FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  514783
Date:      2019-10-19
Time:      09:52:18Z
Committer: wen

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
f06f20dc-4347-11e5-93ad-002590263bf5qemu, xen-tools -- QEMU leak of uninitialized heap memory in rtl8139 device model

The Xen Project reports:

The QEMU model of the RTL8139 network card did not sufficiently validate inputs in the C+ mode offload emulation. This results in uninitialized memory from the QEMU process's heap being leaked to the domain as well as to the network.

A guest may be able to read sensitive host-level data relating to itself which resides in the QEMU process.

Such information may include things such as information relating to real devices backing emulated devices or passwords which the host administrator does not intend to share with the guest admin.


Discovery 2015-08-03
Entry 2015-08-17
Modified 2015-08-19
qemu
qemu-devel
le 0.11.1_20

ge 0.12 le 2.3.0_2

qemu-sbruno
qemu-user-static
lt 2.4.50.g20150814

xen-tools
lt 4.5.1

CVE-2015-5165
http://xenbits.xen.org/xsa/advisory-140.html
http://git.qemu.org/?p=qemu.git;a=commit;h=2a3612ccc1fa9cea77bd193afbfe21c77e7e91ef
acd5d037-1c33-11e5-be9c-6805ca1d3bb1qemu -- Heap overflow in QEMU PCNET controller, allowing guest to host escape (CVE-2015-3209)

The QEMU security team reports:

A guest which has access to an emulated PCNET network device (e.g. with "model=pcnet" in their VIF configuration) can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process.


Discovery 2015-04-10
Entry 2015-06-26
Modified 2015-07-11
qemu
qemu-devel
lt 0.11.1_20

ge 0.12 lt 2.3.0_2

qemu-sbruno
lt 2.3.50.g20150618_1

xen-tools
lt 4.5.0_6

http://xenbits.xen.org/xsa/advisory-135.html
CVE-2015-3209
405446f4-b1b3-11e5-9728-002590263bf5qemu and xen-tools -- denial of service vulnerabilities in AMD PC-Net II NIC support

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the AMD PC-Net II Ethernet Controller support is vulnerable to a heap buffer overflow flaw. While receiving packets in the loopback mode, it appends CRC code to the receive buffer. If the data size given is same as the receive buffer size, the appended CRC code overwrites 4 bytes beyond this 's->buffer' array.

A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to crash the Qemu instance resulting in DoS or potentially execute arbitrary code with privileges of the Qemu process on the host.

The AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets from a remote host(non-loopback mode), fails to validate the received data size, thus resulting in a buffer overflow issue. It could potentially lead to arbitrary code execution on the host, with privileges of the Qemu process. It requires the guest NIC to have larger MTU limit.

A remote user could use this flaw to crash the guest instance resulting in DoS or potentially execute arbitrary code on a remote host with privileges of the Qemu process.


Discovery 2015-11-30
Entry 2016-01-03
Modified 2016-01-06
qemu
qemu-devel
lt 2.5.0

qemu-sbruno
qemu-user-static
lt 2.5.50.g20151224

xen-tools
lt 4.5.2_1

CVE-2015-7504
CVE-2015-7512
http://www.openwall.com/lists/oss-security/2015/11/30/2
http://www.openwall.com/lists/oss-security/2015/11/30/3
http://git.qemu.org/?p=qemu.git;a=commit;h=837f21aacf5a714c23ddaadbbc5212f9b661e3f7
http://git.qemu.org/?p=qemu.git;a=commit;h=8b98a2f07175d46c3f7217639bd5e03f2ec56343
https://github.com/seanbruno/qemu-bsd-user/commit/837f21aacf5a714c23ddaadbbc5212f9b661e3f7
https://github.com/seanbruno/qemu-bsd-user/commit/8b98a2f07175d46c3f7217639bd5e03f2ec56343
http://xenbits.xen.org/xsa/advisory-162.html
da451130-365d-11e5-a4a5-002590263bf5qemu, xen-tools -- QEMU heap overflow flaw with certain ATAPI commands

The Xen Project reports:

A heap overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands.

