Debian Xen vulnerabilities
478 known vulnerabilities affecting debian/xen.
Total CVEs: 478
CISA KEV: 0
Public exploits: 10
Exploited in wild: 1
Severity breakdown: CRITICAL 18, HIGH 138, MEDIUM 226, LOW 96
Vulnerabilities
CVE-2015-4103 | MEDIUM | CVSS 4.9 | fixed in qemu 1:2.3+dfsg-5 (bookworm) | 2015
CVE-2015-4103 [MEDIUM] CVE-2015-4103: qemu - Xen 3.3.x through 4.5.x does not properly restrict write access to the host MSI ...
Xen 3.3.x through 4.5.x does not properly restrict write access to the host MSI message data field, which allows local x86 HVM guest administrators to cause a denial of service (host interrupt handling confusion) via vectors related to qemu and accessing spanning multiple fields.
Scope: local
bookworm: resolved (fixed in 1:2.3+dfsg-5)
bullseye: resolved (fixed in 1:2.3
debian
CVE-2015-7812 | MEDIUM | CVSS 4.9 | fixed in xen 4.6.0-1 (bookworm) | 2015
CVE-2015-7812 [MEDIUM] CVE-2015-7812: xen - The hypercall_create_continuation function in arch/arm/domain.c in Xen 4.4.x thr...
The hypercall_create_continuation function in arch/arm/domain.c in Xen 4.4.x through 4.6.x allows local guest users to cause a denial of service (host crash) via a preemptible hypercall to the multicall interface.
Scope: local
bookworm: resolved (fixed in 4.6.0-1)
bullseye: resolved (fixed in 4.6.0-1)
forky: resolved (fixed in 4.6.0-1)
sid: resolved (fixed in 4.6.0-1)
t
CVE-2015-5307 | MEDIUM | CVSS 4.9 | fixed in linux 4.2.6-1 (bookworm) | 2015
CVE-2015-5307 [MEDIUM] CVE-2015-5307: linux - The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x...
The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c.
Scope: local
bookworm: resolved (fixed in 4.2.6-1)
bullseye: resolved (fixed in 4.2.6-1)
forky: resolved (fixed in 4.2.6-1)
sid:
CVE-2015-4163 | MEDIUM | CVSS 4.9 | fixed in xen 4.6.0-1 (bookworm) | 2015
CVE-2015-4163 [MEDIUM] CVE-2015-4163: xen - GNTTABOP_swap_grant_ref in Xen 4.2 through 4.5 does not check the grant table op...
GNTTABOP_swap_grant_ref in Xen 4.2 through 4.5 does not check the grant table operation version, which allows local guest domains to cause a denial of service (NULL pointer dereference) via a hypercall without a GNTTABOP_setup_table or GNTTABOP_set_version.
Scope: local
bookworm: resolved (fixed in 4.6.0-1)
bullseye: resolved (fixed in 4.6.0-1)
forky: resolved (fixed in
CVE-2015-2752 | MEDIUM | CVSS 4.9 | fixed in xen 4.4.1-9 (bookworm) | 2015
CVE-2015-2752 [MEDIUM] CVE-2015-2752: xen - The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, when using a...
The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, when using a PCI passthrough device, is not preemptible, which allows local x86 HVM domain users to cause a denial of service (host CPU consumption) via a crafted request to the device model (qemu-dm).
Scope: local
bookworm: resolved (fixed in 4.4.1-9)
bullseye: resolved (fixed in 4.4.1-9)
forky: resolv
CVE-2015-2756 | MEDIUM | CVSS 4.9 | fixed in qemu 1:2.3+dfsg-3 (bookworm) | 2015
CVE-2015-2756 [MEDIUM] CVE-2015-2756: qemu - QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to P...
QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.
Sco
CVE-2015-7970 | MEDIUM | CVSS 4.9 | fixed in xen 4.6.0-1 (bookworm) | 2015
CVE-2015-7970 [MEDIUM] CVE-2015-7970: xen - The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3.4.x, 3.5....
The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3.4.x, 3.5.x, and 3.6.x is not preemptible, which allows local x86 HVM guest administrators to cause a denial of service (CPU consumption and possibly reboot) via crafted memory contents that trigger a "time-consuming linear scan," related to Populate-on-Demand.
Scope: local
bookworm: resolved (fixed
CVE-2015-4164 | MEDIUM | CVSS 4.9 | fixed in xen 4.6.0-1 (bookworm) | 2015
CVE-2015-4164 [MEDIUM] CVE-2015-4164: xen - The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a...
The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a loop, which allows local 32-bit PV guest administrators to cause a denial of service (large loop and system hang) via a hypercall_iret call with EFLAGS.VM set.
Scope: local
bookworm: resolved (fixed in 4.6.0-1)
bullseye: resolved (fixed in 4.6.0-1)
forky: resolved (fixed in 4.6.0-1)
sid: re
CVE-2015-7814 | MEDIUM | CVSS 4.7 | fixed in xen 4.6.0-1 (bookworm) | 2015
CVE-2015-7814 [MEDIUM] CVE-2015-7814: xen - Race condition in the relinquish_memory function in arch/arm/domain.c in Xen 4.6...
Race condition in the relinquish_memory function in arch/arm/domain.c in Xen 4.6.x and earlier allows local domains with partial management control to cause a denial of service (host crash) via vectors involving the destruction of a domain and using XENMEM_decrease_reservation to reduce the memory of the domain.
