Debian Xen vulnerabilities

478 known vulnerabilities affecting debian/xen.

Total CVEs: 478
CISA KEV: 0
Public exploits: 10
Exploited in wild: 1
Severity breakdown: CRITICAL 18, HIGH 138, MEDIUM 226, LOW 96

Vulnerabilities

Page 16 of 24
CVE-2016-9377 | MEDIUM | CVSS 5.5 | fixed in xen 4.8.0-1 (bookworm) | 2016
[MEDIUM] xen: Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging IDT entry miscalculation.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed in 4.8.0-1); forky: resolved (fixed in 4.8.0-1); sid:

CVE-2016-7093 | LOW | CVSS 8.2 | 2016
[HIGH] xen: Xen 4.5.3, 4.6.3, and 4.7.x allow local HVM guest OS administrators to overwrite hypervisor memory and consequently gain host OS privileges by leveraging mishandling of instruction pointer truncation during emulation.
Scope: local
bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved

CVE-2016-9932 | LOW | CVSS 3.3 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
[LOW] xen: CMPXCHG8B emulation in Xen 3.3.x through 4.7.x on x86 systems allows local HVM guest OS users to obtain sensitive information from host stack memory via a "supposedly-ignored" operand size prefix.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1); bullseye: resolved (fixed in 4.8.0~rc3-1); forky: resolved (fixed in 4.8.0~rc3-1); sid: resolved (fixed in 4.8.0~rc3-1); trixi

CVE-2016-9637 | LOW | CVSS 7.5 | fixed in xen 4.4.0-1 (bookworm) | 2016
[HIGH] qemu: The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access.
Scope: local
bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved

CVE-2015-5165 | CRITICAL | CVSS 9.3 | fixed in qemu 1:2.4+dfsg-1a (bookworm) | 2015
[CRITICAL] qemu: The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 1:2.4+dfsg-1a); bullseye: resolved (fixed in 1:2.4+dfsg-1a); forky: resolved (fixed in 1:2.4+dfsg-1a); sid: resolved (fixed in 1:2.4+dfsg-1

CVE-2015-8104 | CRITICAL | CVSS 10.0 | fixed in linux 4.2.6-2 (bookworm) | 2015
[CRITICAL] linux: The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.
Scope: local
bookworm: resolved (fixed in 4.2.6-2); bullseye: resolved (fixed in 4.2.6-2); forky: resolved (fixed in 4.2.6-2); sid: resolved (fixed i

CVE-2015-3456 | HIGH | CVSS 7.7 | PoC | fixed in qemu 1:2.3+dfsg-3 (bookworm) | 2015
[HIGH] qemu: The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.
Scope: local
bookworm: resolved (fixed in 1:2.3+dfsg

CVE-2015-5154 | HIGH | CVSS 7.2 | fixed in qemu 1:2.4+dfsg-1a (bookworm) | 2015
[HIGH] qemu: Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands.
Scope: local
bookworm: resolved (fixed in 1:2.4+dfsg-1a); bullseye: resolved (fixed in 1:2.4+dfsg-1a); forky: resolved (fixed in 1:2.4+dfsg-1a)

CVE-2015-8338 | HIGH | CVSS 7.2 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2015
[HIGH] xen: Xen 4.6.x and earlier does not properly enforce limits on page order inputs for the (1) XENMEM_increase_reservation, (2) XENMEM_populate_physmap, (3) XENMEM_exchange, and possibly other HYPERVISOR_memory_op suboperations, which allows ARM guest OS administrators to cause a denial of service (CPU consumption, guest reboot, or watchdog timeout and host reboot) and possibly

CVE-2015-8341 | HIGH | CVSS 7.8 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2015
[HIGH] xen: The libxl toolstack library in Xen 4.1.x through 4.6.x does not properly release mappings of files used as kernels and initial ramdisks when managing multiple domains in the same process, which allows attackers to cause a denial of service (memory and disk consumption) by starting domains.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1); bullseye: resolved (fixed in

CVE-2015-7835 | HIGH | CVSS 7.2 | fixed in xen 4.6.0-1 (bookworm) | 2015
[HIGH] xen: The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does not properly validate level 2 page table entries, which allows local PV guest administrators to gain privileges via a crafted superpage mapping.
Scope: local
bookworm: resolved (fixed in 4.6.0-1); bullseye: resolved (fixed in 4.6.0-1); forky: resolved (fixed in 4.6.0-1); sid: resolved (fixed in 4.6.0-1)

