Return to bug 201416
(-)vuln.xml (+604 lines)
Lines 57-62
57
57
58
-->
58
-->
59
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
59
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
60
  <vuln vid="f1deed23-27ec-11e5-a4a5-002590263bf5">
61
    <topic>xen-tools -- xl command line config handling stack overflow</topic>
62
    <affects>
63
      <package>
64
	<name>xen-tools</name>
65
	<range><ge>4.1</ge><lt>4.5.0_8</lt></range>
66
      </package>
67
    </affects>
68
    <description>
69
      <body xmlns="http://www.w3.org/1999/xhtml">
70
	<p>The Xen Project reports:</p>
71
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-137.html">
72
	  <p>The xl command line utility mishandles long configuration values
73
	    when passed as command line arguments, with a buffer overrun.</p>
74
	  <p>A semi-trusted guest administrator or controller, who is intended
75
	    to be able to partially control the configuration settings for a
76
	    domain, can escalate their privileges to that of the whole host.</p>
77
	</blockquote>
78
      </body>
79
    </description>
80
    <references>
81
      <cvename>CVE-2015-3259</cvename>
82
      <url>http://xenbits.xen.org/xsa/advisory-137.html</url>
83
    </references>
84
    <dates>
85
      <discovery>2015-07-07</discovery>
86
      <entry>2015-07-11</entry>
87
    </dates>
88
  </vuln>
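Review bot: the xen-tools range for this entry is `<ge>4.1</ge><lt>4.5.0_8</lt>`, while every other xen-tools entry in this patch closes at `<lt>4.5.0_6</lt>`. Please confirm that 4.5.0_8 is the port revision that actually carries the XSA-137 fix rather than a copy of a later bump, since a wrong upper bound here either leaves users of the revisions between the two bounds unwarned or flags already-fixed packages as vulnerable.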
89
90
  <vuln vid="8c31b288-27ec-11e5-a4a5-002590263bf5">
91
    <topic>xen-kernel -- vulnerability in the iret hypercall handler</topic>
92
    <affects>
93
      <package>
94
	<name>xen-kernel</name>
95
	<range><ge>3.1</ge><lt>4.5.0_3</lt></range>
96
      </package>
97
    </affects>
98
    <description>
99
      <body xmlns="http://www.w3.org/1999/xhtml">
100
	<p>The Xen Project reports:</p>
101
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-136.html">
102
	  <p>A buggy loop in Xen's compat_iret() function iterates the wrong way
103
	    around a 32-bit index.  Any 32-bit PV guest kernel can trigger this
104
	    vulnerability by attempting a hypercall_iret with EFLAGS.VM set.</p>
105
	  <p>Given the use of __get/put_user(), and that the virtual addresses
106
	    in question are contained within the lower canonical half, the guest
107
	    cannot clobber any hypervisor data.  Instead, Xen will take up to
108
	    2^33 pagefaults, in sequence, effectively hanging the host.</p>
109
	  <p>Malicious guest administrators can cause a denial of service
110
	    affecting the whole system.</p>
111
	</blockquote>
112
      </body>
113
    </description>
114
    <references>
115
      <cvename>CVE-2015-4164</cvename>
116
      <url>http://xenbits.xen.org/xsa/advisory-136.html</url>
117
    </references>
118
    <dates>
119
      <discovery>2015-06-11</discovery>
120
      <entry>2015-07-11</entry>
121
    </dates>
122
  </vuln>
123
124
  <vuln vid="80e846ff-27eb-11e5-a4a5-002590263bf5">
125
    <topic>xen-kernel -- GNTTABOP_swap_grant_ref operation misbehavior</topic>
126
    <affects>
127
      <package>
128
	<name>xen-kernel</name>
129
	<range><ge>4.2</ge><lt>4.5.0_3</lt></range>
130
      </package>
131
    </affects>
132
    <description>
133
      <body xmlns="http://www.w3.org/1999/xhtml">
134
	<p>The Xen Project reports:</p>
135
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-134.html">
136
	  <p>With the introduction of version 2 grant table operations, a
137
	    version check became necessary for most grant table related
138
	    hypercalls.  The GNTTABOP_swap_grant_ref call was lacking such a
139
	    check.  As a result, the subsequent code behaved as if version 2 was
140
	    in use, when a guest issued this hypercall without a prior
141
	    GNTTABOP_setup_table or GNTTABOP_set_version.</p>
142
	  <p>The effect is a possible NULL pointer dereferences.  However, this
143
	    cannot be exploited to elevate privileges of the attacking domain,
144
	    as the maximum memory address that can be wrongly accessed this way
145
	    is bounded to far below the start of hypervisor memory.</p>
146
	  <p>Malicious or buggy guest domain kernels can mount a denial of
147
	    service attack which, if successful, can affect the whole system.</p>
148
	</blockquote>
149
      </body>
150
    </description>
151
    <references>
152
      <cvename>CVE-2015-4163</cvename>
153
      <url>http://xenbits.xen.org/xsa/advisory-134.html</url>
154
    </references>
155
    <dates>
156
      <discovery>2015-06-11</discovery>
157
      <entry>2015-07-11</entry>
158
    </dates>
159
  </vuln>
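Review bot: the quoted advisory text "The effect is a possible NULL pointer dereferences" mixes singular and plural. Either keep the blockquote verbatim and mark it with [sic], or normalise it to "a possible NULL pointer dereference"; whichever policy is chosen should be applied to the other quoted typos in this patch as well.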
160
161
  <vuln vid="ce658051-27ea-11e5-a4a5-002590263bf5">
162
    <topic>xen-kernel -- Information leak through XEN_DOMCTL_gettscinfo</topic>
163
    <affects>
164
      <package>
165
	<name>xen-kernel</name>
166
	<range><ge>4.0</ge><lt>4.5.0_3</lt></range>
167
      </package>
168
    </affects>
169
    <description>
170
      <body xmlns="http://www.w3.org/1999/xhtml">
171
	<p>The Xen Project reports:</p>
172
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-132.html">
173
	  <p>The handler for XEN_DOMCTL_gettscinfo failed to initialize a
174
	    padding field subsequently copied to guest memory.</p>
175
	  <p>A similar leak existed in XEN_SYSCTL_getdomaininfolist, which is
176
	    being addressed here regardless of that operation being declared
177
	    unsafe for disaggregation by XSA-77.</p>
178
	  <p>Malicious or buggy stub domain kernels or tool stacks otherwise
179
	    living outside of Domain0 may be able to read sensitive data
180
	    relating to the hypervisor or other guests not under the control of
181
	    that domain.</p>
182
	</blockquote>
183
      </body>
184
    </description>
185
    <references>
186
      <cvename>CVE-2015-3340</cvename>
187
      <url>http://xenbits.xen.org/xsa/advisory-132.html</url>
188
    </references>
189
    <dates>
190
      <discovery>2015-04-20</discovery>
191
      <entry>2015-07-11</entry>
192
    </dates>
193
  </vuln>
194
195
  <vuln vid="3d657340-27ea-11e5-a4a5-002590263bf5">
196
    <topic>xen-tools -- Unmediated PCI register access in qemu</topic>
197
    <affects>
198
      <package>
199
	<name>xen-tools</name>
200
	<range><ge>3.3</ge><lt>4.5.0_6</lt></range>
201
      </package>
202
    </affects>
203
    <description>
204
      <body xmlns="http://www.w3.org/1999/xhtml">
205
	<p>The Xen Project reports:</p>
206
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-131.html">
207
	  <p>Qemu allows guests to not only read, but also write all parts of
208
	    the PCI config space (but not extended config space) of passed
209
	    through PCI devices not explicitly dealt with for (partial)
210
	    emulation purposes.</p>
211
	  <p>Since the effect depends on the specific purpose of the the config
212
	    space field, it's not possbile to give a general statement about the
213
	    exact impact on the host or other guests.  Privilege escalation,
214
	    host crash (Denial of Service), and leaked information all cannot be
215
	    excluded.</p>
216
	</blockquote>
217
      </body>
218
    </description>
219
    <references>
220
      <cvename>CVE-2015-4106</cvename>
221
      <url>http://xenbits.xen.org/xsa/advisory-131.html</url>
222
    </references>
223
    <dates>
224
      <discovery>2015-06-02</discovery>
225
      <entry>2015-07-11</entry>
226
    </dates>
227
  </vuln>
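Review bot: the quoted text carries two typos from the upstream advisory, "the specific purpose of the the config space field" and "it's not possbile". If the blockquote is meant to reproduce the advisory verbatim, mark them with [sic]; otherwise correct them to "the config space field" and "possible". The XHTML body is otherwise well-formed.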
228
229
  <vuln vid="cbe1a0f9-27e9-11e5-a4a5-002590263bf5">
230
    <topic>xen-tools -- Guest triggerable qemu MSI-X pass-through error messages</topic>
231
    <affects>
232
      <package>
233
	<name>xen-tools</name>
234
	<range><ge>3.3</ge><lt>4.5.0_6</lt></range>
235
      </package>
236
    </affects>
237
    <description>
238
      <body xmlns="http://www.w3.org/1999/xhtml">
239
	<p>The Xen Project reports:</p>
240
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-130.html">
241
	  <p>Device model code dealing with guest PCI MSI-X interrupt management
242
	    activities logs messages on certain (supposedly) invalid guest
243
	    operations.</p>
244
	  <p>A buggy or malicious guest repeatedly invoking such operations may
245
	    result in the host disk to fill up, possibly leading to a Denial of
246
	    Service.</p>
247
	</blockquote>
248
      </body>
249
    </description>
250
    <references>
251
      <cvename>CVE-2015-4105</cvename>
252
      <url>http://xenbits.xen.org/xsa/advisory-130.html</url>
253
    </references>
254
    <dates>
255
      <discovery>2015-06-02</discovery>
256
      <entry>2015-07-11</entry>
257
    </dates>
258
  </vuln>
259
260
  <vuln vid="4db8a0f4-27e9-11e5-a4a5-002590263bf5">
261
    <topic>xen-tools -- PCI MSI mask bits inadvertently exposed to guests</topic>
262
    <affects>
263
      <package>
264
	<name>xen-tools</name>
265
	<range><ge>3.3</ge><lt>4.5.0_6</lt></range>
266
      </package>
267
    </affects>
268
    <description>
269
      <body xmlns="http://www.w3.org/1999/xhtml">
270
	<p>The Xen Project reports:</p>
271
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-129.html">
272
	  <p>The mask bits optionally available in the PCI MSI capability
273
	    structure are used by the hypervisor to occasionally suppress
274
	    interrupt delivery.  Unprivileged guests were, however, nevertheless
275
	    allowed direct control of these bits.</p>
276
	  <p>Interrupts may be observed by Xen at unexpected times, which may
277
	    lead to a host crash and therefore a Denial of Service.</p>
278
	</blockquote>
279
      </body>
280
    </description>
281
    <references>
282
      <cvename>CVE-2015-4104</cvename>
283
      <url>http://xenbits.xen.org/xsa/advisory-129.html</url>
284
    </references>
285
    <dates>
286
      <discovery>2015-06-02</discovery>
287
      <entry>2015-07-11</entry>
288
    </dates>
289
  </vuln>
290
291
  <vuln vid="af38cfec-27e7-11e5-a4a5-002590263bf5">
292
    <topic>xen-tools -- Potential unintended writes to host MSI message data field via qemu</topic>
293
    <affects>
294
      <package>
295
	<name>xen-tools</name>
296
	<range><ge>3.3</ge><lt>4.5.0_6</lt></range>
297
      </package>
298
    </affects>
299
    <description>
300
      <body xmlns="http://www.w3.org/1999/xhtml">
301
	<p>The Xen Project reports:</p>
302
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-128.html">
303
	  <p>Logic is in place to avoid writes to certain host config space
304
	    fields when the guest must nevertheless be able to access their
305
	    virtual counterparts. A bug in how this logic deals with accesses
306
	    spanning multiple fields allows the guest to write to the host MSI
307
	    message data field.</p>
308
	  <p>While generally the writes write back the values previously read,
309
	    their value in config space may have got changed by the host between
310
	    the qemu read and write. In such a case host side interrupt handling
311
	    could become confused, possibly losing interrupts or allowing
312
	    spurious interrupt injection into other guests.</p>
313
	  <p>Certain untrusted guest administrators may be able to confuse host
314
	    side interrupt handling, leading to a Denial of Service.</p>
315
	</blockquote>
316
      </body>
317
    </description>
318
    <references>
319
      <cvename>CVE-2015-4103</cvename>
320
      <url>http://xenbits.xen.org/xsa/advisory-128.html</url>
321
    </references>
322
    <dates>
323
      <discovery>2015-06-02</discovery>
324
      <entry>2015-07-11</entry>
325
    </dates>
326
  </vuln>
327
328
  <vuln vid="103a47d5-27e7-11e5-a4a5-002590263bf5">
329
    <topic>xen-kernel -- Certain domctl operations may be abused to lock up the host</topic>
330
    <affects>
331
      <package>
332
	<name>xen-kernel</name>
333
	<range><ge>4.3</ge><lt>4.5.0_3</lt></range>
334
      </package>
335
    </affects>
336
    <description>
337
      <body xmlns="http://www.w3.org/1999/xhtml">
338
	<p>The Xen Project reports:</p>
339
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-127.html">
340
	  <p>XSA-77 put the majority of the domctl operations on a list
341
	    excepting them from having security advisories issued for them if
342
	    any effects their use might have could hamper security. Subsequently
343
	    some of them got declared disaggregation safe, but for a small
344
	    subset this was not really correct: Their (mis-)use may result in
345
	    host lockups.</p>
346
	  <p>As a result, the potential security benefits of toolstack
347
	    disaggregation are not always fully realised.</p>
348
	  <p>Domains deliberately given partial management control may be able
349
	    to deny service to the entire host.</p>
350
	  <p>As a result, in a system designed to enhance security by radically
351
	    disaggregating the management, the security may be reduced.  But,
352
	    the security will be no worse than a non-disaggregated design.</p>
353
	</blockquote>
354
      </body>
355
    </description>
356
    <references>
357
      <cvename>CVE-2015-2751</cvename>
358
      <url>http://xenbits.xen.org/xsa/advisory-127.html</url>
359
    </references>
360
    <dates>
361
      <discovery>2015-03-31</discovery>
362
      <entry>2015-07-11</entry>
363
    </dates>
364
  </vuln>
365
366
  <vuln vid="79f401cd-27e6-11e5-a4a5-002590263bf5">
367
    <topic>xen-tools -- Unmediated PCI command register access in qemu</topic>
368
    <affects>
369
      <package>
370
	<name>xen-tools</name>
371
	<range><ge>3.3</ge><lt>4.5.0_6</lt></range>
372
      </package>
373
    </affects>
374
    <description>
375
      <body xmlns="http://www.w3.org/1999/xhtml">
376
	<p>The Xen Project reports:</p>
377
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-126.html">
378
	  <p>HVM guests are currently permitted to modify the memory and I/O
379
	    decode bits in the PCI command register of devices passed through to
380
	    them. Unless the device is an SR-IOV virtual function, after
381
	    disabling one or both of these bits subsequent accesses to the MMIO
382
	    or I/O port ranges would - on PCI Express devices - lead to
383
	    Unsupported Request responses. The treatment of such errors is
384
	    platform specific.</p>
385
	  <p>Furthermore (at least) devices under control of the Linux pciback
386
	    driver in the host are handed to guests with the aforementioned bits
387
	    turned off.  This means that such accesses can similarly lead to
388
	    Unsupported Request responses until these flags are set as needed by
389
	    the guest.</p>
390
	  <p>In the event that the platform surfaces aforementioned UR responses
391
	    as Non-Maskable Interrupts, and either the OS is configured to treat
392
	    NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to
393
	    treat these errors as fatal, the host would crash, leading to a
394
	    Denial of Service.</p>
395
	</blockquote>
396
      </body>
397
    </description>
398
    <references>
399
      <cvename>CVE-2015-2756</cvename>
400
      <url>http://xenbits.xen.org/xsa/advisory-126.html</url>
401
    </references>
402
    <dates>
403
      <discovery>2015-03-31</discovery>
404
      <entry>2015-07-11</entry>
405
    </dates>
406
  </vuln>
407
408
  <vuln vid="d40c66cb-27e4-11e5-a4a5-002590263bf5">
409
    <topic>xen-kernel and xen-tools -- Long latency MMIO mapping operations are not preemptible</topic>
410
    <affects>
411
      <package>
412
	<name>xen-kernel</name>
413
	<range><lt>4.5.0_3</lt></range>
414
      </package>
415
      <package>
416
	<name>xen-tools</name>
417
	<range><lt>4.5.0_6</lt></range>
418
      </package>
419
    </affects>
420
    <description>
421
      <body xmlns="http://www.w3.org/1999/xhtml">
422
	<p>The Xen Project reports:</p>
423
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-125.html">
424
	  <p>The XEN_DOMCTL_memory_mapping hypercall allows long running
425
	    operations without implementing preemption.</p>
426
	  <p>This hypercall is used by the device model as part of the emulation
427
	    associated with configuration of PCI devices passed through to HVM
428
	    guests and is therefore indirectly exposed to those guests.</p>
429
	  <p>This can cause a physical CPU to become busy for a significant
430
	    period, leading to a host denial of service in some cases.</p>
431
	  <p>If a host denial of service is not triggered then it may instead be
432
	    possible to deny service to the domain running the device model,
433
	    e.g. domain 0.</p>
434
	  <p>This hypercall is also exposed more generally to all toolstacks.
435
	    However the uses of it in libxl based toolstacks are not believed
436
	    to open up any avenue of attack from an untrusted guest. Other
437
	    toolstacks may be vulnerable however.</p>
438
	  <p>The vulnerability is exposed via HVM guests which have a PCI device
439
	    assigned to them. A malicious HVM guest in such a configuration can
440
	    mount a denial of service attack affecting the whole system via its
441
	    associated device model (qemu-dm).</p>
442
	  <p>A guest is able to trigger this hypercall via operations which it
443
	    is legitimately expected to perform, therefore running the device
444
	    model as a stub domain does not offer protection against the host
445
	    denial of service issue. However it does offer some protection
446
	    against secondary issues such as denial of service against dom0.</p>
447
	</blockquote>
448
      </body>
449
    </description>
450
    <references>
451
      <cvename>CVE-2015-2752</cvename>
452
      <url>http://xenbits.xen.org/xsa/advisory-125.html</url>
453
    </references>
454
    <dates>
455
      <discovery>2015-03-31</discovery>
456
      <entry>2015-07-11</entry>
457
    </dates>
458
  </vuln>
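Review bot: both `<range>` elements in this entry specify only `<lt>` with no `<ge>`, and the same holds for the following XSA-123, XSA-122, XSA-121 and XSA-119 entries, whereas XSA-137 through XSA-126 all give a `<ge>` lower bound. An open lower bound is valid VuXML and matches advisories that affect all versions, but a short remark in the bug explaining why the lower bound is known for some advisories and not others would keep this from reading as an omission.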
459
460
  <vuln vid="83a28417-27e3-11e5-a4a5-002590263bf5">
461
    <topic>xen-kernel -- Hypervisor memory corruption due to x86 emulator flaw</topic>
462
    <affects>
463
      <package>
464
	<name>xen-kernel</name>
465
	<range><lt>4.5.0_3</lt></range>
466
      </package>
467
    </affects>
468
    <description>
469
      <body xmlns="http://www.w3.org/1999/xhtml">
470
	<p>The Xen Project reports:</p>
471
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-123.html">
472
	  <p>Instructions with register operands ignore eventual segment
473
	    overrides encoded for them. Due to an insufficiently conditional
474
	    assignment such a bogus segment override can, however, corrupt a
475
	    pointer used subsequently to store the result of the instruction.</p>
476
	  <p>A malicious guest might be able to read sensitive data relating to
477
	    other guests, or to cause denial of service on the host. Arbitrary
478
	    code execution, and therefore privilege escalation, cannot be
479
	    excluded.</p>
480
	</blockquote>
481
      </body>
482
    </description>
483
    <references>
484
      <cvename>CVE-2015-2151</cvename>
485
      <url>http://xenbits.xen.org/xsa/advisory-123.html</url>
486
    </references>
487
    <dates>
488
      <discovery>2015-03-10</discovery>
489
      <entry>2015-07-11</entry>
490
    </dates>
491
  </vuln>
492
493
  <vuln vid="ef9d041e-27e2-11e5-a4a5-002590263bf5">
494
    <topic>xen-kernel -- Information leak through version information hypercall</topic>
495
    <affects>
496
      <package>
497
	<name>xen-kernel</name>
498
	<range><lt>4.5.0_3</lt></range>
499
      </package>
500
    </affects>
501
    <description>
502
      <body xmlns="http://www.w3.org/1999/xhtml">
503
	<p>The Xen Project reports:</p>
504
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-122.html">
505
	  <p>The code handling certain sub-operations of the
506
	    HYPERVISOR_xen_version hypercall fails to fully initialize all
507
	    fields of structures subsequently copied back to guest memory. Due
508
	    to this hypervisor stack contents are copied into the destination of
509
	    the operation, thus becoming visible to the guest.</p>
510
	  <p>A malicious guest might be able to read sensitive data relating to
511
	    other guests.</p>
512
	</blockquote>
513
      </body>
514
    </description>
515
    <references>
516
      <cvename>CVE-2015-2045</cvename>
517
      <url>http://xenbits.xen.org/xsa/advisory-122.html</url>
518
    </references>
519
    <dates>
520
      <discovery>2015-03-05</discovery>
521
      <entry>2015-07-11</entry>
522
    </dates>
523
  </vuln>
524
525
  <vuln vid="5023f559-27e2-11e5-a4a5-002590263bf5">
526
    <topic>xen-kernel -- Information leak via internal x86 system device emulation</topic>
527
    <affects>
528
      <package>
529
	<name>xen-kernel</name>
530
	<range><lt>4.5.0_3</lt></range>
531
      </package>
532
    </affects>
533
    <description>
534
      <body xmlns="http://www.w3.org/1999/xhtml">
535
	<p>The Xen Project reports:</p>
536
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-121.html">
537
	  <p>Emulation routines in the hypervisor dealing with certain system
538
	    devices check whether the access size by the guest is a supported
539
	    one. When the access size is unsupported these routines failed to
540
	    set the data to be returned to the guest for read accesses, so that
541
	    hypervisor stack contents are copied into the destination of the
542
	    operation, thus becoming visible to the guest.</p>
543
	  <p>A malicious HVM guest might be able to read sensitive data relating
544
	    to other guests.</p>
545
	</blockquote>
546
      </body>
547
    </description>
548
    <references>
549
      <cvename>CVE-2015-2044</cvename>
550
      <url>http://xenbits.xen.org/xsa/advisory-121.html</url>
551
    </references>
552
    <dates>
553
      <discovery>2015-03-05</discovery>
554
      <entry>2015-07-11</entry>
555
    </dates>
556
  </vuln>
557
558
  <vuln vid="0d732fd1-27e0-11e5-a4a5-002590263bf5">
559
    <topic>xen-tools -- HVM qemu unexpectedly enabling emulated VGA graphics backends</topic>
560
    <affects>
561
      <package>
562
	<name>xen-tools</name>
563
	<range><lt>4.5.0_6</lt></range>
564
      </package>
565
    </affects>
566
    <description>
567
      <body xmlns="http://www.w3.org/1999/xhtml">
568
	<p>The Xen Project reports:</p>
569
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-119.html">
570
	  <p>When instantiating an emulated VGA device for an x86 HVM guest qemu
571
	    will by default enable a backend to expose that device, either SDL
572
	    or VNC depending on the version of qemu and the build time
573
	    configuration.</p>
574
	  <p>The libxl toolstack library does not explicitly disable these
575
	    default backends when they are not enabled, leading to an unexpected
576
	    backend running.</p>
577
	  <p>If either SDL or VNC is explicitly enabled in the guest
578
	    configuration then only the expected backends will be enabled.</p>
579
	  <p>This affects qemu-xen and qemu-xen-traditional differently.</p>
580
	  <p>If qemu-xen was compiled with SDL support then this would result in
581
	    an SDL window being opened if $DISPLAY is valid, or a failure to
582
	    start the guest if not.</p>
583
	  <p>If qemu-xen was compiled without SDL support then qemu would
584
	    instead start a VNC server listening on ::1 (IPv6 localhost) or
585
	    127.0.0.1 (IPv4 localhost) with IPv6 preferred if available. A VNC
586
	    password will not be configured even if one is present in the guest
587
	    configuration.</p>
588
	  <p>qemu-xen-traditional will never start a vnc backend unless
589
	    explicitly configured. However by default it will start an SDL
590
	    backend if it was built with SDL support and $DISPLAY is valid.</p>
591
	</blockquote>
592
      </body>
593
    </description>
594
    <references>
595
      <cvename>CVE-2015-2152</cvename>
596
      <url>http://xenbits.xen.org/xsa/advisory-119.html</url>
597
    </references>
598
    <dates>
599
      <discovery>2015-03-13</discovery>
600
      <entry>2015-07-11</entry>
601
    </dates>
602
  </vuln>
603
604
  <vuln vid="912cb7f7-27df-11e5-a4a5-002590263bf5">
605
    <topic>xen-kernel -- arm: vgic: incorrect rate limiting of guest triggered logging</topic>
606
    <affects>
607
      <package>
608
	<name>xen-kernel</name>
609
	<range><ge>4.4</ge><lt>4.5.0_3</lt></range>
610
      </package>
611
    </affects>
612
    <description>
613
      <body xmlns="http://www.w3.org/1999/xhtml">
614
	<p>The Xen Project reports:</p>
615
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-118.html">
616
	  <p>On ARM systems the code which deals with virtualising the GIC
617
	    distributor would, under various circumstances, log messages on a
618
	    guest accessible code path without appropriate rate limiting.</p>
619
	  <p>A malicious guest could cause repeated logging to the hypervisor
620
	    console, leading to a Denial of Service attack.</p>
621
	</blockquote>
622
      </body>
623
    </description>
624
    <references>
625
      <cvename>CVE-2015-1563</cvename>
626
      <url>http://xenbits.xen.org/xsa/advisory-118.html</url>
627
    </references>
628
    <dates>
629
      <discovery>2015-01-29</discovery>
630
      <entry>2015-07-11</entry>
631
    </dates>
632
  </vuln>
633
634
  <vuln vid="785c86b1-27d6-11e5-a4a5-002590263bf5">
635
    <topic>xen-kernel -- arm: vgic-v2: GICD_SGIR is not properly emulated</topic>
636
    <affects>
637
      <package>
638
	<name>xen-kernel</name>
639
	<range><ge>4.5</ge><lt>4.5.0_3</lt></range>
640
      </package>
641
    </affects>
642
    <description>
643
      <body xmlns="http://www.w3.org/1999/xhtml">
644
	<p>The Xen Project reports:</p>
645
	<blockquote cite="http://xenbits.xen.org/xsa/advisory-117.html">
646
	  <p>When decoding a guest write to a specific register in the virtual
647
	    interrupt controller Xen would treat an invalid value as a critical
648
	    error and crash the host.</p>
649
	  <p>By writing an invalid value to the GICD.SGIR register a guest can
650
	    crash the host, resulting in a Denial of Service attack.</p>
651
	</blockquote>
652
      </body>
653
    </description>
654
    <references>
655
      <cvename>CVE-2015-0268</cvename>
656
      <url>http://xenbits.xen.org/xsa/advisory-117.html</url>
657
    </references>
658
    <dates>
659
      <discovery>2015-02-12</discovery>
660
      <entry>2015-07-11</entry>
661
    </dates>
662
  </vuln>
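Review bot: XSA-118 and XSA-117 are ARM-only by their own text ("On ARM systems", "arm: vgic-v2"), yet the entries carry the same xen-kernel package ranges as the x86 issues. Please confirm that the xen-kernel port builds the ARM hypervisor at all; if it is x86-only, these two entries will produce a vulnerability match for every installed version without any real exposure and could be dropped, or the topic should state the platform so readers can discount them.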
663
60
  <vuln vid="7313b0e3-27b4-11e5-a15a-50af736ef1c0">
664
  <vuln vid="7313b0e3-27b4-11e5-a15a-50af736ef1c0">
61
    <topic>pivotx -- Multiple unrestricted file upload vulnerabilities</topic>
665
    <topic>pivotx -- Multiple unrestricted file upload vulnerabilities</topic>
62
    <affects>
666
    <affects>
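Review bot: the advisories covered run XSA-137, 136, 134, 132 to 125, 123 to 121, 119, 118 and 117, so XSA-135, XSA-133, XSA-124 and XSA-120 are skipped. If those do not apply to the xen-kernel and xen-tools ports or are already tracked under another package's entry, a note to that effect in the bug would save the next reviewer re-deriving it; if any of them affects xen-tools it belongs in this batch. The new entries are correctly inserted ahead of the existing pivotx entry, keeping the file's newest-first ordering.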