svn commit: r405322 - head/security/vuxml
Jason Unovitch
junovitch at FreeBSD.org
Wed Jan 6 00:49:41 UTC 2016
Author: junovitch
Date: Wed Jan 6 00:49:39 2016
New Revision: 405322
URL: https://svnweb.freebsd.org/changeset/ports/405322
Log:
Document Xen Security Advisories (XSAs 159, 160, 162, 165, 166)
PR: 205841
Security: CVE-2015-8555
Security: CVE-2015-8341
Security: CVE-2015-8339
Security: CVE-2015-8340
Security: https://vuxml.FreeBSD.org/freebsd/6aa2d135-b40e-11e5-9728-002590263bf5.html
Security: https://vuxml.FreeBSD.org/freebsd/e839ca04-b40d-11e5-9728-002590263bf5.html
Security: https://vuxml.FreeBSD.org/freebsd/5d1d4473-b40d-11e5-9728-002590263bf5.html
Security: https://vuxml.FreeBSD.org/freebsd/bcad3faa-b40c-11e5-9728-002590263bf5.html
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Tue Jan 5 23:29:49 2016 (r405321)
+++ head/security/vuxml/vuln.xml Wed Jan 6 00:49:39 2016 (r405322)
@@ -58,6 +58,161 @@ Notes:
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="6aa2d135-b40e-11e5-9728-002590263bf5">
+ <topic>xen-kernel -- ioreq handling possibly susceptible to multiple read issue</topic>
+ <affects>
+ <package>
+ <name>xen-kernel</name>
+ <range><lt>4.5.2_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-166.html">
+ <p>Single memory accesses in source code can be translated to multiple
+ ones in machine code by the compiler, requiring special caution when
+ accessing shared memory. Such precaution was missing from the
+ hypervisor code inspecting the state of I/O requests sent to the
+ device model for assistance.</p>
+ <p>Due to the offending field being a bitfield, it is however believed
+ that there is no issue in practice, since compilers, at least when
+ optimizing (which is always the case for non-debug builds), should find
+ it more expensive to extract the bit field value twice than to keep the
+ calculated value in a register.</p>
+ <p>This vulnerability is exposed to malicious device models. In
+ conventional Xen systems this means the qemu which service an HVM
+ domain. On such systems this vulnerability can only be exploited if
+ the attacker has gained control of the device model qemu via another
+ vulnerability.</p>
+ <p>Privilege escalation, host crash (Denial of Service), and leaked
+ information all cannot be excluded.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <freebsdpr>ports/205841</freebsdpr>
+ <url>http://xenbits.xen.org/xsa/advisory-166.html</url>
+ </references>
+ <dates>
+ <discovery>2015-12-17</discovery>
+ <entry>2016-01-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e839ca04-b40d-11e5-9728-002590263bf5">
+ <topic>xen-kernel -- information leak in legacy x86 FPU/XMM initialization</topic>
+ <affects>
+ <package>
+ <name>xen-kernel</name>
+ <range><lt>4.5.2_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-165.html">
+ <p>When XSAVE/XRSTOR are not in use by Xen to manage guest extended
+ register state, the initial values in the FPU stack and XMM
+ registers seen by the guest upon first use are those left there by
+ the previous user of those registers.</p>
+ <p>A malicious domain may be able to leverage this to obtain sensitive
+ information such as cryptographic keys from another domain.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-8555</cvename>
+ <freebsdpr>ports/205841</freebsdpr>
+ <url>http://xenbits.xen.org/xsa/advisory-165.html</url>
+ </references>
+ <dates>
+ <discovery>2015-12-17</discovery>
+ <entry>2016-01-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="5d1d4473-b40d-11e5-9728-002590263bf5">
+ <topic>xen-tools -- libxl leak of pv kernel and initrd on error</topic>
+ <affects>
+ <package>
+ <name>xen-tools</name>
+ <range><ge>4.1</ge><lt>4.5.2_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-160.html">
+ <p>When constructing a guest which is configured to use a PV
+ bootloader which runs as a userspace process in the toolstack domain
+ (e.g. pygrub) libxl creates a mapping of the files to be used as
+ kernel and initial ramdisk when building the guest domain.</p>
+ <p>However if building the domain subsequently fails these mappings
+ would not be released leading to a leak of virtual address space in
+ the calling process, as well as preventing the recovery of the
+ temporary disk files containing the kernel and initial ramdisk.</p>
+ <p>For toolstacks which manage multiple domains within the same
+ process, an attacker who is able to repeatedly start a suitable
+ domain (or many such domains) can cause an out-of-memory condition in the
+ toolstack process, leading to a denial of service.</p>
+ <p>Under the same circumstances an attacker can also cause files to
+ accumulate on the toolstack domain filesystem (usually under /var in
+ dom0) used to temporarily store the kernel and initial ramdisk,
+ perhaps leading to a denial of service against arbitrary other
+ services using that filesystem.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-8341</cvename>
+ <freebsdpr>ports/205841</freebsdpr>
+ <url>http://xenbits.xen.org/xsa/advisory-160.html</url>
+ </references>
+ <dates>
+ <discovery>2015-12-08</discovery>
+ <entry>2016-01-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="bcad3faa-b40c-11e5-9728-002590263bf5">
+ <topic>xen-kernel -- XENMEM_exchange error handling issues</topic>
+ <affects>
+ <package>
+ <name>xen-kernel</name>
+ <range><lt>4.5.2_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Xen Project reports:</p>
+ <blockquote cite="http://xenbits.xen.org/xsa/advisory-159.html">
+ <p>Error handling in the operation may involve handing back pages to
+ the domain. This operation may fail when in parallel the domain gets
+ torn down. So far this failure unconditionally resulted in the host
+ being brought down due to an internal error being assumed. This is
+ CVE-2015-8339.</p>
+ <p>Furthermore error handling so far wrongly included the release of a
+ lock. That lock, however, was either not acquired or already released
+ on all paths leading to the error handling sequence. This is
+ CVE-2015-8340.</p>
+ <p>A malicious guest administrator may be able to deny service by
+ crashing the host or causing a deadlock.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-8339</cvename>
+ <cvename>CVE-2015-8340</cvename>
+ <freebsdpr>ports/205841</freebsdpr>
+ <url>http://xenbits.xen.org/xsa/advisory-159.html</url>
+ </references>
+ <dates>
+ <discovery>2015-12-08</discovery>
+ <entry>2016-01-06</entry>
+ </dates>
+ </vuln>
+
<vuln vid="b65e4914-b3bc-11e5-8255-5453ed2e2b49">
<topic>tiff -- out-of-bounds read in CIE Lab image format</topic>
<affects>
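Review bot: The XSA-166 entry (vid 6aa2d135-b40e-11e5-9728-002590263bf5) has no <cvename> in its <references>, unlike the three entries that follow it. If no CVE had been assigned at commit time that is fine, but the entry should gain one, with a <modified> date, once it exists. In the XSA-160 entry the xen-tools range has a lower bound, <range><ge>4.1</ge><lt>4.5.2_1</lt></range>, which the quoted advisory text does not explain. The xen-kernel entries use only <lt>4.5.2_1</lt>, so 4.1 is worth confirming against the advisory's affected-versions section.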
@@ -587,7 +742,7 @@ Notes:
</package>
<package>
<name>xen-tools</name>
- <range><le>4.5.2</le></range>
+ <range><lt>4.5.2_1</lt></range>
</package>
</affects>
<description>
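Review bot: Only the xen-tools <range> changes here, from <le>4.5.2</le> to <lt>4.5.2_1</lt>; the <package> that closes just above it lies outside the visible context, so confirm that its range names the same fixed revision. Both forms include 4.5.2 and exclude 4.5.2_1, so this edit pins the entry to the fixed port revision the new entries use, and the two packages in this <affects> block should end up expressed the same way.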
@@ -631,7 +786,7 @@ Notes:
<dates>
<discovery>2015-11-30</discovery>
<entry>2016-01-03</entry>
- <modified>2016-01-03</modified>
+ <modified>2016-01-06</modified>
</dates>
</vuln>
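Review bot: The <modified> bump to 2016-01-06 does not say which entry it belongs to, since neither this hunk nor the previous one shows a vid. The log reads "Document Xen Security Advisories (XSAs 159, 160, 162, 165, 166)", while the entries added above cover only 159, 160, 165 and 166. If this is the existing XSA-162 entry, the log should state that it was updated (range and modified date) rather than listing it among newly documented advisories, so the entry's history can be followed from the commit message.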