Debian Xen vulnerabilities

478 known vulnerabilities affecting debian/xen.

Total CVEs: 478
CISA KEV: 0
Public exploits: 10
Exploited in wild: 1
Severity breakdown: CRITICAL 18, HIGH 138, MEDIUM 226, LOW 96

Vulnerabilities

Page 15 of 24
CVE-2016-7777 | MEDIUM | CVSS 6.3 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
Xen 4.7.x and earlier does not properly honor CR0.TS and CR0.EM, which allows local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1); bullseye: resolved (fixed in

CVE-2016-9378 | MEDIUM | CVSS 5.5 | fixed in xen 4.8.0-1 (bookworm) | 2016
Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging an incorrect choice for software interrupt delivery.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed in 4.8.0-1); forky: resolv

CVE-2016-2271 | MEDIUM | CVSS 5.5 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1); bullseye: resolved (fixed in 4.8.0~rc3-1); forky: resolved (fixed in 4.8.0~rc3-1); sid: resolved (fixed in 4.8.0~rc3-1); trixie: resolved (f

CVE-2016-5242 | MEDIUM | CVSS 5.6 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
The p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x through 4.6.x allows local guest OS users with access to the driver domain to cause a denial of service (NULL pointer dereference and host OS crash) by creating concurrent domains and holding references to them, related to VMID exhaustion.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1); bullseye: resolved (

CVE-2016-4963 | MEDIUM | CVSS 4.7 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
The libxl device-handling in Xen through 4.6.x allows local guest OS users with access to the driver domain to cause a denial of service (management tool confusion) by manipulating information in the backend directories in xenstore.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1); bullseye: resolved (fixed in 4.8.0~rc3-1); forky: resolved (fixed in 4.8.0~rc3-1); sid

CVE-2016-9384 | MEDIUM | CVSS 6.5 | fixed in xen 4.8.0-1 (bookworm) | 2016
Xen 4.7 allows local guest OS users to obtain sensitive host information by loading a 32-bit ELF symbol table.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed in 4.8.0-1); forky: resolved (fixed in 4.8.0-1); sid: resolved (fixed in 4.8.0-1); trixie: resolved (fixed in 4.8.0-1)

CVE-2016-3158 | MEDIUM | CVSS 4.3 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
The xrstor function in arch/x86/xstate.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076.

CVE-2016-1571 | MEDIUM | CVSS 6.3 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3

CVE-2016-3159 | MEDIUM | CVSS 4.3 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-20

CVE-2016-9818 | MEDIUM | CVSS 6.5 | fixed in xen 4.8.0-1 (bookworm) | 2016
Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at HYP.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed in 4.8.0-1); forky: resolved (fixed in 4.8.0-1); sid: resolved (fixed in 4.8.0-1); trixie: resolved (fixed in 4.8.0-1)

CVE-2016-9816 | MEDIUM | CVSS 6.5 | fixed in xen 4.8.0-1 (bookworm) | 2016
Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at EL2.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed in 4.8.0-1); forky: resolved (fixed in 4.8.0-1); sid: resolved (fixed in 4.8.0-1); trixie: resolved (fixed in 4.8.0-1)

CVE-2016-9815 | MEDIUM | CVSS 6.5 | fixed in xen 4.8.0-1 (bookworm) | 2016
Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host panic) by sending an asynchronous abort.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed in 4.8.0-1); forky: resolved (fixed in 4.8.0-1); sid: resolved (fixed in 4.8.0-1); trixie: resolved (fixed in 4.8.0-1)

CVE-2016-7154 | MEDIUM | CVSS 6.7 | fixed in xen 4.6.0-1 (bookworm) | 2016
Use-after-free vulnerability in the FIFO event channel code in Xen 4.4.x allows local guest OS administrators to cause a denial of service (host crash) and possibly execute arbitrary code or obtain sensitive information via an invalid guest frame number.
Scope: local
bookworm: resolved (fixed in 4.6.0-1); bullseye: resolved (fixed in 4.6.0-1); forky: resolved (fixed in 4.

CVE-2016-4962 | MEDIUM | CVSS 6.7 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
The libxl device-handling in Xen 4.6.x and earlier allows local OS guest administrators to cause a denial of service (resource consumption or management facility confusion) or gain host OS privileges by manipulating information in guest controlled areas of xenstore.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1); bullseye: resolved (fixed in 4.8.0~rc3-1); forky: r

CVE-2016-7094 | MEDIUM | CVSS 4.1 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS administrators on guests running with shadow paging to cause a denial of service via a pagetable update.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1); bullseye: resolved (fixed in 4.8.0~rc3-1); forky: resolved (fixed in 4.8.0~rc3-1); sid: resolved (fixed in 4.8.0~rc3-1); trixie: resolved (fixed

CVE-2016-9603 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.8+dfsg-4 (bookworm) | 2016
A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the

CVE-2016-6259 | MEDIUM | CVSS 6.2 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
Xen 4.5.x through 4.7.x do not implement Supervisor Mode Access Prevention (SMAP) whitelisting in 32-bit exception and event delivery, which allows local 32-bit PV guest OS kernels to cause a denial of service (hypervisor and VM crash) by triggering a safety check.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1); bullseye: resolved (fixed in 4.8.0~rc3-1); forky: re

CVE-2016-2270 | MEDIUM | CVSS 6.8 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
Xen 4.6.x and earlier allows local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1); bullseye: resolved (fixed in 4.8.0~rc3-1); forky: resolved (fixed in 4.8.0~rc3-1); sid: resolved (fixed in 4.8.0~rc3-1); trixie:

CVE-2016-9385 | MEDIUM | CVSS 6.0 | fixed in xen 4.8.0-1 (bookworm) | 2016
The x86 segment base write emulation functionality in Xen 4.4.x through 4.7.x allows local x86 PV guest OS administrators to cause a denial of service (host crash) by leveraging lack of canonical address checks.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed in 4.8.0-1); forky: resolved (fixed in 4.8.0-1); sid: resolved (fixed in 4.8.0-1); tri

CVE-2016-3712 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.6+dfsg-1 (bookworm) | 2016
Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-1); bullseye: resolved (fixed in 1:2.6+dfsg-1); forky: resolved (fixed in 1:2.6+dfsg-1); sid: resolved (fixed in 1:2.6+dfsg-1); trixie: reso