Scope: local
bookworm: resolved (fixed in 4.6.0-1)
bullsey
CVE-2015-7969 | MEDIUM | CVSS 4.9 | fixed in xen 4.6.0-1 (bookworm) | 2015
CVE-2015-7969 [MEDIUM] CVE-2015-7969: xen - Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest administrators ...
Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest administrators or domains with certain permission to cause a denial of service (memory consumption) via a large number of "teardowns" of domains with the vcpu pointer array allocated using the (1) XEN_DOMCTL_max_vcpus hypercall or the xenoprofile state vcpu pointer array allocated using the (2) XENOPROF_ge
CVE-2015-8615 | MEDIUM | CVSS 5.0 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2015
CVE-2015-8615 [MEDIUM] CVE-2015-8615: xen - The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 does not limi...
The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 does not limit the number of printk console messages when logging the new callback method, which allows local HVM guest OS users to cause a denial of service via a large number of changes to the callback method (HVM_PARAM_CALLBACK_IRQ).
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1)
bullseye: res
CVE-2015-8339 | MEDIUM | CVSS 4.7 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2015
CVE-2015-8339 [MEDIUM] CVE-2015-8339: xen - The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does ...
The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly hand back pages to a domain, which might allow guest OS administrators to cause a denial of service (host crash) via unspecified vectors related to domain teardown.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1)
bullseye: resolved (fixed in 4.8.0~rc3-1)
forky: resolved (
CVE-2015-4106 | MEDIUM | CVSS 4.6 | fixed in qemu 1:2.3+dfsg-5 (bookworm) | 2015
CVE-2015-4106 [MEDIUM] CVE-2015-4106: qemu - QEMU does not properly restrict write access to the PCI config space for certain...
QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.
Scope: local
bookworm: resolved (fixed in 1:2.3+dfsg-5)
bullseye: resolv
CVE-2015-8340 | MEDIUM | CVSS 4.7 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2015
CVE-2015-8340 [MEDIUM] CVE-2015-8340: xen - The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does ...
The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly release locks, which might allow guest OS administrators to cause a denial of service (deadlock or host crash) via unspecified vectors, related to XENMEM_exchange error handling.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1)
bullseye: resolved (fixed in 4.8.0~rc3-1)
for
CVE-2015-4105 | MEDIUM | CVSS 4.9 | fixed in qemu 1:2.3+dfsg-5 (bookworm) | 2015
CVE-2015-4105 [MEDIUM] CVE-2015-4105: qemu - Xen 3.3.x through 4.5.x enables logging for PCI MSI-X pass-through error message...
Xen 3.3.x through 4.5.x enables logging for PCI MSI-X pass-through error messages, which allows local x86 HVM guests to cause a denial of service (host disk consumption) via certain invalid operations.
Scope: local
bookworm: resolved (fixed in 1:2.3+dfsg-5)
bullseye: resolved (fixed in 1:2.3+dfsg-5)
forky: resolved (fixed in 1:2.3+dfsg-5)
sid: resolved (fixed in 1:2.3+
CVE-2015-2044 | LOW | CVSS 2.1 | fixed in xen 4.4.1-8 (bookworm) | 2015
CVE-2015-2044 [LOW] CVE-2015-2044: xen - The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x do...
The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x do not properly initialize data, which allows local HVM guest users to obtain sensitive information via vectors involving an unsupported access size.
Scope: local
bookworm: resolved (fixed in 4.4.1-8)
bullseye: resolved (fixed in 4.4.1-8)
forky: resolved (fixed in 4.4.1-8)
sid: resolved (fixed i
CVE-2015-3214 | LOW | CVSS 6.9 | PoC | fixed in qemu 1:2.4+dfsg-1a (bookworm) | 2015
CVE-2015-3214 [MEDIUM] CVE-2015-3214: linux - The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before...
The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
CVE-2015-3259 | LOW | CVSS 6.8 | fixed in xen 4.6.0-1 (bookworm) | 2015
CVE-2015-3259 [MEDIUM] CVE-2015-3259: xen - Stack-based buffer overflow in the xl command line utility in Xen 4.1.x through ...
Stack-based buffer overflow in the xl command line utility in Xen 4.1.x through 4.5.x allows local guest administrators to gain privileges via a long configuration argument.
Scope: local
bookworm: resolved (fixed in 4.6.0-1)
bullseye: resolved (fixed in 4.6.0-1)
forky: resolved (fixed in 4.6.0-1)
sid: resolved (fixed in 4.6.0-1)
trixie: resolved (fixed in 4.6.0-1)
CVE-2015-0268 | LOW | CVSS 4.9 | 2015
CVE-2015-0268 [MEDIUM] CVE-2015-0268: xen - The vgic_v2_to_sgi function in arch/arm/vgic-v2.c in Xen 4.5.x, when running on ...
The vgic_v2_to_sgi function in arch/arm/vgic-v2.c in Xen 4.5.x, when running on ARM hardware with general interrupt controller (GIC) version 2, allows local guest users to cause a denial of service (host crash) by writing an invalid value to the GICD.SGIR register.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
CVE-2015-7971 | LOW | CVSS 2.1 | fixed in xen 4.6.0-1 (bookworm) | 2015
CVE-2015-7971 [LOW] CVE-2015-7971: xen - Xen 3.2.x through 4.6.x does not limit the number of printk console messages whe...
Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, which allows local guests to cause a denial of service via a sequence of crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op hypercalls, whic