FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  514534
Date:      2019-10-15
Time:      14:43:01Z
Committer: kai

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
301b04d7-881c-11e5-ab94-002590263bf5xen-tools -- libxl fails to honour readonly flag on disks with qemu-xen

The Xen Project reports:

Callers of libxl can specify that a disk should be read-only to the guest. However, there is no code in libxl to pass this information to qemu-xen (the upstream-based qemu); and indeed there is no way in qemu to make a disk read-only.

The vulnerability is exploitable only via devices emulated by the device model, not the parallel PV devices for supporting PVHVM. Normally the PVHVM device unplug protocol renders the emulated devices inaccessible early in boot.

Malicious guest administrators or (in some situations) users may be able to write to supposedly read-only disk images.

CDROM devices (that is, devices specified to be presented to the guest as CDROMs, regardless of the nature of the backing storage on the host) are not affected.

Discovery 2015-09-22
Entry 2015-11-11
ge 4.1 lt 4.5.1_1

47873d72-14eb-11e7-970f-002590263bf5xen-tools -- xenstore denial of service via repeated update

The Xen Project reports:

Unprivileged guests may be able to stall progress of the control domain or driver domain, possibly leading to a Denial of Service (DoS) of the entire host.

Discovery 2017-03-28
Entry 2017-03-30
lt 4.7.2_1
af19ecd0-0f6a-11e7-970f-002590263bf5xen-tools -- Cirrus VGA Heap overflow via display refresh

The Xen Project reports:

A privileged user within the guest VM can cause a heap overflow in the device model process, potentially escalating their privileges to that of the device model process.

Discovery 2017-03-14
Entry 2017-03-23
lt 4.7.2

e800cd4b-4212-11e6-942d-bc5ff45d0f28xen-tools -- Unrestricted qemu logging

The Xen Project reports:

When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen. This output is not rate-limited in any way. The guest can easily cause qemu to print messages to stderr, causing this file to become arbitrarily large.

The disk containing the logfile can be exhausted, possibly causing a denial-of-service (DoS).

Discovery 2016-05-23
Entry 2016-07-04
lt 4.7.0_2

5d1d4473-b40d-11e5-9728-002590263bf5xen-tools -- libxl leak of pv kernel and initrd on error

The Xen Project reports:

When constructing a guest which is configured to use a PV bootloader which runs as a userspace process in the toolstack domain (e.g. pygrub) libxl creates a mapping of the files to be used as kernel and initial ramdisk when building the guest domain.

However if building the domain subsequently fails these mappings would not be released leading to a leak of virtual address space in the calling process, as well as preventing the recovery of the temporary disk files containing the kernel and initial ramdisk.

For toolstacks which manage multiple domains within the same process, an attacker who is able to repeatedly start a suitable domain (or many such domains) can cause an out-of-memory condition in the toolstack process, leading to a denial of service.

Under the same circumstances an attacker can also cause files to accumulate on the toolstack domain filesystem (usually under /var in dom0) used to temporarily store the kernel and initial ramdisk, perhaps leading to a denial of service against arbitrary other services using that filesystem.

Discovery 2015-12-08
Entry 2016-01-06
ge 4.1 lt 4.5.2_1

a73aba9a-effe-11e6-ae1b-002590263bf5xen-tools -- oob access in cirrus bitblt copy

The Xen Project reports:

When doing bitblt copy backwards, qemu should negate the blit width. This avoids an oob access before the start of video memory.

A malicious guest administrator can cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation.

Discovery 2017-02-10
Entry 2017-02-11
lt 4.7.1_2

8cbd9c08-f8b9-11e6-ae1b-002590263bf5xen-tools -- cirrus_bitblt_cputovideo does not check if memory region is safe

The Xen Project reports:

In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo fails to check whether the specified memory region is safe. A malicious guest administrator can cause an out of bounds memory write, very likely exploitable as a privilege escalation.

Discovery 2017-02-21
Entry 2017-02-22
lt 4.7.1_4

e589ae90-4212-11e6-942d-bc5ff45d0f28xen-tools -- Unsanitised driver domain input in libxl device handling

The Xen Project reports:

libxl's device-handling code freely uses and trusts information from the backend directories in xenstore.

A malicious driver domain can deny service to management tools.

Discovery 2016-06-02
Entry 2016-07-04
lt 4.7.0_1

e6ce6f50-4212-11e6-942d-bc5ff45d0f28xen-tools -- QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks

The Xen Project reports:

Qemu VGA module allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations.

Qemu VGA module allows guest to edit certain registers in 'vbe' and 'vga' modes.