A privileged guest user in a guest with CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest.


Discovery 2015-07-27
Entry 2015-08-04
Modified 2015-08-19
qemu
qemu-devel
le 0.11.1_20

ge 0.12 le 2.3.0_2

qemu-sbruno
qemu-user-static
lt 2.4.50.g20150814

xen-tools
lt 4.5.0_9

CVE-2015-5154
http://xenbits.xen.org/xsa/advisory-138.html
http://git.qemu.org/?p=qemu.git;a=commit;h=e40db4c6d391419c0039fe274c74df32a6ca1a28
ee99899d-4347-11e5-93ad-002590263bf5qemu, xen-tools -- use-after-free in QEMU/Xen block unplug protocol

The Xen Project reports:

When unplugging an emulated block device the device was not fully unplugged, meaning a second unplug attempt would attempt to unplug the device a second time using a previously freed pointer.

An HVM guest which has access to an emulated IDE disk device may be able to exploit this vulnerability in order to take over the qemu process elevating its privilege to that of the qemu process.


Discovery 2015-08-03
Entry 2015-08-17
Modified 2015-08-19
qemu
qemu-devel
le 0.11.1_20

ge 0.12 le 2.3.0_2

qemu-sbruno
qemu-user-static
lt 2.4.50.g20150814

xen-tools
lt 4.5.1

CVE-2015-5166
http://xenbits.xen.org/xsa/advisory-139.html
http://git.qemu.org/?p=qemu.git;a=commit;h=260425ab405ea76c44dd59744d05176d4f579a52
e6ce6f50-4212-11e6-942d-bc5ff45d0f28xen-tools -- QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks

The Xen Project reports:

Qemu VGA module allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations.

Qemu VGA module allows guest to edit certain registers in 'vbe' and 'vga' modes.

A privileged guest user could use CVE-2016-3710 to exceed the bank address window and write beyond the said memory area, potentially leading to arbitrary code execution with privileges of the Qemu process. If the system is not using stubdomains, this will be in domain 0.

A privileged guest user could use CVE-2016-3712 to cause potential integer overflow or OOB read access issues in Qemu, resulting in a DoS of the guest itself. More dangerous effect, such as data leakage or code execution, are not known but cannot be ruled out.


Discovery 2016-05-09
Entry 2016-07-04
xen-tools
lt 4.7.0_2

CVE-2016-3710
CVE-2016-3712
http://xenbits.xen.org/xsa/advisory-179.html
a73aba9a-effe-11e6-ae1b-002590263bf5xen-tools -- oob access in cirrus bitblt copy

The Xen Project reports:

When doing bitblt copy backwards, qemu should negate the blit width. This avoids an oob access before the start of video memory.

A malicious guest administrator can cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation.


Discovery 2017-02-10
Entry 2017-02-11
xen-tools
lt 4.7.1_2

CVE-2017-2615
http://xenbits.xen.org/xsa/advisory-208.html
58685e23-ba4d-11e6-ae1b-002590263bf5xen-tools -- qemu incautious about shared ring processing

The Xen Project reports:

The compiler can emit optimizations in qemu which can lead to double fetch vulnerabilities. Specifically data on the rings shared between qemu and the hypervisor (which the guest under control can obtain mappings of) can be fetched twice (during which time the guest can alter the contents) possibly leading to arbitrary code execution in qemu.

Malicious administrators can exploit this vulnerability to take over the qemu process, elevating its privilege to that of the qemu process.

In a system not using a device model stub domain (or other techniques for deprivileging qemu), malicious guest administrators can thus elevate their privilege to that of the host.


