svn commit: r418049 - head/security/vuxml

Jason Unovitch junovitch at FreeBSD.org
Mon Jul 4 19:02:28 UTC 2016


Author: junovitch
Date: Mon Jul  4 19:02:26 2016
New Revision: 418049
URL: https://svnweb.freebsd.org/changeset/ports/418049

Log:
  Document Xen Security Advisories (XSAs 173, 175, 176, 178, 179, and 180).
  
  XSAs 171, 172, 174, and 181 are not applicable to FreeBSD.
  
  Discussed with:	royger
  Security:	CVE-2014-3672
  Security:	CVE-2016-3710
  Security:	CVE-2016-3712
  Security:	CVE-2016-4963
  Security:	CVE-2016-4480
  Security:	CVE-2016-4962
  Security:	CVE-2016-3960
  Security:	https://vuxml.FreeBSD.org/freebsd/e800cd4b-4212-11e6-942d-bc5ff45d0f28.html
  Security:	https://vuxml.FreeBSD.org/freebsd/e6ce6f50-4212-11e6-942d-bc5ff45d0f28.html
  Security:	https://vuxml.FreeBSD.org/freebsd/e589ae90-4212-11e6-942d-bc5ff45d0f28.html
  Security:	https://vuxml.FreeBSD.org/freebsd/e43b210a-4212-11e6-942d-bc5ff45d0f28.html
  Security:	https://vuxml.FreeBSD.org/freebsd/e2fca11b-4212-11e6-942d-bc5ff45d0f28.html
  Security:	https://vuxml.FreeBSD.org/freebsd/d51ced72-4212-11e6-942d-bc5ff45d0f28.html

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Mon Jul  4 18:14:18 2016	(r418048)
+++ head/security/vuxml/vuln.xml	Mon Jul  4 19:02:26 2016	(r418049)
@@ -58,6 +58,214 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="e800cd4b-4212-11e6-942d-bc5ff45d0f28">
+    <topic>xen-tools -- Unrestricted qemu logging</topic>
+    <affects>
+      <package>
+	<name>xen-tools</name>
+	<range><lt>4.7.0_2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Xen Project reports:</p>
+	<blockquote cite="http://xenbits.xen.org/xsa/advisory-180.html">
+	  <p>When the libxl toolstack launches qemu for HVM guests, it pipes the
+	    output of stderr to a file in /var/log/xen.  This output is not
+	    rate-limited in any way.  The guest can easily cause qemu to print
+	    messages to stderr, causing this file to become arbitrarily large.
+	    </p>
+	  <p>The disk containing the logfile can be exausted, possibly causing a
+	    denial-of-service (DoS).</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-3672</cvename>
+      <url>http://xenbits.xen.org/xsa/advisory-180.html</url>
+    </references>
+    <dates>
+      <discovery>2016-05-23</discovery>
+      <entry>2016-07-04</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="e6ce6f50-4212-11e6-942d-bc5ff45d0f28">
+    <topic>xen-tools -- QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks</topic>
+    <affects>
+      <package>
+	<name>xen-tools</name>
+	<range><lt>4.7.0_2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Xen Project reports:</p>
+	<blockquote cite="http://xenbits.xen.org/xsa/advisory-179.html">
+	  <p>Qemu VGA module allows banked access to video memory using the
+	    window at 0xa00000 and it supports different access modes with
+	    different address calculations.</p>
+	  <p>Qemu VGA module allows guest to edit certain registers in 'vbe'
+	    and 'vga' modes.</p>
+	  <p>A privileged guest user could use CVE-2016-3710 to exceed the bank
+	    address window and write beyond the said memory area, potentially
+	    leading to arbitrary code execution with privileges of the Qemu
+	    process.  If the system is not using stubdomains, this will be in
+	    domain 0.</p>
+	  <p>A privileged guest user could use CVE-2016-3712 to cause potential
+	    integer overflow or OOB read access issues in Qemu, resulting in a DoS
+	    of the guest itself.  More dangerous effect, such as data leakage or
+	    code execution, are not known but cannot be ruled out.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-3710</cvename>
+      <cvename>CVE-2016-3712</cvename>
+      <url>http://xenbits.xen.org/xsa/advisory-179.html</url>
+    </references>
+    <dates>
+      <discovery>2016-05-09</discovery>
+      <entry>2016-07-04</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="e589ae90-4212-11e6-942d-bc5ff45d0f28">
+    <topic>xen-tools -- Unsanitised driver domain input in libxl device handling</topic>
+    <affects>
+      <package>
+	<name>xen-tools</name>
+	<range><lt>4.7.0_1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Xen Project reports:</p>
+	<blockquote cite="http://xenbits.xen.org/xsa/advisory-178.html">
+	  <p>libxl's device-handling code freely uses and trusts information
+	    from the backend directories in xenstore.</p>
+	  <p>A malicious driver domain can deny service to management tools.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-4963</cvename>
+      <url>http://xenbits.xen.org/xsa/advisory-178.html</url>
+    </references>
+    <dates>
+      <discovery>2016-06-02</discovery>
+      <entry>2016-07-04</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="e43b210a-4212-11e6-942d-bc5ff45d0f28">
+    <topic>xen-kernel -- x86 software guest page walk PS bit handling flaw</topic>
+    <affects>
+      <package>
+	<name>xen-kernel</name>
+	<range><lt>4.7.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Xen Project reports:</p>
+	<blockquote cite="http://xenbits.xen.org/xsa/advisory-176.html">
+	  <p>The Page Size (PS) page table entry bit exists at all page table
+	    levels other than L1.  Its meaning is reserved in L4, and
+	    conditionally reserved in L3 and L2 (depending on hardware
+	    capabilities).  The software page table walker in the hypervisor,
+	    however, so far ignored that bit in L4 and (on respective hardware)
+	    L3 entries, resulting in pages to be treated as page tables which
+	    the guest OS may not have designated as such.  If the page in
+	    question is writable by an unprivileged user, then that user will
+	    be able to map arbitrary guest memory.</p>
+	  <p>On vulnerable OSes, guest user mode code may be able to establish
+	    mappings of arbitrary memory inside the guest, allowing it to
+	    elevate its privileges inside the guest.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-4480</cvename>
+      <url>http://xenbits.xen.org/xsa/advisory-176.html</url>
+    </references>
+    <dates>
+      <discovery>2016-05-17</discovery>
+      <entry>2016-07-04</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="e2fca11b-4212-11e6-942d-bc5ff45d0f28">
+    <topic>xen-tools -- Unsanitised guest input in libxl device handling code</topic>
+    <affects>
+      <package>
+	<name>xen-tools</name>
+	<range><lt>4.7.0_1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Xen Project reports:</p>
+	<blockquote cite="http://xenbits.xen.org/xsa/advisory-175.html">
+	  <p>Various parts of libxl device-handling code inappropriately use
+	    information from (partially) guest controlled areas of xenstore.</p>
+	  <p>A malicious guest administrator can cause denial of service by
+	    resource exhaustion.</p>
+	  <p>A malicious guest administrator can confuse and/or deny service to
+	    management facilities.</p>
+	  <p>A malicious guest administrator of a guest configured with channel
+	    devices may be able to escalate their privilege to that of the
+	    backend domain (i.e., normally, to that of the host).</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-4962</cvename>
+      <url>http://xenbits.xen.org/xsa/advisory-175.html</url>
+    </references>
+    <dates>
+      <discovery>2016-06-02</discovery>
+      <entry>2016-07-04</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="d51ced72-4212-11e6-942d-bc5ff45d0f28">
+    <topic>xen-kernel -- x86 shadow pagetables: address width overflow</topic>
+    <affects>
+      <package>
+	<name>xen-kernel</name>
+	<range><ge>3.4</ge><lt>4.7.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Xen Project reports:</p>
+	<blockquote cite="http://xenbits.xen.org/xsa/advisory-173.html">
+	  <p>In the x86 shadow pagetable code, the guest frame number of a
+	    superpage mapping is stored in a 32-bit field.  If a shadowed guest
+	    can cause a superpage mapping of a guest-physical address at or
+	    above 2^44 to be shadowed, the top bits of the address will be lost,
+	    causing an assertion failure or NULL dereference later on, in code
+	    that removes the shadow.</p>
+	  <p>A HVM guest using shadow pagetables can cause the host to crash.
+	    </p>
+	  <p>A PV guest using shadow pagetables (i.e. being migrated) with PV
+	    superpages enabled (which is not the default) can crash the host, or
+	    corrupt hypervisor memory, and so a privilege escalation cannot be
+	    ruled out.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-3960</cvename>
+      <url>http://xenbits.xen.org/xsa/advisory-173.html</url>
+    </references>
+    <dates>
+      <discovery>2016-04-18</discovery>
+      <entry>2016-07-04</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="313e9557-41e8-11e6-ab34-002590263bf5">
     <topic>wireshark -- multiple vulnerabilities</topic>
     <affects>
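Review bot: two style nits in the new entries: in the XSA-180 and XSA-173 descriptions the closing `</p>` sits on a line of its own (after "arbitrarily large." and after "cause the host to crash."), whereas every other paragraph in the hunk closes the tag on the text line; joining them keeps the file consistent. "exausted" in the XSA-180 quote reads as a typo for "exhausted"; if the advisory text is being kept verbatim that is fine, otherwise correct it. The six entries otherwise look complete, each with a `<cvename>` and advisory `<url>` matching the Security: lines in the log; the xen-kernel range for XSA-173 carries a `<ge>3.4</ge>` lower bound while the XSA-176 entry has none, so it is worth a quick check that the open lower bound on XSA-176 is intended.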
