CVE-2015-7814
https://notcve.org/view.php?id=CVE-2015-7814
Race condition in the relinquish_memory function in arch/arm/domain.c in Xen 4.6.x and earlier allows local domains with partial management control to cause a denial of service (host crash) via vectors involving the destruction of a domain and using XENMEM_decrease_reservation to reduce the memory of the domain. Condición de carrera en la función relinquish_memory en arch/arm/domain.c en Xen 4.6.x y versiones anteriores permite a dominios locales con control parcial de la gestión provocar una denegación de servicio (caída del host) a través de vectores relacionados con la destrucción de un dominio y utilizando XENMEM_decrease_reservation para reducir la memoria del dominio. • http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171082.html http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171185.html http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171249.html http://www.debian.org/security/2015/dsa-3414 http://www.securitytracker.com/id/1034030 http://xenbits.xen.org/xsa/advisory-147.html https://security.gentoo.org/glsa/201604-03 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2015-5166
https://notcve.org/view.php?id=CVE-2015-5166
Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not completely unplug emulated block devices, which allows local HVM guest users to gain privileges by unplugging a block device twice. Vulnerabilidad de uso después de liberación en la memoria en QEMU en Xen 4.5.x y versiones anteriores, no desconecta completamente los dispositivos de bloque emulados, lo que permite a usuarios invitados HVM locales obtener privilegios desconectando un dispositivo de bloque dos veces. • http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165373.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167792.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167820.html http://www.securityfocus.com/bid/76152 http://www.securitytracker.com/id/1033175 http://xenbits.xen.org/xsa/advisory-139.html • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2015-5165 – Qemu: rtl8139 uninitialized heap memory information leakage to guest (XSA-140)
https://notcve.org/view.php?id=CVE-2015-5165
The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors. Vulnerabilidad en la emulación de modo offload C+ en el modelo de tarjeta de red del dispositivo RTL8139 en QEMU, tal y como se utiliza en Xen 4.5.x y versiones anteriores, permite a atacantes remotos leer la memoria dinámica del proceso a través de vectores no especificados. An information leak flaw was found in the way QEMU's RTL8139 emulation implementation processed network packets under RTL8139 controller's C+ mode of operation. An unprivileged guest user could use this flaw to read up to 65 KB of uninitialized QEMU heap memory. • http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165373.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167792.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167820.html http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00018.html http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00027.html http://rhn.redhat.com/errata/RHSA-2015-1674.html http://rhn.redhat.com/errata/RHSA-2015-1683.html http: • CWE-456: Missing Initialization of a Variable CWE-908: Use of Uninitialized Resource •
CVE-2015-5154 – qemu: ide: atapi: heap overflow during I/O buffer memory access
https://notcve.org/view.php?id=CVE-2015-5154
Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands. Desbordamiento del buffer basado en memoria dinámica en el subsistema IDE en QEMU, usado en Xen 4.5.x y versiones anteriores, cuando el contenedor tiene una unidad CDROM habilitada, permite a usuarios invitados locales ejecutar código arbitrario en el host a través de comandos ATAPI no especificados. A heap buffer overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with the CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest. • http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163472.html http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163658.html http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163681.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00041.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00042.html http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00017.html http://lists.opensuse.org/opensuse-security-annou • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2015-4164
https://notcve.org/view.php?id=CVE-2015-4164
The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a loop, which allows local 32-bit PV guest administrators to cause a denial of service (large loop and system hang) via a hypercall_iret call with EFLAGS.VM set. La función compat_iret en Xen 3.1 hasta 4.5 itera en la dirección errónea a través de un bucle, lo que permite a administradores locales invitados de PV de 32 dits causar una denegación de servicio (bucle grande y cuelgue del sistema) a través de una llamada hypercall_iret con el juego EFLAGS.VM. • http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00007.html http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00029.html http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00030.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00027.html http://support.citrix.com/article/CTX201145 http://www. • CWE-399: Resource Management Errors •