Discovery 2016-11-22
Entry 2016-12-04
xen-tools
lt 4.7.1

CVE-2016-9381
ports/214936
https://xenbits.xen.org/xsa/advisory-197.html
af19ecd0-0f6a-11e7-970f-002590263bf5xen-tools -- Cirrus VGA Heap overflow via display refresh

The Xen Project reports:

A privileged user within the guest VM can cause a heap overflow in the device model process, potentially escalating their privileges to that of the device model process.


Discovery 2017-03-14
Entry 2017-03-23
xen-tools
lt 4.7.2

CVE-2016-9603
http://xenbits.xen.org/xsa/advisory-211.html
3d657340-27ea-11e5-a4a5-002590263bf5xen-tools -- Unmediated PCI register access in qemu

The Xen Project reports:

Qemu allows guests to not only read, but also write all parts of the PCI config space (but not extended config space) of passed through PCI devices not explicitly dealt with for (partial) emulation purposes.

Since the effect depends on the specific purpose of the the config space field, it's not possible to give a general statement about the exact impact on the host or other guests. Privilege escalation, host crash (Denial of Service), and leaked information all cannot be excluded.


Discovery 2015-06-02
Entry 2015-07-11
xen-tools
ge 3.3 lt 4.5.0_6

CVE-2015-4106
http://xenbits.xen.org/xsa/advisory-131.html
e800cd4b-4212-11e6-942d-bc5ff45d0f28xen-tools -- Unrestricted qemu logging

The Xen Project reports:

When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen. This output is not rate-limited in any way. The guest can easily cause qemu to print messages to stderr, causing this file to become arbitrarily large.

The disk containing the logfile can be exhausted, possibly causing a denial-of-service (DoS).


Discovery 2016-05-23
Entry 2016-07-04
xen-tools
lt 4.7.0_2

CVE-2014-3672
http://xenbits.xen.org/xsa/advisory-180.html
4db8a0f4-27e9-11e5-a4a5-002590263bf5xen-tools -- PCI MSI mask bits inadvertently exposed to guests

The Xen Project reports:

The mask bits optionally available in the PCI MSI capability structure are used by the hypervisor to occasionally suppress interrupt delivery. Unprivileged guests were, however, nevertheless allowed direct control of these bits.

Interrupts may be observed by Xen at unexpected times, which may lead to a host crash and therefore a Denial of Service.


Discovery 2015-06-02
Entry 2015-07-11
xen-tools
ge 3.3 lt 4.5.0_6

CVE-2015-4104
http://xenbits.xen.org/xsa/advisory-129.html
e589ae90-4212-11e6-942d-bc5ff45d0f28xen-tools -- Unsanitised driver domain input in libxl device handling

The Xen Project reports:

libxl's device-handling code freely uses and trusts information from the backend directories in xenstore.

A malicious driver domain can deny service to management tools.


Discovery 2016-06-02
Entry 2016-07-04
xen-tools
lt 4.7.0_1

CVE-2016-4963
http://xenbits.xen.org/xsa/advisory-178.html
79f401cd-27e6-11e5-a4a5-002590263bf5xen-tools -- Unmediated PCI command register access in qemu

The Xen Project reports:

HVM guests are currently permitted to modify the memory and I/O decode bits in the PCI command register of devices passed through to them. Unless the device is an SR-IOV virtual function, after disabling one or both of these bits subsequent accesses to the MMIO or I/O port ranges would - on PCI Express devices - lead to Unsupported Request responses. The treatment of such errors is platform specific.

Furthermore (at least) devices under control of the Linux pciback driver in the host are handed to guests with the aforementioned bits turned off. This means that such accesses can similarly lead to Unsupported Request responses until these flags are set as needed by the guest.

In the event that the platform surfaces aforementioned UR responses as Non-Maskable Interrupts, and either the OS is configured to treat NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat these errors as fatal, the host would crash, leading to a Denial of Service.