A privileged guest user could use CVE-2016-3710 to exceed the bank address window and write beyond the said memory area, potentially leading to arbitrary code execution with privileges of the Qemu process. If the system is not using stubdomains, this will be in domain 0.

A privileged guest user could use CVE-2016-3712 to cause potential integer overflow or OOB read access issues in Qemu, resulting in a DoS of the guest itself. More dangerous effect, such as data leakage or code execution, are not known but cannot be ruled out.

Discovery 2016-05-09
Entry 2016-07-04
lt 4.7.0_2

58685e23-ba4d-11e6-ae1b-002590263bf5xen-tools -- qemu incautious about shared ring processing

The Xen Project reports:

The compiler can emit optimizations in qemu which can lead to double fetch vulnerabilities. Specifically data on the rings shared between qemu and the hypervisor (which the guest under control can obtain mappings of) can be fetched twice (during which time the guest can alter the contents) possibly leading to arbitrary code execution in qemu.

Malicious administrators can exploit this vulnerability to take over the qemu process, elevating its privilege to that of the qemu process.

In a system not using a device model stub domain (or other techniques for deprivileging qemu), malicious guest administrators can thus elevate their privilege to that of the host.

Discovery 2016-11-22
Entry 2016-12-04
lt 4.7.1

06574c62-5854-11e6-b334-002590263bf5xen-tools -- virtio: unbounded memory allocation issue

The Xen Project reports:

A guest can submit virtio requests without bothering to wait for completion and is therefore not bound by virtqueue size...

A malicious guest administrator can cause unbounded memory allocation in QEMU, which can cause an Out-of-Memory condition in the domain running qemu. Thus, a malicious guest administrator can cause a denial of service affecting the whole host.

Discovery 2016-07-27
Entry 2016-08-02
lt 4.7.0_4

405446f4-b1b3-11e5-9728-002590263bf5qemu and xen-tools -- denial of service vulnerabilities in AMD PC-Net II NIC support

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the AMD PC-Net II Ethernet Controller support is vulnerable to a heap buffer overflow flaw. While receiving packets in the loopback mode, it appends CRC code to the receive buffer. If the data size given is same as the receive buffer size, the appended CRC code overwrites 4 bytes beyond this 's->buffer' array.

A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to crash the Qemu instance resulting in DoS or potentially execute arbitrary code with privileges of the Qemu process on the host.

The AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets from a remote host(non-loopback mode), fails to validate the received data size, thus resulting in a buffer overflow issue. It could potentially lead to arbitrary code execution on the host, with privileges of the Qemu process. It requires the guest NIC to have larger MTU limit.

A remote user could use this flaw to crash the guest instance resulting in DoS or potentially execute arbitrary code on a remote host with privileges of the Qemu process.

Discovery 2015-11-30
Entry 2016-01-03
Modified 2016-01-06
lt 2.5.0

lt 2.5.50.g20151224

lt 4.5.2_1

e2fca11b-4212-11e6-942d-bc5ff45d0f28xen-tools -- Unsanitised guest input in libxl device handling code

The Xen Project reports:

Various parts of libxl device-handling code inappropriately use information from (partially) guest controlled areas of xenstore.

A malicious guest administrator can cause denial of service by resource exhaustion.

A malicious guest administrator can confuse and/or deny service to management facilities.

A malicious guest administrator of a guest configured with channel devices may be able to escalate their privilege to that of the backend domain (i.e., normally, to that of the host).

Discovery 2016-06-02
Entry 2016-07-04
lt 4.7.0_1

c0e76d33-8821-11e5-ab94-002590263bf5xen-tools -- populate-on-demand balloon size inaccuracy can crash guests

The Xen Project reports:

Guests configured with PoD might be unstable, especially under load. In an affected guest, an unprivileged guest user might be able to cause a guest crash, perhaps simply by applying load so as to cause heavy memory pressure within the guest.

Discovery 2015-10-29
Entry 2015-11-11
ge 3.4 lt 4.5.1_2

59f79c99-ba4d-11e6-ae1b-002590263bf5xen-tools -- delimiter injection vulnerabilities in pygrub

The Xen Project reports:

pygrub, the boot loader emulator, fails to quote (or sanity check) its results when reporting them to its caller.

A malicious guest administrator can obtain the contents of sensitive host files (an information leak). Additionally, a malicious guest administrator can cause files on the host to be removed, causing a denial of service. In some unusual host configurations, ability to remove certain files may be usable for privilege escalation.

Discovery 2016-11-22
Entry 2016-12-04
lt 4.7.1