat Product Security Team, reports:

+
+

Qemu emulator built with the SCSI MegaRAID SAS HBA emulation + support is vulnerable to a stack buffer overflow issue. It occurs + while processing the SCSI controller's CTRL_GET_INFO command. A + privileged guest user could use this flaw to crash the Qemu process + instance resulting in DoS.

+
+ +
+ + CVE-2015-8613 + ports/205813 + ports/205814 + http://www.openwall.com/lists/oss-security/2015/12/21/7 + https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html + + + 2015-12-21 + 2016-01-03 + +
+ + + qemu -- denial of service vulnerability in VMWARE VMXNET3 NIC support + + + qemu + qemu-devel + 0 + + + qemu-sbruno + qemu-user-static + 0 + + + + +

Prasad J Pandit, Red Hat Product Security Team, reports:

+
+

Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator + support is vulnerable to a memory leakage flaw. It occurs when a + guest repeatedly tries to activate the vmxnet3 device.

+

A privileged guest user could use this flaw to leak host memory, + resulting in DoS on the host.

+
+ +
+ + CVE-2015-8567 + CVE-2015-8568 + ports/205813 + ports/205814 + http://www.openwall.com/lists/oss-security/2015/12/15/4 + https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html + + + 2015-12-15 + 2016-01-03 + +
+ + + qemu -- denial of service vulnerability in USB EHCI emulation support + + + qemu + qemu-devel + 0 + + + qemu-sbruno + qemu-user-static + 2.5.50.g20151224 + + + + +

Prasad J Pandit, Red Hat Product Security Team, reports:

+
+

Qemu emulator built with the USB EHCI emulation support is + vulnerable to an infinite loop issue. It occurs during communication + between host controller interface(EHCI) and a respective device + driver. These two communicate via a isochronous transfer descriptor + list(iTD) and an infinite loop unfolds if there is a closed loop in + this list.

+

A privileges user inside guest could use this flaw to consume + excessive CPU cycles & resources on the host.

+
+ +
+ + CVE-2015-8558 + ports/205814 + http://www.openwall.com/lists/oss-security/2015/12/14/9 + http://git.qemu.org/?p=qemu.git;a=commit;h=156a2e4dbffa85997636a7a39ef12da6f1b40254 + https://github.com/seanbruno/qemu-bsd-user/commit/156a2e4dbffa85997636a7a39ef12da6f1b40254 + + + 2015-12-14 + 2016-01-03 + +
+ + + qemu -- denial of service vulnerability in MSI-X support + + + qemu + qemu-devel + 2.5.0 + + + qemu-sbruno + qemu-user-static + 2.5.50.g20151224 + + + + +

Prasad J Pandit, Red Hat Product Security Team, reports:

+
+

Qemu emulator built with the PCI MSI-X support is vulnerable to + null pointer dereference issue. It occurs when the controller + attempts to write to the pending bit array(PBA) memory region. + Because the MSI-X MMIO support did not define the .write method.

+

A privileges used inside guest could use this flaw to crash the + Qemu process resulting in DoS issue.

+
+ +
+ + CVE-2015-7549 + http://www.openwall.com/lists/oss-security/2015/12/14/2 + http://git.qemu.org/?p=qemu.git;a=commit;h=43b11a91dd861a946b231b89b7542856ade23d1b + https://github.com/seanbruno/qemu-bsd-user/commit/43b11a91dd861a946b231b89b7542856ade23d1b + + + 2015-06-26 + 2016-01-03 + +
+ + + qemu -- denial of service vulnerability in VNC + + + qemu + qemu-devel + 2.5.0 + + + qemu-sbruno + qemu-user-static + 2.5.50.g20151224 + + + + +

Prasad J Pandit, Red Hat Product Security Team, reports:

+
+

Qemu emulator built with the VNC display driver support is + vulnerable to an arithmetic exception flaw. It occurs on the VNC + server side while processing the 'SetPixelFormat' messages from a + client.

+

A privileged remote client could use this flaw to crash the guest + resulting in DoS.

+
+ +
+ + CVE-2015-8504 + http://www.openwall.com/lists/oss-security/2015/12/08/4 + http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3 + https://github.com/seanbruno/qemu-bsd-user/commit/4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3 + + + 2015-12-08 + 2016-01-03 + +
+ + + qemu -- denial of service vulnerabilities in AMD PC-Net II NIC support + + + qemu + qemu-devel + 2.5.0 + + + qemu-sbruno + qemu-user-static + 2.5.50.g20151224 + + + + +

Prasad J Pandit, Red Hat Product Security Team, reports:

+
+

Qemu emulator built with the AMD PC-Net II Ethernet Controller + support is vulnerable to a heap buffer overflow flaw. While + receiving packets in the loopback mode, it appends CRC code to the + receive buffer. If the data size given is same as the receive buffer + size, the appended CRC code overwrites 4 bytes beyond this + 's->buffer' array.

+

A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw + to crash the Qemu instance resulting in DoS or potentially execute + arbitrary code with privileges of the Qemu process on the host.

+
+
+

The AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets + from a remote host(non-loopback mode), fails to validate the + received data size, thus resulting in a buffer overflow issue. It + could potentially lead to arbitrary code execution on the host, with + privileges of the Qemu process. It requires the guest NIC to have + larger MTU limit.

+

A remote user could use this flaw to crash the guest instance + resulting in DoS or potentially execute arbitrary code on a remote + host with privileges of the Qemu process.

+
+ +
+ + CVE-2015-7504 + CVE-2015-7512 + http://www.openwall.com/lists/oss-security/2015/11/30/2 + http://www.openwall.com/lists/oss-security/2015/11/30/3 + http://git.qemu.org/?p=qemu.git;a=commit;h=837f21aacf5a714c23ddaadbbc5212f9b661e3f7 + http://git.qemu.org/?p=qemu.git;a=commit;h=8b98a2f07175d46c3f7217639bd5e03f2ec56343 + https://github.com/seanbruno/qemu-bsd-user/commit/837f21aacf5a714c23ddaadbbc5212f9b661e3f7 + https://github.com/seanbruno/qemu-bsd-user/commit/8b98a2f07175d46c3f7217639bd5e03f2ec56343 + + + 2015-11-30 + 2016-01-03 + +
+ + + qemu -- denial of service vulnerabilities in eepro100 NIC support + + + qemu + qemu-devel + 0 + + + qemu-sbruno + qemu-user-static + 0 + + + + +

Prasad J Pandit, Red Hat Product Security Team, reports:

+
+

Qemu emulator built with the i8255x (PRO100) emulation support is + vulnerable to an infinite loop issue. It could occur while + processing a chain of commands located in the Command Block List + (CBL). Each Command Block(CB) points to the next command in the + list. An infinite loop unfolds if the link to the next CB points + to the same block or there is a closed loop in the chain.

+

A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw + to crash the Qemu instance resulting in DoS.

+
+ +
+ + CVE-2015-8345 + ports/205813 + ports/205814 + http://www.openwall.com/lists/oss-security/2015/11/25/3 + https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html + + + 2015-10-16 + 2016-01-03 + +
+ qemu -- denial of service vulnerability in virtio-net support
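Review bot: the title of the CVE-2015-7504/CVE-2015-7512 entry, "qemu -- denial of service vulnerabilities in AMD PC-Net II NIC support", under-states what its own body says: both quoted impact paragraphs end with "potentially execute arbitrary code ... with privileges of the Qemu process on the host", and the CVE-2015-7512 case is reachable by "a remote user" in non-loopback mode, so anyone scanning titles (which is what pkg audit prints) would file this as a crash-only bug. Consider "qemu -- denial of service and potential code execution in AMD PC-Net II NIC support" so the title carries the code-execution impact; the other entries in this hunk (Rocker, Q35, HMP, MegaRAID, VMXNET3, EHCI, MSI-X, VNC, eepro100) describe crashes, host memory leakage or CPU exhaustion and their denial-of-service titles are accurate. Separately, the quoted impact sentences in the EHCI and MSI-X entries read "A privileges user inside guest" and "A privileges used inside guest"; if those are verbatim from the oss-security posts keep them (vuxml quotes upstream text as published), otherwise fix both to "A privileged user inside guest" before committing.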