Discovery 2015-03-31
Entry 2015-07-11
xen-tools
ge 3.3 lt 4.5.0_6

CVE-2015-2756
http://xenbits.xen.org/xsa/advisory-126.html
0d732fd1-27e0-11e5-a4a5-002590263bf5xen-tools -- HVM qemu unexpectedly enabling emulated VGA graphics backends

The Xen Project reports:

When instantiating an emulated VGA device for an x86 HVM guest qemu will by default enable a backend to expose that device, either SDL or VNC depending on the version of qemu and the build time configuration.

The libxl toolstack library does not explicitly disable these default backends when they are not enabled, leading to an unexpected backend running.

If either SDL or VNC is explicitly enabled in the guest configuration then only the expected backends will be enabled.

This affects qemu-xen and qemu-xen-traditional differently.

If qemu-xen was compiled with SDL support then this would result in an SDL window being opened if $DISPLAY is valid, or a failure to start the guest if not.

If qemu-xen was compiled without SDL support then qemu would instead start a VNC server listening on ::1 (IPv6 localhost) or 127.0.0.1 (IPv4 localhost) with IPv6 preferred if available. A VNC password will not be configured even if one is present in the guest configuration.

qemu-xen-traditional will never start a vnc backend unless explicitly configured. However by default it will start an SDL backend if it was built with SDL support and $DISPLAY is valid.


Discovery 2015-03-13
Entry 2015-07-11
xen-tools
lt 4.5.0_6

CVE-2015-2152
http://xenbits.xen.org/xsa/advisory-119.html
af38cfec-27e7-11e5-a4a5-002590263bf5xen-tools -- Potential unintended writes to host MSI message data field via qemu

The Xen Project reports:

Logic is in place to avoid writes to certain host config space fields when the guest must nevertheless be able to access their virtual counterparts. A bug in how this logic deals with accesses spanning multiple fields allows the guest to write to the host MSI message data field.

While generally the writes write back the values previously read, their value in config space may have got changed by the host between the qemu read and write. In such a case host side interrupt handling could become confused, possibly losing interrupts or allowing spurious interrupt injection into other guests.

Certain untrusted guest administrators may be able to confuse host side interrupt handling, leading to a Denial of Service.


Discovery 2015-06-02
Entry 2015-07-11
xen-tools
ge 3.3 lt 4.5.0_6

CVE-2015-4103
http://xenbits.xen.org/xsa/advisory-128.html
8cbd9c08-f8b9-11e6-ae1b-002590263bf5xen-tools -- cirrus_bitblt_cputovideo does not check if memory region is safe

The Xen Project reports:

In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo fails to check whether the specified memory region is safe. A malicious guest administrator can cause an out of bounds memory write, very likely exploitable as a privilege escalation.


Discovery 2017-02-21
Entry 2017-02-22
xen-tools
lt 4.7.1_4

CVE-2017-2620
http://xenbits.xen.org/xsa/advisory-209.html
cbe1a0f9-27e9-11e5-a4a5-002590263bf5xen-tools -- Guest triggerable qemu MSI-X pass-through error messages

The Xen Project reports:

Device model code dealing with guest PCI MSI-X interrupt management activities logs messages on certain (supposedly) invalid guest operations.

A buggy or malicious guest repeatedly invoking such operations may result in the host disk to fill up, possibly leading to a Denial of Service.


Discovery 2015-06-02
Entry 2015-07-11
xen-tools
ge 3.3 lt 4.5.0_6

CVE-2015-4105
http://xenbits.xen.org/xsa/advisory-130.html
e2fca11b-4212-11e6-942d-bc5ff45d0f28xen-tools -- Unsanitised guest input in libxl device handling code

The Xen Project reports:

Various parts of libxl device-handling code inappropriately use information from (partially) guest controlled areas of xenstore.

A malicious guest administrator can cause denial of service by resource exhaustion.

A malicious guest administrator can confuse and/or deny service to management facilities.

A malicious guest administrator of a guest configured with channel devices may be able to escalate their privilege to that of the backend domain (i.e., normally, to that of the host).