CVE-2015-3209 | HIGH | CVSS 7.5 | fixed in qemu 1:2.3+dfsg-6 (bookworm) | 2015
[HIGH] qemu: Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.
Scope: local
bookworm: resolved (fixed in 1:2.3+dfsg-6); bullseye: resolved (fixed in 1:2.3+dfsg-6); forky: resolved (fixed in 1:2.3+dfsg-6); sid: resolved (fixe

CVE-2015-0361 | HIGH | CVSS 7.8 | fixed in xen 4.4.1-7 (bookworm) | 2015
[HIGH] xen: Use-after-free vulnerability in Xen 4.2.x, 4.3.x, and 4.4.x allows remote domains to cause a denial of service (system crash) via a crafted hypercall during HVM guest teardown.
Scope: local
bookworm: resolved (fixed in 4.4.1-7); bullseye: resolved (fixed in 4.4.1-7); forky: resolved (fixed in 4.4.1-7); sid: resolved (fixed in 4.4.1-7); trixie: resolved (fixed in 4.4.1-7)

CVE-2015-8555 | HIGH | CVSS 8.6 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2015
[HIGH] xen: Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1); bullseye: resolved (fixed in 4.8.0~rc3-1); fo

CVE-2015-2151 | HIGH | CVSS 7.2 | fixed in xen 4.4.1-8 (bookworm) | 2015
[HIGH] xen: The x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore segment overrides for instructions with register operands, which allows local guest users to obtain sensitive information, cause a denial of service (memory corruption), or possibly execute arbitrary code via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 4.4.1-8); bullseye: resolved (fixe

CVE-2015-2751 | HIGH | CVSS 7.1 | fixed in xen 4.4.1-9 (bookworm) | 2015
[HIGH] xen: Xen 4.3.x, 4.4.x, and 4.5.x, when using toolstack disaggregation, allows remote domains with partial management control to cause a denial of service (host lock) via unspecified domctl operations.
Scope: local
bookworm: resolved (fixed in 4.4.1-9); bullseye: resolved (fixed in 4.4.1-9); forky: resolved (fixed in 4.4.1-9); sid: resolved (fixed in 4.4.1-9); trixie: resolved (fix

CVE-2015-5166 | HIGH | CVSS 7.2 | fixed in qemu 1:2.4+dfsg-1a (bookworm) | 2015
[HIGH] qemu: Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not completely unplug emulated block devices, which allows local HVM guest users to gain privileges by unplugging a block device twice.
Scope: local
bookworm: resolved (fixed in 1:2.4+dfsg-1a); bullseye: resolved (fixed in 1:2.4+dfsg-1a); forky: resolved (fixed in 1:2.4+dfsg-1a); sid: resolved (fixed in 1:2.

CVE-2015-4104 | HIGH | CVSS 7.8 | fixed in qemu 1:2.3+dfsg-5 (bookworm) | 2015
[HIGH] qemu: Xen 3.3.x through 4.5.x does not properly restrict access to PCI MSI mask bits, which allows local x86 HVM guest users to cause a denial of service (unexpected interrupt and host crash) via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 1:2.3+dfsg-5); bullseye: resolved (fixed in 1:2.3+dfsg-5); forky: resolved (fixed in 1:2.3+dfsg-5); sid: resolved (fixed in

CVE-2015-8550 | HIGH | CVSS 8.2 | fixed in linux 4.3.3-3 (bookworm) | 2015
[HIGH] linux: Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability.
Scope: local
bookworm: resolved (fixed in 4.3.3-3); bullseye: resolved (fixed in 4.3.3-3); forky: resolved (fixed in 4.3.3-3); s

CVE-2015-8554 | HIGH | CVSS 7.5 | fixed in xen 4.4.0-1 (bookworm) | 2015
[HIGH] xen: Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using the qemu-xen-traditional (aka qemu-dm) device model, allows local x86 HVM guest administrators to gain privileges by leveraging a system with access to a passed-through MSI-X capable physical PCI device and MSI-X table entries, related to a "write path."
Scope: local
bookworm: resolved (fixed in 4.4.0-1)