Date: Mon, 4 Jul 2016 19:02:27 +0000 (UTC)
From: Jason Unovitch <junovitch@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r418049 - head/security/vuxml
Message-ID: <201607041902.u64J2RWJ033768@repo.freebsd.org>
Author: junovitch
Date: Mon Jul 4 19:02:26 2016
New Revision: 418049
URL: https://svnweb.freebsd.org/changeset/ports/418049

Log:
  Document Xen Security Advisories (XSAs 173, 175, 176, 178, 179, and 180).
  XSAs 171, 172, 174, and 181 are not applicable to FreeBSD.

  Discussed with: royger
  Security: CVE-2014-3672
  Security: CVE-2016-3710
  Security: CVE-2016-3712
  Security: CVE-2016-4963
  Security: CVE-2016-4480
  Security: CVE-2016-4962
  Security: CVE-2016-3960
  Security: https://vuxml.FreeBSD.org/freebsd/e800cd4b-4212-11e6-942d-bc5ff45d0f28.html
  Security: https://vuxml.FreeBSD.org/freebsd/e6ce6f50-4212-11e6-942d-bc5ff45d0f28.html
  Security: https://vuxml.FreeBSD.org/freebsd/e589ae90-4212-11e6-942d-bc5ff45d0f28.html
  Security: https://vuxml.FreeBSD.org/freebsd/e43b210a-4212-11e6-942d-bc5ff45d0f28.html
  Security: https://vuxml.FreeBSD.org/freebsd/e2fca11b-4212-11e6-942d-bc5ff45d0f28.html
  Security: https://vuxml.FreeBSD.org/freebsd/d51ced72-4212-11e6-942d-bc5ff45d0f28.html

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Mon Jul 4 18:14:18 2016 (r418048)
+++ head/security/vuxml/vuln.xml Mon Jul 4 19:02:26 2016 (r418049)
@@ -58,6 +58,214 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="e800cd4b-4212-11e6-942d-bc5ff45d0f28"> + <topic>xen-tools -- Unrestricted qemu logging</topic> + <affects> + <package> + <name>xen-tools</name> + <range><lt>4.7.0_2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Xen Project reports:</p> + <blockquote cite="http://xenbits.xen.org/xsa/advisory-180.html"> + <p>When the libxl toolstack launches qemu for HVM guests, it pipes the + output of stderr to a file in /var/log/xen. This output is not + rate-limited in any way. The guest can easily cause qemu to print + messages to stderr, causing this file to become arbitrarily large. + </p> + <p>The disk containing the logfile can be exausted, possibly causing a + denial-of-service (DoS).</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2014-3672</cvename> + <url>http://xenbits.xen.org/xsa/advisory-180.html</url> + </references> + <dates> + <discovery>2016-05-23</discovery> + <entry>2016-07-04</entry> + </dates> + </vuln> + + <vuln vid="e6ce6f50-4212-11e6-942d-bc5ff45d0f28"> + <topic>xen-tools -- QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks</topic> + <affects> + <package> + <name>xen-tools</name> + <range><lt>4.7.0_2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Xen Project reports:</p> + <blockquote cite="http://xenbits.xen.org/xsa/advisory-179.html"> + <p>Qemu VGA module allows banked access to video memory using the + window at 0xa00000 and it supports different access modes with + different address calculations.</p> + <p>Qemu VGA module allows guest to edit certain registers in 'vbe' + and 'vga' modes.</p> + <p>A privileged guest user could use CVE-2016-3710 to exceed the bank + address window and write beyond the said memory area, 
potentially + leading to arbitrary code execution with privileges of the Qemu + process. If the system is not using stubdomains, this will be in + domain 0.</p> + <p>A privileged guest user could use CVE-2016-3712 to cause potential + integer overflow or OOB read access issues in Qemu, resulting in a DoS + of the guest itself. More dangerous effect, such as data leakage or + code execution, are not known but cannot be ruled out.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-3710</cvename> + <cvename>CVE-2016-3712</cvename> + <url>http://xenbits.xen.org/xsa/advisory-179.html</url> + </references> + <dates> + <discovery>2016-05-09</discovery> + <entry>2016-07-04</entry> + </dates> + </vuln> + + <vuln vid="e589ae90-4212-11e6-942d-bc5ff45d0f28"> + <topic>xen-tools -- Unsanitised driver domain input in libxl device handling</topic> + <affects> + <package> + <name>xen-tools</name> + <range><lt>4.7.0_1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Xen Project reports:</p> + <blockquote cite="http://xenbits.xen.org/xsa/advisory-178.html"> + <p>libxl's device-handling code freely uses and trusts information + from the backend directories in xenstore.</p> + <p>A malicious driver domain can deny service to management tools.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-4963</cvename> + <url>http://xenbits.xen.org/xsa/advisory-178.html</url> + </references> + <dates> + <discovery>2016-06-02</discovery> + <entry>2016-07-04</entry> + </dates> + </vuln> + + <vuln vid="e43b210a-4212-11e6-942d-bc5ff45d0f28"> + <topic>xen-kernel -- x86 software guest page walk PS bit handling flaw</topic> + <affects> + <package> + <name>xen-kernel</name> + <range><lt>4.7.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Xen Project reports:</p> + <blockquote 
cite="http://xenbits.xen.org/xsa/advisory-176.html"> + <p>The Page Size (PS) page table entry bit exists at all page table + levels other than L1. Its meaning is reserved in L4, and + conditionally reserved in L3 and L2 (depending on hardware + capabilities). The software page table walker in the hypervisor, + however, so far ignored that bit in L4 and (on respective hardware) + L3 entries, resulting in pages to be treated as page tables which + the guest OS may not have designated as such. If the page in + question is writable by an unprivileged user, then that user will + be able to map arbitrary guest memory.</p> + <p>On vulnerable OSes, guest user mode code may be able to establish + mappings of arbitrary memory inside the guest, allowing it to + elevate its privileges inside the guest.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-4480</cvename> + <url>http://xenbits.xen.org/xsa/advisory-176.html</url> + </references> + <dates> + <discovery>2016-05-17</discovery> + <entry>2016-07-04</entry> + </dates> + </vuln> + + <vuln vid="e2fca11b-4212-11e6-942d-bc5ff45d0f28"> + <topic>xen-tools -- Unsanitised guest input in libxl device handling code</topic> + <affects> + <package> + <name>xen-tools</name> + <range><lt>4.7.0_1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Xen Project reports:</p> + <blockquote cite="http://xenbits.xen.org/xsa/advisory-175.html"> + <p>Various parts of libxl device-handling code inappropriately use + information from (partially) guest controlled areas of xenstore.</p> + <p>A malicious guest administrator can cause denial of service by + resource exhaustion.</p> + <p>A malicious guest administrator can confuse and/or deny service to + management facilities.</p> + <p>A malicious guest administrator of a guest configured with channel + devices may be able to escalate their privilege to that of the + backend domain (i.e., normally, to that of the 
host).</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-4962</cvename> + <url>http://xenbits.xen.org/xsa/advisory-175.html</url> + </references> + <dates> + <discovery>2016-06-02</discovery> + <entry>2016-07-04</entry> + </dates> + </vuln> + + <vuln vid="d51ced72-4212-11e6-942d-bc5ff45d0f28"> + <topic>xen-kernel -- x86 shadow pagetables: address width overflow</topic> + <affects> + <package> + <name>xen-kernel</name> + <range><ge>3.4</ge><lt>4.7.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Xen Project reports:</p> + <blockquote cite="http://xenbits.xen.org/xsa/advisory-173.html"> + <p>In the x86 shadow pagetable code, the guest frame number of a + superpage mapping is stored in a 32-bit field. If a shadowed guest + can cause a superpage mapping of a guest-physical address at or + above 2^44 to be shadowed, the top bits of the address will be lost, + causing an assertion failure or NULL dereference later on, in code + that removes the shadow.</p> + <p>A HVM guest using shadow pagetables can cause the host to crash. + </p> + <p>A PV guest using shadow pagetables (i.e. being migrated) with PV + superpages enabled (which is not the default) can crash the host, or + corrupt hypervisor memory, and so a privilege escalation cannot be + ruled out.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-3960</cvename> + <url>http://xenbits.xen.org/xsa/advisory-173.html</url> + </references> + <dates> + <discovery>2016-04-18</discovery> + <entry>2016-07-04</entry> + </dates> + </vuln> + <vuln vid="313e9557-41e8-11e6-ab34-002590263bf5"> <topic>wireshark -- multiple vulnerabilities</topic> <affects>
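Review bot: The XSA-179 entry (vid e6ce6f50-4212-11e6-942d-bc5ff45d0f28) lists two CVEs, CVE-2016-3710 and CVE-2016-3712, but its `<topic>` carries only the XSA-179 title, which describes the VBE bounds-check issue (CVE-2016-3712); the `<p>` block for CVE-2016-3710 describes a separate out-of-bounds write with possible code execution in the qemu process, so a broader topic such as "xen-tools -- QEMU: multiple VGA emulation vulnerabilities (XSA-179)" would make both CVEs findable from the summary line. The quoted advisory text in the XSA-180 and XSA-179 blockquotes is reproduced verbatim, including "exausted" and "More dangerous effect, such as data leakage or code execution, are not known", which is the right choice for a `cite`d blockquote; leave those as-is rather than silently editing upstream wording. The affected ranges are internally consistent: XSA-175 and XSA-178 close at xen-tools 4.7.0_1, XSA-179 and XSA-180 at 4.7.0_2, and both xen-kernel entries (XSA-173 with its `<ge>3.4</ge>` lower bound, XSA-176 without one) close at 4.7.0, matching the two separate port bumps implied by the log.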