Discovery 2016-06-02
Entry 2016-07-04
xen-tools
lt 4.7.0_1

CVE-2016-4962
http://xenbits.xen.org/xsa/advisory-175.html
d40c66cb-27e4-11e5-a4a5-002590263bf5xen-kernel and xen-tools -- Long latency MMIO mapping operations are not preemptible

The Xen Project reports:

The XEN_DOMCTL_memory_mapping hypercall allows long running operations without implementing preemption.

This hypercall is used by the device model as part of the emulation associated with configuration of PCI devices passed through to HVM guests and is therefore indirectly exposed to those guests.

This can cause a physical CPU to become busy for a significant period, leading to a host denial of service in some cases.

If a host denial of service is not triggered then it may instead be possible to deny service to the domain running the device model, e.g. domain 0.

This hypercall is also exposed more generally to all toolstacks. However the uses of it in libxl based toolstacks are not believed to open up any avenue of attack from an untrusted guest. Other toolstacks may be vulnerable however.

The vulnerability is exposed via HVM guests which have a PCI device assigned to them. A malicious HVM guest in such a configuration can mount a denial of service attack affecting the whole system via its associated device model (qemu-dm).

A guest is able to trigger this hypercall via operations which it is legitimately expected to perform, therefore running the device model as a stub domain does not offer protection against the host denial of service issue. However it does offer some protection against secondary issues such as denial of service against dom0.


Discovery 2015-03-31
Entry 2015-07-11
xen-kernel
lt 4.5.0_3

xen-tools
lt 4.5.0_6

CVE-2015-2752
http://xenbits.xen.org/xsa/advisory-125.html
59f79c99-ba4d-11e6-ae1b-002590263bf5xen-tools -- delimiter injection vulnerabilities in pygrub

The Xen Project reports:

pygrub, the boot loader emulator, fails to quote (or sanity check) its results when reporting them to its caller.

A malicious guest administrator can obtain the contents of sensitive host files (an information leak). Additionally, a malicious guest administrator can cause files on the host to be removed, causing a denial of service. In some unusual host configurations, ability to remove certain files may be usable for privilege escalation.


Discovery 2016-11-22
Entry 2016-12-04
xen-tools
lt 4.7.1

CVE-2016-9379
CVE-2016-9380
ports/214936
https://xenbits.xen.org/xsa/advisory-198.html
c0e76d33-8821-11e5-ab94-002590263bf5xen-tools -- populate-on-demand balloon size inaccuracy can crash guests

The Xen Project reports:

Guests configured with PoD might be unstable, especially under load. In an affected guest, an unprivileged guest user might be able to cause a guest crash, perhaps simply by applying load so as to cause heavy memory pressure within the guest.


Discovery 2015-10-29
Entry 2015-11-11
xen-tools
ge 3.4 lt 4.5.1_2

CVE-2015-7972
http://xenbits.xen.org/xsa/advisory-153.html
06574c62-5854-11e6-b334-002590263bf5xen-tools -- virtio: unbounded memory allocation issue

The Xen Project reports:

A guest can submit virtio requests without bothering to wait for completion and is therefore not bound by virtqueue size...

A malicious guest administrator can cause unbounded memory allocation in QEMU, which can cause an Out-of-Memory condition in the domain running qemu. Thus, a malicious guest administrator can cause a denial of service affecting the whole host.


Discovery 2016-07-27
Entry 2016-08-02
xen-tools
lt 4.7.0_4

CVE-2016-5403
ports/211482
http://xenbits.xen.org/xsa/advisory-184.html
47873d72-14eb-11e7-970f-002590263bf5xen-tools -- xenstore denial of service via repeated update

The Xen Project reports:

Unprivileged guests may be able to stall progress of the control domain or driver domain, possibly leading to a Denial of Service (DoS) of the entire host.


Discovery 2017-03-28
Entry 2017-03-30
xen-tools
lt 4.7.2_1

http://xenbits.xen.org/xsa/advisory-206.html