openSUSE: Security Advisory for qemu (openSUSE-SU-2016:2642-1)
2016-10-27T00:00:00
ID OPENVAS:1361412562310851423 Type openvas Reporter Copyright (C) 2016 Greenbone Networks GmbH Modified 2020-01-31T00:00:00
Description
The remote host is missing an update for the 'qemu' package(s) announced via the referenced advisory (openSUSE-SU-2016:2642-1).
# Copyright (C) 2016 Greenbone Networks GmbH
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (C) of their respective author(s)
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
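if(description)
{
  # Registration block for the openSUSE-SU-2016:2642-1 qemu check.
  # Only metadata is set here; the actual test (below, outside this block)
  # is a local RPM version comparison over SSH and never touches a guest.
  script_oid("1.3.6.1.4.1.25623.1.0.851423");
  script_version("2020-01-31T08:23:39+0000");
  script_tag(name:"last_modification", value:"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)");
  script_tag(name:"creation_date", value:"2016-10-27 05:40:10 +0200 (Thu, 27 Oct 2016)");

  # All 19 CVEs listed in the advisory.
  script_cve_id("CVE-2016-2391", "CVE-2016-2392", "CVE-2016-4453", "CVE-2016-4454",
                "CVE-2016-5105", "CVE-2016-5106", "CVE-2016-5107", "CVE-2016-5126",
                "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-5338", "CVE-2016-5403",
                "CVE-2016-6490", "CVE-2016-6833", "CVE-2016-6836", "CVE-2016-6888",
                "CVE-2016-7116", "CVE-2016-7155", "CVE-2016-7156");

  # NOTE(review): the aggregate vector below is denial-of-service only
  # (C:N/I:N/A:C), but the advisory text itself describes guest-to-host code
  # execution for CVE-2016-5126 and CVE-2016-5338, host memory disclosure for
  # CVE-2016-5105/5337/4454/6836 and host file access via 9pfs for
  # CVE-2016-7116. Hosts that run untrusted guests should be prioritised
  # above what a 4.9 base score suggests.
  script_tag(name:"cvss_base", value:"4.9");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:L/Au:N/C:N/I:N/A:C");

  # QoD "package": the verdict rests solely on the installed RPM version.
  script_tag(name:"qod_type", value:"package");
  script_name("openSUSE: Security Advisory for qemu (openSUSE-SU-2016:2642-1)");

  script_tag(name:"summary", value:"The remote host is missing an update for the 'qemu'
  package(s) announced via the referenced advisory.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");

  # Full issue list as published in openSUSE-SU-2016:2642-1; every entry is
  # triggered from inside a guest (local guest OS administrator / privileged
  # guest user) and affects the QEMU process on the host.
  script_tag(name:"insight", value:"qemu was updated to fix 19 security issues.

  These security issues were fixed:

  - CVE-2016-2392: The is_rndis function in the USB Net device emulator
  (hw/usb/dev-network.c) in QEMU did not properly validate USB
  configuration descriptor objects, which allowed local guest OS
  administrators to cause a denial of service (NULL pointer dereference
  and QEMU process crash) via vectors involving a remote NDIS control
  message packet (bsc#967012)

  - CVE-2016-2391: The ohci_bus_start function in the USB OHCI emulation
  support (hw/usb/hcd-ohci.c) in QEMU allowed local guest OS
  administrators to cause a denial of service (NULL pointer dereference
  and QEMU process crash) via vectors related to multiple eof_timers
  (bsc#967013)

  - CVE-2016-5106: The megasas_dcmd_set_properties function in
  hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus
  Adapter emulation support, allowed local guest administrators to cause a
  denial of service (out-of-bounds write access) via vectors involving a
  MegaRAID Firmware Interface (MFI) command (bsc#982018)

  - CVE-2016-5105: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c
  in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation
  support, used an uninitialized variable, which allowed local guest
  administrators to read host memory via vectors involving a MegaRAID
  Firmware Interface (MFI) command (bsc#982017)

  - CVE-2016-5107: The megasas_lookup_frame function in QEMU, when built
  with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed
  local guest OS administrators to cause a denial of service
  (out-of-bounds read and crash) via unspecified vectors (bsc#982019)

  - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl
  function in block/iscsi.c in QEMU allowed local guest OS users to cause
  a denial of service (QEMU process crash) or possibly execute arbitrary
  code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982285)

  - CVE-2016-4454: The vmsvga_fifo_read_raw function in
  hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to
  obtain sensitive host memory information or cause a denial of service
  (QEMU process crash) by changing FIFO registers and issuing a VGA
  command, which triggers an out-of-bounds read (bsc#982222)

  - CVE-2016-4453: The vmsvga_fifo_run function in hw/display/vmware_vga.c
  in QEMU allowed local guest OS administrators to cause a denial of
  service (infinite loop and QEMU process crash) via a VGA command
  (bsc#982223)

  - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions in
  hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a
  denial of service (QEMU process crash) or execute arbitrary code on the
  QEMU host via vectors related to the information transfer buffer
  (bsc#983982)

  - CVE-2016-5337: The megasas_ctrl_get_info function in hw/scsi/megasas.c
  in QEMU allowed local guest OS administrators to obtain sensitive host
  memory information via vectors related to reading device control
  information (bsc#983961)

  - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in QEMU allowed
  local guest OS administrators to cause a denial of service
  (out-of-bounds write and QEMU process crash) via vectors related to
  reading from the information transfer buffer in non-DMA mode (bsc#982959)

  - CVE-2016-5403: The virtqueue_pop function in hw/virtio/virtio.c in QEMU
  allowed local guest OS administrators to cause a denial of service
  (memory consumption and QEMU process crash) by submitting requests
  without waiting for completion (bsc#991080)

  - CVE-2016-6490: Infinite loop in the virtio framework. A privileged user
  inside the guest could have used this flaw to crash the Qemu instance on
  the host resulting in DoS (bsc#991466)

  - CVE-2016-6888: Integer overflow in packet initialisation in VMXNET3
  device driver. A privileged user inside guest could have used this flaw
  to crash the Qemu instance resulting in DoS (bsc#994771)

  - CVE-2016-6833: Use-after-free issue in the VMWARE VMXNET3 NIC device
  support. A privileged user inside guest could have used this issue to
  crash the Qemu instance resulting in DoS (bsc#994774)

  - CVE-2016-7116: Host directory sharing via Plan 9 File System (9pfs) was
  vulnerable to a directory/path traversal issue. A privileged user inside
  guest could have used this flaw to access undue files on the host
  (bsc#996441)

  - CVE-2016-6836: VMWARE VMXNET3 NIC device support was leaking
  information. A privileged user inside guest could have used this to leak
  host memory bytes to a guest (bsc#994760)

  - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus an OOB access
  and/or infinite loop issue could have allowed a privileged user inside
  guest to crash the Qemu process resulting in DoS (bsc#997858)

  - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus an infinite
  loop issue could have allowed a privileged user inside guest to crash the
  Qemu process resulting in DoS (bsc#997859)

  This non-security issue was fixed:

  - bsc#1000048: Fix migration failure where target host is a soon to be
  released SLES 12 SP2. Qemu's spice code gets an assertion.

  This update was imported from the SUSE:SLE-12-SP1:Update update project.");

  script_tag(name:"affected", value:"qemu on openSUSE Leap 42.1");

  # Installing the packages updates the binaries on disk only; guests
  # started before the update keep running the old qemu image until they
  # are restarted or migrated.
  script_tag(name:"solution", value:"Please install the updated package(s).
  Guests started before the update keep running the old qemu binary and must be
  restarted (or migrated) for the fix to take effect.");

  script_xref(name:"openSUSE-SU", value:"2016:2642-1");
  # Announcement URL, so that the referenced advisory can actually be looked up.
  script_xref(name:"URL", value:"http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00060.html");
  script_tag(name:"solution_type", value:"VendorFix");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2016 Greenbone Networks GmbH");
  script_family("SuSE Local Security Checks");
  # Needs the SSH-gathered package list and an openSUSE Leap 42.1 release string.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/suse", "ssh/login/rpms", re:"ssh/login/release=openSUSELeap42\.1");
  exit(0);
}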
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
# Detection: compare every installed qemu RPM against the fixed version from
# openSUSE-SU-2016:2642-1. A single vulnerable package is enough to report.
release = rpm_get_ssh_release();
if(!release)
  exit(0);

report = "";

if(release == "openSUSELeap42.1") {
  # Flat list of (package name, fixed name~version~release) pairs, in the
  # order the advisory lists them. qemu-linux-user (19.1) and qemu-testsuite
  # (19.6) carry different release numbers than the rest; the values are as
  # published — presumably separate source packages, TODO confirm.
  fixed = make_list(
    "qemu",                        "qemu~2.3.1~19.3",
    "qemu-arm",                    "qemu-arm~2.3.1~19.3",
    "qemu-arm-debuginfo",          "qemu-arm-debuginfo~2.3.1~19.3",
    "qemu-block-curl",             "qemu-block-curl~2.3.1~19.3",
    "qemu-block-curl-debuginfo",   "qemu-block-curl-debuginfo~2.3.1~19.3",
    "qemu-debugsource",            "qemu-debugsource~2.3.1~19.3",
    "qemu-extra",                  "qemu-extra~2.3.1~19.3",
    "qemu-extra-debuginfo",        "qemu-extra-debuginfo~2.3.1~19.3",
    "qemu-guest-agent",            "qemu-guest-agent~2.3.1~19.3",
    "qemu-guest-agent-debuginfo",  "qemu-guest-agent-debuginfo~2.3.1~19.3",
    "qemu-kvm",                    "qemu-kvm~2.3.1~19.3",
    "qemu-lang",                   "qemu-lang~2.3.1~19.3",
    "qemu-linux-user",             "qemu-linux-user~2.3.1~19.1",
    "qemu-linux-user-debuginfo",   "qemu-linux-user-debuginfo~2.3.1~19.1",
    "qemu-linux-user-debugsource", "qemu-linux-user-debugsource~2.3.1~19.1",
    "qemu-ppc",                    "qemu-ppc~2.3.1~19.3",
    "qemu-ppc-debuginfo",          "qemu-ppc-debuginfo~2.3.1~19.3",
    "qemu-s390",                   "qemu-s390~2.3.1~19.3",
    "qemu-s390-debuginfo",         "qemu-s390-debuginfo~2.3.1~19.3",
    "qemu-tools",                  "qemu-tools~2.3.1~19.3",
    "qemu-tools-debuginfo",        "qemu-tools-debuginfo~2.3.1~19.3",
    "qemu-x86",                    "qemu-x86~2.3.1~19.3",
    "qemu-x86-debuginfo",          "qemu-x86-debuginfo~2.3.1~19.3",
    "qemu-ipxe",                   "qemu-ipxe~1.0.0~19.3",
    "qemu-seabios",                "qemu-seabios~1.8.1~19.3",
    "qemu-sgabios",                "qemu-sgabios~8~19.3",
    "qemu-vgabios",                "qemu-vgabios~1.8.1~19.3",
    "qemu-block-rbd",              "qemu-block-rbd~2.3.1~19.3",
    "qemu-block-rbd-debuginfo",    "qemu-block-rbd-debuginfo~2.3.1~19.3",
    "qemu-testsuite",              "qemu-testsuite~2.3.1~19.6"
  );

  # isrpmvuln() returns a report fragment for an installed-but-older package
  # and NULL otherwise; fragments are concatenated in list order.
  for(i = 0; i < max_index(fixed); i += 2) {
    res = isrpmvuln(pkg:fixed[i], rpm:fixed[i + 1], rls:release);
    if(!isnull(res))
      report += res;
  }

  # NOTE(review): this is a package-version verdict only. A host whose RPMs
  # are current may still run guests on the old qemu binary if they were
  # not restarted/migrated after the update; that cannot be seen from here.
  if(report != "") {
    security_message(data:report);
  } else if(__pkg_match) {
    # At least one listed package was found and is at a fixed version.
    exit(99);
  }
  exit(0);
}

exit(0);
{"id": "OPENVAS:1361412562310851423", "type": "openvas", "bulletinFamily": "scanner", "title": "openSUSE: Security Advisory for qemu (openSUSE-SU-2016:2642-1)", "description": "The remote host is missing an update for the ", "published": "2016-10-27T00:00:00", "modified": "2020-01-31T00:00:00", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851423", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["2016:2642-1"], "cvelist": ["CVE-2016-7156", "CVE-2016-5106", "CVE-2016-2392", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-5126", "CVE-2016-2391", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-7116", "CVE-2016-6833", "CVE-2016-5107", "CVE-2016-4454", "CVE-2016-7155", "CVE-2016-6888", "CVE-2016-6490", "CVE-2016-6836"], "lastseen": "2020-03-14T18:58:20", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "suse", "idList": ["SUSE-SU-2016:2533-1", "SUSE-SU-2016:2093-1", "SUSE-SU-2016:2589-1", "OPENSUSE-SU-2016:2494-1", "OPENSUSE-SU-2016:2642-1", "OPENSUSE-SU-2016:2497-1", "SUSE-SU-2016:2100-1", "SUSE-SU-2016:2473-1"]}, {"type": "nessus", "idList": ["SUSE_SU-2016-2628-1.NASL", "FEDORA_2016-A80EAB65BA.NASL", "GENTOO_GLSA-201609-01.NASL", "UBUNTU_USN-3047-1.NASL", "FEDORA_2016-EA3002B577.NASL", "SUSE_SU-2016-2781-1.NASL", "UBUNTU_USN-3047-2.NASL", "FEDORA_2016-73853A7A16.NASL", "SUSE_SU-2016-2589-1.NASL", "OPENSUSE-2016-1234.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310842845", "OPENVAS:1361412562310808440", "OPENVAS:1361412562310808569", "OPENVAS:1361412562310808485", "OPENVAS:1361412562310871651", "OPENVAS:1361412562310882541", "OPENVAS:1361412562310891599", "OPENVAS:1361412562310851408", "OPENVAS:1361412562310808561", "OPENVAS:1361412562310842861"]}, {"type": "fedora", "idList": ["FEDORA:92233616B82A", "FEDORA:B465E606E495", "FEDORA:5E2526074A66", "FEDORA:5659A6058507", "FEDORA:49D0F60CE3C2", 
"FEDORA:61A4360802D0", "FEDORA:024136074A54", "FEDORA:AD4AA60ABD9A", "FEDORA:202BC60D2E7A", "FEDORA:937A36079255"]}, {"type": "ubuntu", "idList": ["USN-3047-2", "USN-3047-1"]}, {"type": "gentoo", "idList": ["GLSA-201609-01"]}, {"type": "cve", "idList": ["CVE-2016-7156", "CVE-2016-6490", "CVE-2016-7116", "CVE-2016-6833", "CVE-2016-5106", "CVE-2016-5403", "CVE-2016-6888", "CVE-2016-7155", "CVE-2016-5126", "CVE-2016-5105"]}, {"type": "redhat", "idList": ["RHSA-2016:1653", "RHSA-2016:1655", "RHSA-2016:1763", "RHSA-2016:1654", "RHSA-2016:1756", "RHSA-2016:1607", "RHSA-2016:1606"]}, {"type": "centos", "idList": ["CESA-2016:1606"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1599-1:F7408"]}, {"type": "archlinux", "idList": ["ASA-201606-8", "ASA-201606-9"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-1606"]}], "modified": "2020-03-14T18:58:20", "rev": 2}, "score": {"value": 6.7, "vector": "NONE", "modified": "2020-03-14T18:58:20", "rev": 2}, "vulnersScore": 6.7}, "pluginID": "1361412562310851423", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851423\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-10-27 05:40:10 +0200 (Thu, 27 Oct 2016)\");\n script_cve_id(\"CVE-2016-2391\", \"CVE-2016-2392\", \"CVE-2016-4453\", \"CVE-2016-4454\",\n \"CVE-2016-5105\", \"CVE-2016-5106\", \"CVE-2016-5107\", \"CVE-2016-5126\",\n \"CVE-2016-5238\", \"CVE-2016-5337\", \"CVE-2016-5338\", \"CVE-2016-5403\",\n \"CVE-2016-6490\", \"CVE-2016-6833\", \"CVE-2016-6836\", \"CVE-2016-6888\",\n \"CVE-2016-7116\", \"CVE-2016-7155\", \"CVE-2016-7156\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for qemu (openSUSE-SU-2016:2642-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qemu'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"qemu was updated to fix 19 security issues.\n\n These security issues were fixed:\n\n - CVE-2016-2392: The is_rndis function in the USB Net device emulator\n (hw/usb/dev-network.c) in QEMU did not properly validate USB\n configuration descriptor objects, which allowed local guest OS\n administrators to cause a denial of service (NULL pointer dereference\n and QEMU process crash) via vectors involving a remote NDIS control\n message packet (bsc#967012)\n\n - 
CVE-2016-2391: The ohci_bus_start function in the USB OHCI emulation\n support (hw/usb/hcd-ohci.c) in QEMU allowed local guest OS\n administrators to cause a denial of service (NULL pointer dereference\n and QEMU process crash) via vectors related to multiple eof_timers\n (bsc#967013)\n\n - CVE-2016-5106: The megasas_dcmd_set_properties function in\n hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus\n Adapter emulation support, allowed local guest administrators to cause a\n denial of service (out-of-bounds write access) via vectors involving a\n MegaRAID Firmware Interface (MFI) command (bsc#982018)\n\n - CVE-2016-5105: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c\n in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation\n support, used an uninitialized variable, which allowed local guest\n administrators to read host memory via vectors involving a MegaRAID\n Firmware Interface (MFI) command (bsc#982017)\n\n - CVE-2016-5107: The megasas_lookup_frame function in QEMU, when built\n with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed\n local guest OS administrators to cause a denial of service\n (out-of-bounds read and crash) via unspecified vectors (bsc#982019)\n\n - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl\n function in block/iscsi.c in QEMU allowed local guest OS users to cause\n a denial of service (QEMU process crash) or possibly execute arbitrary\n code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982285)\n\n - CVE-2016-4454: The vmsvga_fifo_read_raw function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to\n obtain sensitive host memory information or cause a denial of service\n (QEMU process crash) by changing FIFO registers and issuing a VGA\n command, which triggers an out-of-bounds read (bsc#982222)\n\n - CVE-2016-4453: The vmsvga_fifo_run function in hw/display/vmware_vga.c\n in QEMU allowed local guest OS administrators to 
cause a denial of\n service (infinite loop and QEMU process crash) via a VGA command\n (bsc#982223)\n\n - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions in\n hw/scsi/esp.c i ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"qemu on openSUSE Leap 42.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:2642-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"qemu\", rpm:\"qemu~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-arm\", rpm:\"qemu-arm~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-arm-debuginfo\", rpm:\"qemu-arm-debuginfo~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-block-curl\", rpm:\"qemu-block-curl~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-block-curl-debuginfo\", rpm:\"qemu-block-curl-debuginfo~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-debugsource\", rpm:\"qemu-debugsource~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-extra\", 
rpm:\"qemu-extra~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-extra-debuginfo\", rpm:\"qemu-extra-debuginfo~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-guest-agent\", rpm:\"qemu-guest-agent~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-guest-agent-debuginfo\", rpm:\"qemu-guest-agent-debuginfo~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-kvm\", rpm:\"qemu-kvm~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-lang\", rpm:\"qemu-lang~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-linux-user\", rpm:\"qemu-linux-user~2.3.1~19.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-linux-user-debuginfo\", rpm:\"qemu-linux-user-debuginfo~2.3.1~19.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-linux-user-debugsource\", rpm:\"qemu-linux-user-debugsource~2.3.1~19.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-ppc\", rpm:\"qemu-ppc~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-ppc-debuginfo\", rpm:\"qemu-ppc-debuginfo~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-s390\", rpm:\"qemu-s390~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-s390-debuginfo\", rpm:\"qemu-s390-debuginfo~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-tools\", rpm:\"qemu-tools~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"qemu-tools-debuginfo\", rpm:\"qemu-tools-debuginfo~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-x86\", rpm:\"qemu-x86~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-x86-debuginfo\", rpm:\"qemu-x86-debuginfo~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-ipxe\", rpm:\"qemu-ipxe~1.0.0~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-seabios\", rpm:\"qemu-seabios~1.8.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-sgabios\", rpm:\"qemu-sgabios~8~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-vgabios\", rpm:\"qemu-vgabios~1.8.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-block-rbd\", rpm:\"qemu-block-rbd~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-block-rbd-debuginfo\", rpm:\"qemu-block-rbd-debuginfo~2.3.1~19.3\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-testsuite\", rpm:\"qemu-testsuite~2.3.1~19.6\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "naslFamily": "SuSE Local Security Checks"}
{"suse": [{"lastseen": "2016-10-21T17:27:49", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7156", "CVE-2016-5106", "CVE-2016-2392", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-5126", "CVE-2016-2391", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-7116", "CVE-2016-6833", "CVE-2016-5107", "CVE-2016-4454", "CVE-2016-7155", "CVE-2016-6888", "CVE-2016-6490", "CVE-2016-6836"], "edition": 1, "description": "qemu was updated to fix 19 security issues.\n\n These security issues were fixed:\n - CVE-2016-2392: The is_rndis function in the USB Net device emulator\n (hw/usb/dev-network.c) in QEMU did not properly validate USB\n configuration descriptor objects, which allowed local guest OS\n administrators to cause a denial of service (NULL pointer dereference\n and QEMU process crash) via vectors involving a remote NDIS control\n message packet (bsc#967012)\n - CVE-2016-2391: The ohci_bus_start function in the USB OHCI emulation\n support (hw/usb/hcd-ohci.c) in QEMU allowed local guest OS\n administrators to cause a denial of service (NULL pointer dereference\n and QEMU process crash) via vectors related to multiple eof_timers\n (bsc#967013)\n - CVE-2016-5106: The megasas_dcmd_set_properties function in\n hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus\n Adapter emulation support, allowed local guest administrators to cause a\n denial of service (out-of-bounds write access) via vectors involving a\n MegaRAID Firmware Interface (MFI) command (bsc#982018)\n - CVE-2016-5105: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c\n in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation\n support, used an uninitialized variable, which allowed local guest\n administrators to read host memory via vectors involving a MegaRAID\n Firmware Interface (MFI) command (bsc#982017)\n - CVE-2016-5107: The megasas_lookup_frame function in QEMU, when built\n with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, 
allowed\n local guest OS administrators to cause a denial of service\n (out-of-bounds read and crash) via unspecified vectors (bsc#982019)\n - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl\n function in block/iscsi.c in QEMU allowed local guest OS users to cause\n a denial of service (QEMU process crash) or possibly execute arbitrary\n code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982285)\n - CVE-2016-4454: The vmsvga_fifo_read_raw function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to\n obtain sensitive host memory information or cause a denial of service\n (QEMU process crash) by changing FIFO registers and issuing a VGA\n command, which triggers an out-of-bounds read (bsc#982222)\n - CVE-2016-4453: The vmsvga_fifo_run function in hw/display/vmware_vga.c\n in QEMU allowed local guest OS administrators to cause a denial of\n service (infinite loop and QEMU process crash) via a VGA command\n (bsc#982223)\n - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions in\n hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a\n denial of service (QEMU process crash) or execute arbitrary code on the\n QEMU host via vectors related to the information transfer buffer\n (bsc#983982)\n - CVE-2016-5337: The megasas_ctrl_get_info function in hw/scsi/megasas.c\n in QEMU allowed local guest OS administrators to obtain sensitive host\n memory information via vectors related to reading device control\n information (bsc#983961)\n - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in QEMU allowed\n local guest OS administrators to cause a denial of service\n (out-of-bounds write and QEMU process crash) via vectors related to\n reading from the information transfer buffer in non-DMA mode (bsc#982959)\n - CVE-2016-5403: The virtqueue_pop function in hw/virtio/virtio.c in QEMU\n allowed local guest OS administrators to cause a denial of service\n (memory consumption and QEMU process crash) 
by submitting requests\n without waiting for completion (bsc#991080)\n - CVE-2016-6490: Infinite loop in the virtio framework. A privileged user\n inside the guest could have used this flaw to crash the Qemu instance on\n the host resulting in DoS (bsc#991466)\n - CVE-2016-6888: Integer overflow in packet initialisation in VMXNET3\n device driver. A privileged user inside guest could have used this flaw\n to crash the Qemu instance resulting in DoS (bsc#994771)\n - CVE-2016-6833: Use-after-free issue in the VMWARE VMXNET3 NIC device\n support. A privileged user inside guest could have used this issue to\n crash the Qemu instance resulting in DoS (bsc#994774)\n - CVE-2016-7116: Host directory sharing via Plan 9 File System(9pfs) was\n vulnerable to a directory/path traversal issue. A privileged user inside\n guest could have used this flaw to access undue files on the host\n (bsc#996441)\n - CVE-2016-6836: VMWARE VMXNET3 NIC device support was leaging information\n leakage. A privileged user inside guest could have used this to leak\n host memory bytes to a guest (bsc#994760)\n - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus a OOB access\n and/or infinite loop issue could have allowed a privileged user inside\n guest to crash the Qemu process resulting in DoS (bsc#997858)\n - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus a infinite loop\n issue could have allowed a privileged user inside guest to crash the\n Qemu process resulting in DoS (bsc#997859)\n\n This non-security issue was fixed:\n - bsc#1000048: Fix migration failure where target host is a soon to be\n released SLES 12 SP2. 
Qemu's spice code gets an assertion.\n\n", "modified": "2016-10-21T19:08:51", "published": "2016-10-21T19:08:51", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00037.html", "id": "SUSE-SU-2016:2589-1", "type": "suse", "title": "Security update for qemu (important)", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-10-26T13:27:49", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7156", "CVE-2016-5106", "CVE-2016-2392", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-5126", "CVE-2016-2391", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-7116", "CVE-2016-6833", "CVE-2016-5107", "CVE-2016-4454", "CVE-2016-7155", "CVE-2016-6888", "CVE-2016-6490", "CVE-2016-6836"], "edition": 1, "description": "qemu was updated to fix 19 security issues.\n\n These security issues were fixed:\n - CVE-2016-2392: The is_rndis function in the USB Net device emulator\n (hw/usb/dev-network.c) in QEMU did not properly validate USB\n configuration descriptor objects, which allowed local guest OS\n administrators to cause a denial of service (NULL pointer dereference\n and QEMU process crash) via vectors involving a remote NDIS control\n message packet (bsc#967012)\n - CVE-2016-2391: The ohci_bus_start function in the USB OHCI emulation\n support (hw/usb/hcd-ohci.c) in QEMU allowed local guest OS\n administrators to cause a denial of service (NULL pointer dereference\n and QEMU process crash) via vectors related to multiple eof_timers\n (bsc#967013)\n - CVE-2016-5106: The megasas_dcmd_set_properties function in\n hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus\n Adapter emulation support, allowed local guest administrators to cause a\n denial of service (out-of-bounds write access) via vectors involving a\n MegaRAID Firmware Interface (MFI) command (bsc#982018)\n - CVE-2016-5105: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c\n in QEMU, when built with 
MegaRAID SAS 8708EM2 Host Bus Adapter emulation\n support, used an uninitialized variable, which allowed local guest\n administrators to read host memory via vectors involving a MegaRAID\n Firmware Interface (MFI) command (bsc#982017)\n - CVE-2016-5107: The megasas_lookup_frame function in QEMU, when built\n with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed\n local guest OS administrators to cause a denial of service\n (out-of-bounds read and crash) via unspecified vectors (bsc#982019)\n - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl\n function in block/iscsi.c in QEMU allowed local guest OS users to cause\n a denial of service (QEMU process crash) or possibly execute arbitrary\n code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982285)\n - CVE-2016-4454: The vmsvga_fifo_read_raw function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to\n obtain sensitive host memory information or cause a denial of service\n (QEMU process crash) by changing FIFO registers and issuing a VGA\n command, which triggers an out-of-bounds read (bsc#982222)\n - CVE-2016-4453: The vmsvga_fifo_run function in hw/display/vmware_vga.c\n in QEMU allowed local guest OS administrators to cause a denial of\n service (infinite loop and QEMU process crash) via a VGA command\n (bsc#982223)\n - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions in\n hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a\n denial of service (QEMU process crash) or execute arbitrary code on the\n QEMU host via vectors related to the information transfer buffer\n (bsc#983982)\n - CVE-2016-5337: The megasas_ctrl_get_info function in hw/scsi/megasas.c\n in QEMU allowed local guest OS administrators to obtain sensitive host\n memory information via vectors related to reading device control\n information (bsc#983961)\n - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in QEMU allowed\n local guest OS 
administrators to cause a denial of service\n (out-of-bounds write and QEMU process crash) via vectors related to\n reading from the information transfer buffer in non-DMA mode (bsc#982959)\n - CVE-2016-5403: The virtqueue_pop function in hw/virtio/virtio.c in QEMU\n allowed local guest OS administrators to cause a denial of service\n (memory consumption and QEMU process crash) by submitting requests\n without waiting for completion (bsc#991080)\n - CVE-2016-6490: Infinite loop in the virtio framework. A privileged user\n inside the guest could have used this flaw to crash the Qemu instance on\n the host resulting in DoS (bsc#991466)\n - CVE-2016-6888: Integer overflow in packet initialisation in VMXNET3\n device driver. A privileged user inside guest could have used this flaw\n to crash the Qemu instance resulting in DoS (bsc#994771)\n - CVE-2016-6833: Use-after-free issue in the VMWARE VMXNET3 NIC device\n support. A privileged user inside guest could have used this issue to\n crash the Qemu instance resulting in DoS (bsc#994774)\n - CVE-2016-7116: Host directory sharing via Plan 9 File System(9pfs) was\n vulnerable to a directory/path traversal issue. A privileged user inside\n guest could have used this flaw to access undue files on the host\n (bsc#996441)\n - CVE-2016-6836: VMWARE VMXNET3 NIC device support had an information\n leakage. 
A privileged user inside guest could have used this to leak\n host memory bytes to a guest (bsc#994760)\n - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus an OOB access\n and/or infinite loop issue could have allowed a privileged user inside\n guest to crash the Qemu process resulting in DoS (bsc#997858)\n - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus an infinite loop\n issue could have allowed a privileged user inside guest to crash the\n Qemu process resulting in DoS (bsc#997859)\n\n This non-security issue was fixed:\n - bsc#1000048: Fix migration failure where target host is a soon to be\n released SLES 12 SP2. Qemu's spice code gets an assertion.\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\n\n", "modified": "2016-10-26T14:11:23", "published": "2016-10-26T14:11:23", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00060.html", "id": "OPENSUSE-SU-2016:2642-1", "type": "suse", "title": "Security update for qemu (important)", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:21:59", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5106", "CVE-2016-3158", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-6351", "CVE-2016-5126", "CVE-2016-4441", "CVE-2016-4963", "CVE-2016-3960", "CVE-2016-4962", "CVE-2016-4952", "CVE-2016-3710", "CVE-2016-6258", "CVE-2016-5238", "CVE-2016-4002", "CVE-2016-4020", "CVE-2016-5337", "CVE-2016-4001", "CVE-2016-4037", "CVE-2014-3672", "CVE-2016-4439", "CVE-2016-5107", "CVE-2016-4454", "CVE-2016-3159"], "description": "This update for xen fixes several 
hardware FSW.ES bit when running on AMD64 processors, which allowed\n local guest OS users to obtain sensitive register content information\n from another guest by leveraging pending exception and mask bits\n (bsc#973188).\n - CVE-2016-3159: The fpu_fxrstor function in arch/x86/i387.c did not\n properly handle writes to the hardware FSW.ES bit when running on AMD64\n processors, which allowed local guest OS users to obtain sensitive\n register content information from another guest by leveraging pending\n exception and mask bits (bsc#973188).\n - CVE-2016-3710: The VGA module improperly performed bounds checking on\n banked access to video memory, which allowed local guest OS\n administrators to execute arbitrary code on the host by changing access\n modes after setting the bank register, aka the "Dark Portal" issue\n (bsc#978164).\n - CVE-2016-3960: Integer overflow in the x86 shadow pagetable code allowed\n local guest OS users to cause a denial of service (host crash) or\n possibly gain privileges by shadowing a superpage mapping (bsc#974038).\n - CVE-2016-4001: Buffer overflow in the stellaris_enet_receive function,\n when the Stellaris ethernet controller is configured to accept large\n packets, allowed remote attackers to cause a denial of service (QEMU\n crash) via a large packet (bsc#975130).\n - CVE-2016-4002: Buffer overflow in the mipsnet_receive function, when the\n guest NIC is configured to accept large packets, allowed remote\n attackers to cause a denial of service (memory corruption and QEMU\n crash) or possibly execute arbitrary code via a packet larger than 1514\n bytes (bsc#975138).\n - CVE-2016-4020: The patch_instruction function did not initialize the\n imm32 variable, which allowed local guest OS administrators to obtain\n sensitive information from host stack memory by accessing the Task\n Priority Register (TPR) (bsc#975907).\n - CVE-2016-4037: The ehci_advance_state function in hw/usb/hcd-ehci.c\n allowed local guest OS administrators to 
cause a denial of service\n (infinite loop and CPU consumption) via a circular split isochronous\n transfer descriptor (siTD) list (bsc#976111).\n - CVE-2016-4439: The esp_reg_write function in the 53C9X Fast SCSI\n Controller (FSC) support did not properly check command buffer length,\n which allowed local guest OS administrators to cause a denial of service\n (out-of-bounds write and QEMU process crash) or potentially execute\n arbitrary code on the host via unspecified vectors (bsc#980716).\n - CVE-2016-4441: The get_cmd function in the 53C9X Fast SCSI Controller\n (FSC) support did not properly check DMA length, which allowed local\n guest OS administrators to cause a denial of service (out-of-bounds\n write and QEMU process crash) via unspecified vectors, involving an SCSI\n command (bsc#980724).\n - CVE-2016-4453: The vmsvga_fifo_run function allowed local guest OS\n administrators to cause a denial of service (infinite loop and QEMU\n process crash) via a VGA command (bsc#982225).\n - CVE-2016-4454: The vmsvga_fifo_read_raw function allowed local guest OS\n administrators to obtain sensitive host memory information or cause a\n denial of service (QEMU process crash) by changing FIFO registers and\n issuing a VGA command, which triggered an out-of-bounds read\n (bsc#982224).\n - CVE-2016-4952: Out-of-bounds access issue in pvsci_ring_init_msg/data\n routines (bsc#981276).\n - CVE-2016-4962: The libxl device-handling allowed local OS guest\n administrators to cause a denial of service (resource consumption or\n management facility confusion) or gain host OS privileges by\n manipulating information in guest controlled areas of xenstore\n (bsc#979620).\n - CVE-2016-4963: The libxl device-handling allowed local guest OS users\n with access to the driver domain to cause a denial of service\n (management tool confusion) by manipulating information in the backend\n directories in xenstore (bsc#979670).\n - CVE-2016-5105: Stack information leakage while reading 
configuration\n (bsc#982024).\n - CVE-2016-5106: Out-of-bounds write while setting controller properties\n (bsc#982025).\n - CVE-2016-5107: Out-of-bounds read in megasas_lookup_frame() function\n (bsc#982026).\n - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl\n function allowed local guest OS users to cause a denial of service (QEMU\n process crash) or possibly execute arbitrary code via a crafted iSCSI\n asynchronous I/O ioctl call (bsc#982286).\n - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c might have allowed\n local guest OS administrators to cause a denial of service\n (out-of-bounds write and QEMU process crash) via vectors related to\n reading from the information transfer buffer in non-DMA mode\n (bsc#982960).\n - CVE-2016-5337: The megasas_ctrl_get_info function allowed local guest OS\n administrators to obtain sensitive host memory information via vectors\n related to reading device control information (bsc#983973).\n - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions\n allowed local guest OS administrators to cause a denial of service (QEMU\n process crash) or execute arbitrary code on the host via vectors related\n to the information transfer buffer (bsc#983984).\n - CVE-2016-6258: Potential privilege escalation in PV guests (XSA-182)\n (bsc#988675).\n - bsc#978295: x86 software guest page walk PS bit handling flaw (XSA-176)\n - CVE-2016-5403: virtio: unbounded memory allocation on host via guest\n leading to DoS (XSA-184) (bsc#990923)\n - CVE-2016-6351: scsi: esp: OOB write access in esp_do_dma (bsc#990843)\n\n These non-security issues were fixed:\n - bsc#954872: Script block-dmmd not working as expected - libxl: error:\n libxl_dm.c\n - bsc#957986: Indirect descriptors are not compatible with Amazon block\n backend\n - bsc#958848: HVM guest crash at\n /usr/src/packages/BUILD/xen-4.4.2-testing/obj/default/balloon/balloon.c:407\n\n - bsc#961600: Poor performance when Xen HVM domU configured with max\n 
memory greater than current memory\n - bsc#963161: Windows VM getting stuck during load while a VF is assigned\n to it after upgrading to latest maintenance updates\n - bsc#964427: Discarding device blocks: failed - Input/output error\n - bsc#976058: Xen error running simple HVM guest (Post Alpha 2 xen+qemu)\n - bsc#982695: qemu fails to boot HVM guest from xvda\n - bsc#986586: Out of memory (oom) during boot on "modprobe xenblk" (non\n xen kernel)\n - bsc#967630: Discrepancy in reported memory size with correction XSA-153\n for xend. Additional memory adjustment made.\n - bsc#974912: Persistent performance drop after live-migration using xend\n tool stack\n - bsc#979035: Restore xm migrate fixes for bsc#955399/ bsc#955399\n - bsc#989235: xen dom0 xm create command only searched /etc/xen instead of\n /etc/xen/vm\n - Live Migration SLES 11 SP3 to SP4 on AMD: "xc: error: Couldn't set\n extended vcpu0 info"\n - bsc#985503: Fixed vif-route\n - bsc#978413: PV guest upgrade from SLES11 SP4 to SLES 12 SP2 alpha3 failed\n\n", "edition": 1, "modified": "2016-08-18T18:09:54", "published": "2016-08-18T18:09:54", "id": "SUSE-SU-2016:2100-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00043.html", "type": "suse", "title": "Security update for xen (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:29:07", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5106", "CVE-2016-3158", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-6351", "CVE-2016-5126", "CVE-2016-4441", "CVE-2016-4963", "CVE-2016-6259", "CVE-2016-3960", "CVE-2016-4962", "CVE-2016-4952", "CVE-2016-3710", "CVE-2016-6258", "CVE-2016-5238", "CVE-2016-4002", "CVE-2016-4020", "CVE-2016-5337", "CVE-2016-4001", "CVE-2016-4037", "CVE-2014-3672", "CVE-2016-4439", "CVE-2016-5107", "CVE-2016-4454", "CVE-2016-3159"], "description": "This update for xen to version 4.5.3 fixes the several 
issues.\n\n These security issues were fixed:\n\n - CVE-2016-6258: Potential privilege escalation in PV guests (XSA-182)\n (bsc#988675).\n - CVE-2016-6259: Missing SMAP whitelisting in 32-bit exception / event\n delivery (XSA-183) (bsc#988676).\n - CVE-2016-5337: The megasas_ctrl_get_info function allowed local guest OS\n administrators to obtain sensitive host memory information via vectors\n related to reading device control information (bsc#983973).\n - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions\n allowed local guest OS administrators to cause a denial of service (QEMU\n process crash) or execute arbitrary code on the host via vectors related\n to the information transfer buffer (bsc#983984).\n - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c might have allowed\n local guest OS administrators to cause a denial of service\n (out-of-bounds write and QEMU process crash) via vectors related to\n reading from the information transfer buffer in non-DMA mode\n (bsc#982960).\n - CVE-2016-4453: The vmsvga_fifo_run function allowed local guest OS\n administrators to cause a denial of service (infinite loop and QEMU\n process crash) via a VGA command (bsc#982225).\n - CVE-2016-4454: The vmsvga_fifo_read_raw function allowed local guest OS\n administrators to obtain sensitive host memory information or cause a\n denial of service (QEMU process crash) by changing FIFO registers and\n issuing a VGA command, which triggered an out-of-bounds read\n (bsc#982224).\n - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl\n function allowed local guest OS users to cause a denial of service (QEMU\n process crash) or possibly execute arbitrary code via a crafted iSCSI\n asynchronous I/O ioctl call (bsc#982286).\n - CVE-2016-5105: Stack information leakage while reading configuration\n (bsc#982024).\n - CVE-2016-5106: Out-of-bounds write while setting controller properties\n (bsc#982025).\n - CVE-2016-5107: Out-of-bounds read in 
megasas_lookup_frame() function\n (bsc#982026).\n - CVE-2016-4963: The libxl device-handling allowed local guest OS users\n with access to the driver domain to cause a denial of service\n (management tool confusion) by manipulating information in the backend\n directories in xenstore (bsc#979670).\n - CVE-2016-4962: The libxl device-handling allowed local OS guest\n administrators to cause a denial of service (resource consumption or\n management facility confusion) or gain host OS privileges by\n manipulating information in guest controlled areas of xenstore\n (bsc#979620).\n - CVE-2016-4952: Out-of-bounds access issue in pvsci_ring_init_msg/data\n routines (bsc#981276).\n - CVE-2014-3672: The qemu implementation in libvirt Xen allowed local\n guest OS users to cause a denial of service (host disk consumption) by\n writing to stdout or stderr (bsc#981264).\n - CVE-2016-4441: The get_cmd function in the 53C9X Fast SCSI Controller\n (FSC) support did not properly check DMA length, which allowed local\n guest OS administrators to cause a denial of service (out-of-bounds\n write and QEMU process crash) via unspecified vectors, involving an SCSI\n command (bsc#980724).\n - CVE-2016-4439: The esp_reg_write function in the 53C9X Fast SCSI\n Controller (FSC) support did not properly check command buffer length,\n which allowed local guest OS administrators to cause a denial of service\n (out-of-bounds write and QEMU process crash) or potentially execute\n arbitrary code on the host via unspecified vectors (bsc#980716).\n - CVE-2016-3710: The VGA module improperly performed bounds checking on\n banked access to video memory, which allowed local guest OS\n administrators to execute arbitrary code on the host by changing access\n modes after setting the bank register, aka the "Dark Portal" issue\n (bsc#978164).\n - CVE-2016-3960: Integer overflow in the x86 shadow pagetable code allowed\n local guest OS users to cause a denial of service (host crash) or\n possibly gain 
privileges by shadowing a superpage mapping (bsc#974038).\n - CVE-2016-3159: The fpu_fxrstor function in arch/x86/i387.c did not\n properly handle writes to the hardware FSW.ES bit when running on AMD64\n processors, which allowed local guest OS users to obtain sensitive\n register content information from another guest by leveraging pending\n exception and mask bits (bsc#973188).\n - CVE-2016-3158: The xrstor function did not properly handle writes to the\n hardware FSW.ES bit when running on AMD64 processors, which allowed\n local guest OS users to obtain sensitive register content information\n from another guest by leveraging pending exception and mask bits\n (bsc#973188).\n - CVE-2016-4037: The ehci_advance_state function in hw/usb/hcd-ehci.c\n allowed local guest OS administrators to cause a denial of service\n (infinite loop and CPU consumption) via a circular split isochronous\n transfer descriptor (siTD) list (bsc#976111).\n - CVE-2016-4020: The patch_instruction function did not initialize the\n imm32 variable, which allowed local guest OS administrators to obtain\n sensitive information from host stack memory by accessing the Task\n Priority Register (TPR) (bsc#975907).\n - CVE-2016-4001: Buffer overflow in the stellaris_enet_receive function,\n when the Stellaris ethernet controller is configured to accept large\n packets, allowed remote attackers to cause a denial of service (QEMU\n crash) via a large packet (bsc#975130).\n - CVE-2016-4002: Buffer overflow in the mipsnet_receive function, when the\n guest NIC is configured to accept large packets, allowed remote\n attackers to cause a denial of service (memory corruption and QEMU\n crash) or possibly execute arbitrary code via a packet larger than 1514\n bytes (bsc#975138).\n - bsc#978295: x86 software guest page walk PS bit handling flaw (XSA-176)\n - CVE-2016-5403: virtio: unbounded memory allocation on host via guest\n leading to DoS (XSA-184) (bsc#990923)\n - CVE-2016-6351: scsi: esp: OOB write 
access in esp_do_dma (bsc#990843)\n\n These non-security issues were fixed:\n\n - bsc#986586: Out of memory (oom) during boot on "modprobe xenblk" (non\n xen kernel)\n - bsc#900418: Dump cannot be performed on SLES12 XEN\n - bsc#953339: Implement SUSE specific unplug protocol for emulated PCI\n devices in PVonHVM guests to qemu-xen-upstream\n - bsc#953362: Implement SUSE specific unplug protocol for emulated PCI\n devices in PVonHVM guests to qemu-xen-upstream\n - bsc#953518: Implement SUSE specific unplug protocol for emulated PCI\n devices in PVonHVM guests to qemu-xen-upstream\n - bsc#984981: Implement SUSE specific unplug protocol for emulated PCI\n devices in PVonHVM guests to qemu-xen-upstream\n - bsc#954872: Script block-dmmd not working as expected - libxl: error:\n libxl_dm.c (Additional fixes)\n - bsc#982695: qemu fails to boot HVM guest from xvda\n - bsc#958848: HVM guest crash at\n /usr/src/packages/BUILD/xen-4.4.2-testing/obj/default/balloon/balloon.c:407\n\n - bsc#949889: Fail to install 32-bit paravirt VM under SLES12SP1Beta3 XEN\n - bsc#954872: Script block-dmmd not working as expected - libxl: error:\n libxl_dm.c (another modification)\n - bsc#961600: Poor performance when Xen HVM domU configured with max\n memory greater than current memory\n - bsc#963161: Windows VM getting stuck during load while a VF is assigned\n to it after upgrading to latest maintenance updates\n - bsc#976058: Xen error running simple HVM guest (Post Alpha 2 xen+qemu)\n - bsc#973631: AWS EC2 kdump issue\n - bsc#957986: Indirect descriptors are not compatible with Amazon block\n backend\n - bsc#964427: Discarding device blocks: failed - Input/output error\n - bsc#985503: Fixed vif-route\n - bsc#978413: PV guest upgrade from SLES11 SP4 to SLES 12 SP2 alpha3 failed\n\n", "edition": 1, "modified": "2016-08-17T18:08:50", "published": "2016-08-17T18:08:50", "id": "SUSE-SU-2016:2093-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00041.html", "type": 
"suse", "title": "Security update for xen (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-11T17:26:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5106", "CVE-2016-3158", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-6351", "CVE-2016-5126", "CVE-2016-4441", "CVE-2016-3712", "CVE-2016-6834", "CVE-2016-6835", "CVE-2016-4963", "CVE-2016-3960", "CVE-2016-7092", "CVE-2016-4962", "CVE-2016-4952", "CVE-2016-3710", "CVE-2016-7093", "CVE-2016-4480", "CVE-2016-6258", "CVE-2016-5238", "CVE-2016-4002", "CVE-2016-4020", "CVE-2016-7154", "CVE-2016-5337", "CVE-2016-4001", "CVE-2016-7094", "CVE-2016-4037", "CVE-2014-3672", "CVE-2016-6833", "CVE-2016-4439", "CVE-2016-5107", "CVE-2016-4454", "CVE-2014-3615", "CVE-2016-3159", "CVE-2016-6888", "CVE-2016-6836"], "edition": 1, "description": "This update for xen fixes the following issues:\n\n These security issues were fixed:\n - CVE-2016-7092: The get_page_from_l3e function in arch/x86/mm.c in Xen\n allowed local 32-bit PV guest OS administrators to gain host OS\n privileges via vectors related to L3 recursive pagetables (bsc#995785)\n - CVE-2016-7093: Xen allowed local HVM guest OS administrators to\n overwrite hypervisor memory and consequently gain host OS privileges by\n leveraging mishandling of instruction pointer truncation during\n emulation (bsc#995789)\n - CVE-2016-7094: Buffer overflow in Xen allowed local x86 HVM guest OS\n administrators on guests running with shadow paging to cause a denial of\n service via a pagetable update (bsc#995792)\n - CVE-2016-7154: Use-after-free vulnerability in the FIFO event channel\n code in Xen allowed local guest OS administrators to cause a denial of\n service (host crash) and possibly execute arbitrary code or obtain\n sensitive information via an invalid guest frame number (bsc#997731)\n - CVE-2016-6836: VMWARE VMXNET3 NIC device support had an information\n 
leakage. A privileged user inside guest could have used this to leak\n host memory bytes to a guest (boo#994761)\n - CVE-2016-6888: Integer overflow in packet initialisation in VMXNET3\n device driver. A privileged user inside guest could have used this flaw\n to crash the Qemu instance resulting in DoS (bsc#994772)\n - CVE-2016-6833: Use-after-free issue in the VMWARE VMXNET3 NIC device\n support. A privileged user inside guest could have used this issue to\n crash the Qemu instance resulting in DoS (boo#994775)\n - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC device support,\n causing an OOB read access (bsc#994625)\n - CVE-2016-6834: An infinite loop during packet fragmentation in the VMWARE\n VMXNET3 NIC device support allowed a privileged user inside guest to crash\n the Qemu instance resulting in DoS (bsc#994421)\n - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in Xen allowed\n local 32-bit PV guest OS administrators to gain host OS privileges by\n leveraging fast-paths for updating pagetable entries (bsc#988675)\n - CVE-2016-5403: The virtqueue_pop function in hw/virtio/virtio.c in QEMU\n allowed local guest OS administrators to cause a denial of service\n (memory consumption and QEMU process crash) by submitting requests\n without waiting for completion (boo#990923)\n - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c, when built with\n ESP/NCR53C9x controller emulation support, allowed local guest OS\n administrators to cause a denial of service (out-of-bounds write and\n QEMU process crash) or execute arbitrary code on the host via vectors\n involving DMA read into ESP command buffer (bsc#990843)\n - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in Xen allowed\n local 32-bit PV guest OS administrators to gain host OS privileges by\n leveraging fast-paths for updating pagetable entries (bsc#988675)\n - CVE-2016-5337: The megasas_ctrl_get_info function in hw/scsi/megasas.c\n in QEMU allowed local guest OS administrators to 
obtain sensitive host\n memory information via vectors related to reading device control\n information (bsc#983973)\n - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions in\n hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a\n denial of service (QEMU process crash) or execute arbitrary code on the\n QEMU host via vectors related to the information transfer buffer\n (bsc#983984)\n - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in QEMU allowed\n local guest OS administrators to cause a denial of service\n (out-of-bounds write and QEMU process crash) via vectors related to\n reading from the information transfer buffer in non-DMA mode (bsc#982960)\n - CVE-2016-4453: The vmsvga_fifo_run function in hw/display/vmware_vga.c\n in QEMU allowed local guest OS administrators to cause a denial of\n service (infinite loop and QEMU process crash) via a VGA command\n (bsc#982225)\n - CVE-2016-4454: The vmsvga_fifo_read_raw function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to\n obtain sensitive host memory information or cause a denial of service\n (QEMU process crash) by changing FIFO registers and issuing a VGA\n command, which triggers an out-of-bounds read (bsc#982224)\n - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl\n function in block/iscsi.c in QEMU allowed local guest OS users to cause\n a denial of service (QEMU process crash) or possibly execute arbitrary\n code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982286)\n - CVE-2016-5105: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c\n in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation\n support, used an uninitialized variable, which allowed local guest\n administrators to read host memory via vectors involving a MegaRAID\n Firmware Interface (MFI) command (bsc#982024)\n - CVE-2016-5106: The megasas_dcmd_set_properties function in\n hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 
8708EM2 Host Bus\n Adapter emulation support, allowed local guest administrators to cause a\n denial of service (out-of-bounds write access) via vectors involving a\n MegaRAID Firmware Interface (MFI) command (bsc#982025)\n - CVE-2016-5107: The megasas_lookup_frame function in QEMU, when built\n with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed\n local guest OS administrators to cause a denial of service\n (out-of-bounds read and crash) via unspecified vectors (bsc#982026)\n - CVE-2016-4963: The libxl device-handling allowed local guest OS users\n with access to the driver domain to cause a denial of service\n (management tool confusion) by manipulating information in the backend\n directories in xenstore (bsc#979670)\n - CVE-2016-4962: The libxl device-handling allowed local OS guest\n administrators to cause a denial of service (resource consumption or\n management facility confusion) or gain host OS privileges by\n manipulating information in guest controlled areas of xenstore\n (bsc#979620)\n - CVE-2016-4952: Out-of-bounds access issue in pvsci_ring_init_msg/data\n routines (bsc#981276)\n - CVE-2014-3672: The qemu implementation in libvirt Xen allowed local\n guest OS users to cause a denial of service (host disk consumption) by\n writing to stdout or stderr (bsc#981264)\n - CVE-2016-4441: The get_cmd function in the 53C9X Fast SCSI Controller\n (FSC) support did not properly check DMA length, which allowed local\n guest OS administrators to cause a denial of service (out-of-bounds\n write and QEMU process crash) via unspecified vectors, involving an SCSI\n command (bsc#980724)\n - CVE-2016-4439: The esp_reg_write function in the 53C9X Fast SCSI\n Controller (FSC) support did not properly check command buffer length,\n which allowed local guest OS administrators to cause a denial of service\n (out-of-bounds write and QEMU process crash) or potentially execute\n arbitrary code on the host via unspecified vectors (bsc#980716)\n - 
CVE-2016-3710: The VGA module improperly performed bounds checking on\n banked access to video memory, which allowed local guest OS\n administrators to execute arbitrary code on the host by changing access\n modes after setting the bank register, aka the "Dark Portal" issue\n (bsc#978164)\n - CVE-2016-3960: Integer overflow in the x86 shadow pagetable code allowed\n local guest OS users to cause a denial of service (host crash) or\n possibly gain privileges by shadowing a superpage mapping (bsc#974038)\n - CVE-2016-4037: The ehci_advance_state function in hw/usb/hcd-ehci.c\n allowed local guest OS administrators to cause a denial of service\n (infinite loop and CPU consumption) via a circular split isochronous\n transfer descriptor (siTD) list (bsc#976111)\n - CVE-2016-4020: The patch_instruction function did not initialize the\n imm32 variable, which allowed local guest OS administrators to obtain\n sensitive information from host stack memory by accessing the Task\n Priority Register (TPR) (bsc#975907)\n - CVE-2016-4001: Buffer overflow in the stellaris_enet_receive function,\n when the Stellaris ethernet controller is configured to accept large\n packets, allowed remote attackers to cause a denial of service (QEMU\n crash) via a large packet (bsc#975130)\n - CVE-2016-4002: Buffer overflow in the mipsnet_receive function, when the\n guest NIC is configured to accept large packets, allowed remote\n attackers to cause a denial of service (memory corruption and QEMU\n crash) or possibly execute arbitrary code via a packet larger than 1514\n bytes (bsc#975138)\n - CVE-2016-3158: The xrstor function did not properly handle writes to the\n hardware FSW.ES bit when running on AMD64 processors, which allowed\n local guest OS users to obtain sensitive register content information\n from another guest by leveraging pending exception and mask bits\n (bsc#973188)\n - CVE-2016-3159: The fpu_fxrstor function in arch/x86/i387.c did not\n properly handle writes to the hardware 
FSW.ES bit when running on AMD64\n processors, which allowed local guest OS users to obtain sensitive\n register content information from another guest by leveraging pending\n exception and mask bits (bsc#973188)\n - CVE-2016-4480: The guest_walk_tables function in\n arch/x86/mm/guest_walk.c in Xen did not properly handle the Page Size\n (PS) page table entry bit at the L4 and L3 page table levels, which\n might have allowed local guest OS users to gain privileges via a crafted\n mapping of memory (bsc#978295)\n\n These non-security issues were fixed:\n - boo#991934: xen hypervisor crash in csched_acct\n - boo#992224: [HPS Bug] During boot of Xen Hypervisor, Failed to get\n contiguous memory for DMA from Xen\n - boo#970135: new virtualization project clock test randomly fails on Xen\n - boo#971949 xl: Support (by ignoring) xl migrate --live. xl migrations\n are always live\n - boo#990970: Add PMU support for Intel E7-8867 v4 (fam=6, model=79)\n - boo#985503: vif-route broken\n - boo#978413: PV guest upgrade from sles11sp4 to sles12sp2 alpha3 failed\n on sles11sp4 xen host\n - boo#986586: out of memory (oom) during boot on "modprobe xenblk" (non\n xen kernel)\n - boo#953339, boo#953362, boo#953518, boo#984981) boo#953339, boo#953362,\n boo#953518, boo#984981: Implement SUSE specific unplug protocol for\n emulated PCI devices in PVonHVM guests to qemu-xen-upstream\n - boo#958848: HVM guest crash at /usr/src/packages/BUILD/\n xen-4.4.2-testing/obj/default/balloon/balloon.c:407\n - boo#982695: xen-4.5.2 qemu fails to boot HVM guest from xvda\n - boo#954872: script block-dmmd not working as expected\n - boo#961600: L3: poor performance when Xen HVM domU configured with max\n memory greater than current memory\n - boo#979035: restore xm migrate fixes for boo#955399/ boo#955399\n - boo#963161: Windows VM getting stuck during load while a VF is assigned\n to it after upgrading to latest maintenance updates boo#963161\n - boo#976058: Xen error running simple HVM guest (Post 
Alpha 2 xen+qemu)\n - boo#973631: AWS EC2 kdump issue\n - boo#961100: Migrate a fv guest from sles12 to sles12sp1 on xen fails for\n "Domain is not running on destination host".\n - boo#964427: Discarding device blocks: failed - Input/output error\n\n", "modified": "2016-10-11T19:20:30", "published": "2016-10-11T19:20:30", "id": "OPENSUSE-SU-2016:2497-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00022.html", "type": "suse", "title": "Security update for xen (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-13T21:27:46", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5106", "CVE-2016-3158", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-6351", "CVE-2016-5126", "CVE-2016-4441", "CVE-2016-3712", "CVE-2016-6834", "CVE-2016-6835", "CVE-2016-4963", "CVE-2016-3960", "CVE-2016-7092", "CVE-2016-4962", "CVE-2016-4952", "CVE-2016-3710", "CVE-2016-7093", "CVE-2016-4480", "CVE-2016-6258", "CVE-2016-5238", "CVE-2016-4002", "CVE-2016-4020", "CVE-2016-7154", "CVE-2016-5337", "CVE-2016-4001", "CVE-2016-7094", "CVE-2016-4037", "CVE-2014-3672", "CVE-2016-6833", "CVE-2016-4439", "CVE-2016-5107", "CVE-2016-4454", "CVE-2014-3615", "CVE-2016-3159", "CVE-2016-6888", "CVE-2016-6836"], "edition": 1, "description": "This update for xen fixes several issues.\n\n These security issues were fixed:\n - CVE-2014-3672: The qemu implementation in libvirt Xen allowed local\n guest OS users to cause a denial of service (host disk consumption) by\n writing to stdout or stderr (bsc#981264).\n - CVE-2016-3158: The xrstor function did not properly handle writes to the\n hardware FSW.ES bit when running on AMD64 processors, which allowed\n local guest OS users to obtain sensitive register content information\n from another guest by leveraging pending exception and mask bits\n (bsc#973188).\n - CVE-2016-3159: The fpu_fxrstor function in arch/x86/i387.c did not\n 
properly handle writes to the hardware FSW.ES bit when running on AMD64\n processors, which allowed local guest OS users to obtain sensitive\n register content information from another guest by leveraging pending\n exception and mask bits (bsc#973188).\n - CVE-2016-3710: The VGA module improperly performed bounds checking on\n banked access to video memory, which allowed local guest OS\n administrators to execute arbitrary code on the host by changing access\n modes after setting the bank register, aka the "Dark Portal" issue\n (bsc#978164)\n - CVE-2016-3960: Integer overflow in the x86 shadow pagetable code allowed\n local guest OS users to cause a denial of service (host crash) or\n possibly gain privileges by shadowing a superpage mapping (bsc#974038).\n - CVE-2016-4001: Buffer overflow in the stellaris_enet_receive function,\n when the Stellaris ethernet controller is configured to accept large\n packets, allowed remote attackers to cause a denial of service (QEMU\n crash) via a large packet (bsc#975130).\n - CVE-2016-4002: Buffer overflow in the mipsnet_receive function, when the\n guest NIC is configured to accept large packets, allowed remote\n attackers to cause a denial of service (memory corruption and QEMU\n crash) or possibly execute arbitrary code via a packet larger than 1514\n bytes (bsc#975138).\n - CVE-2016-4020: The patch_instruction function did not initialize the\n imm32 variable, which allowed local guest OS administrators to obtain\n sensitive information from host stack memory by accessing the Task\n Priority Register (TPR) (bsc#975907)\n - CVE-2016-4037: The ehci_advance_state function in hw/usb/hcd-ehci.c\n allowed local guest OS administrators to cause a denial of service\n (infinite loop and CPU consumption) via a circular split isochronous\n transfer descriptor (siTD) list (bsc#976111)\n - CVE-2016-4439: The esp_reg_write function in the 53C9X Fast SCSI\n Controller (FSC) support did not properly check command buffer length,\n which 
allowed local guest OS administrators to cause a denial of service\n (out-of-bounds write and QEMU process crash) or potentially execute\n arbitrary code on the host via unspecified vectors (bsc#980716)\n - CVE-2016-4441: The get_cmd function in the 53C9X Fast SCSI Controller\n (FSC) support did not properly check DMA length, which allowed local\n guest OS administrators to cause a denial of service (out-of-bounds\n write and QEMU process crash) via unspecified vectors, involving an SCSI\n command (bsc#980724)\n - CVE-2016-4453: The vmsvga_fifo_run function allowed local guest OS\n administrators to cause a denial of service (infinite loop and QEMU\n process crash) via a VGA command (bsc#982225)\n - CVE-2016-4454: The vmsvga_fifo_read_raw function allowed local guest OS\n administrators to obtain sensitive host memory information or cause a\n denial of service (QEMU process crash) by changing FIFO registers and\n issuing a VGA command, which triggered an out-of-bounds read (bsc#982224)\n - CVE-2016-4480: The guest_walk_tables function in\n arch/x86/mm/guest_walk.c in Xen did not properly handle the Page Size\n (PS) page table entry bit at the L4 and L3 page table levels, which\n might have allowed local guest OS users to gain privileges via a crafted\n mapping of memory (bsc#978295).\n - CVE-2016-4952: Out-of-bounds access issue in pvsci_ring_init_msg/data\n routines (bsc#981276)\n - CVE-2016-4962: The libxl device-handling allowed local OS guest\n administrators to cause a denial of service (resource consumption or\n management facility confusion) or gain host OS privileges by\n manipulating information in guest controlled areas of xenstore\n (bsc#979620)\n - CVE-2016-4963: The libxl device-handling allowed local guest OS users\n with access to the driver domain to cause a denial of service\n (management tool confusion) by manipulating information in the backend\n directories in xenstore (bsc#979670)\n - CVE-2016-5105: Stack information leakage while reading 
configuration\n (bsc#982024)\n - CVE-2016-5106: Out-of-bounds write while setting controller properties\n (bsc#982025)\n - CVE-2016-5107: Out-of-bounds read in megasas_lookup_frame() function\n (bsc#982026)\n - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl\n function allowed local guest OS users to cause a denial of service (QEMU\n process crash) or possibly execute arbitrary code via a crafted iSCSI\n asynchronous I/O ioctl call (bsc#982286)\n - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c might have allowed\n local guest OS administrators to cause a denial of service\n (out-of-bounds write and QEMU process crash) via vectors related to\n reading from the information transfer buffer in non-DMA mode (bsc#982960)\n - CVE-2016-5337: The megasas_ctrl_get_info function allowed local guest OS\n administrators to obtain sensitive host memory information via vectors\n related to reading device control information (bsc#983973)\n - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions\n allowed local guest OS administrators to cause a denial of service (QEMU\n process crash) or execute arbitrary code on the host via vectors related\n to the information transfer buffer (bsc#983984)\n - CVE-2016-5403: virtio: unbounded memory allocation on host via guest\n leading to DoS (XSA-184) (bsc#990923)\n - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in Xen allowed\n local 32-bit PV guest OS administrators to gain host OS privileges by\n leveraging fast-paths for updating pagetable entries (bsc#988675)\n - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c, when built with\n ESP/NCR53C9x controller emulation support, allowed local guest OS\n administrators to cause a denial of service (out-of-bounds write and\n QEMU process crash) or execute arbitrary code on the host via vectors\n involving DMA read into ESP command buffer (bsc#990843).\n - CVE-2016-6833: A use-after-free issue in the VMWARE VMXNET3 NIC device\n support allowed 
privileged user inside guest to crash the Qemu instance\n resulting in DoS (bsc#994775).\n - CVE-2016-6834: A infinite loop during packet fragmentation in the VMWARE\n VMXNET3 NIC device support allowed privileged user inside guest to crash\n the Qemu instance resulting in DoS (bsc#994421).\n - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC device support,\n causing an OOB read access (bsc#994625).\n - CVE-2016-6836: VMWARE VMXNET3 NIC device allowed privileged user inside\n the guest to leak information. It occured while processing transmit(tx)\n queue, when it reaches the end of packet (bsc#994761).\n - CVE-2016-6888: A integer overflow int the VMWARE VMXNET3 NIC device\n support, during the initialisation of new packets in the device, could\n have allowed a privileged user inside guest to crash the Qemu instance\n resulting in DoS (bsc#994772).\n - CVE-2016-7092: The get_page_from_l3e function in arch/x86/mm.c in Xen\n allowed local 32-bit PV guest OS administrators to gain host OS\n privileges via vectors related to L3 recursive pagetables (bsc#995785)\n - CVE-2016-7093: Xen allowed local HVM guest OS administrators to\n overwrite hypervisor memory and consequently gain host OS privileges by\n leveraging mishandling of instruction pointer truncation during\n emulation (bsc#995789)\n - CVE-2016-7094: Buffer overflow in Xen allowed local x86 HVM guest OS\n administrators on guests running with shadow paging to cause a denial of\n service via a pagetable update (bsc#995792)\n - CVE-2016-7154: Use-after-free vulnerability in the FIFO event channel\n code in Xen allowed local guest OS administrators to cause a denial of\n service (host crash) and possibly execute arbitrary code or obtain\n sensitive information via an invalid guest frame number (bsc#997731).\n\n These non-security issues were fixed:\n - bsc#991934: Hypervisor crash in csched_acct\n - bsc#992224: During boot of Xen Hypervisor, failed to get contiguous\n memory for DMA\n - bsc#970135: New 
virtualization project clock test randomly fails on Xen\n - bsc#971949: xl: Support (by ignoring) xl migrate --live. xl migrations\n are always live\n - bsc#990970: Add PMU support for Intel E7-8867 v4 (fam=6, model=79)\n - bsc#985503: vif-route broken\n - bsc#978413: PV guest upgrade from sles11sp4 to sles12sp2 alpha3 failed\n on sles11sp4 xen host.\n - bsc#986586: Out of memory (oom) during boot on "modprobe xenblk" (non\n xen kernel)\n - bsc#953339, bsc#953362, bsc#953518, bsc#984981: Implement SUSE specific\n unplug protocol for emulated PCI devices in PVonHVM guests to\n qemu-xen-upstream\n - bsc#958848: HVM guest crash at /usr/src/packages/BUILD/\n xen-4.4.2-testing/obj/default/balloon/balloon.c:407\n - bsc#982695: xen-4.5.2 qemu fails to boot HVM guest from xvda\n - bsc#954872: script block-dmmd not working as expected\n - bsc#961600: : poor performance when Xen HVM domU configured with max\n memory > current memory\n - bsc#979035: Restore xm migrate fixes for bsc#955399/ bsc#955399\n - bsc#963161: Windows VM getting stuck during load while a VF is assigned\n to it\n - bsc#976058: Xen error running simple HVM guest (Post Alpha 2 xen+qemu)\n - bsc#957986: Indirect descriptors are not compatible with Amazon block\n backend\n - bsc#973631: AWS EC2 kdump issue\n - bsc#964427: Discarding device blocks failed with input/output error\n\n", "modified": "2016-10-13T21:09:33", "published": "2016-10-13T21:09:33", "id": "SUSE-SU-2016:2533-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00028.html", "type": "suse", "title": "Security update for xen (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-11T17:26:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5106", "CVE-2016-3158", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-6351", "CVE-2016-5126", "CVE-2015-8558", "CVE-2015-8613", "CVE-2016-4441", "CVE-2016-3712", 
"CVE-2016-6834", "CVE-2016-6835", "CVE-2016-4963", "CVE-2016-6259", "CVE-2016-3960", "CVE-2016-7092", "CVE-2016-4962", "CVE-2015-7512", "CVE-2016-4952", "CVE-2016-3710", "CVE-2016-7093", "CVE-2016-4480", "CVE-2016-6258", "CVE-2015-8568", "CVE-2016-5238", "CVE-2016-4002", "CVE-2016-4020", "CVE-2016-5337", "CVE-2015-8743", "CVE-2016-4001", "CVE-2016-7094", "CVE-2016-4037", "CVE-2014-3672", "CVE-2016-1714", "CVE-2016-1981", "CVE-2016-6833", "CVE-2015-8504", "CVE-2016-4439", "CVE-2016-5107", "CVE-2016-4454", "CVE-2014-3615", "CVE-2016-3159", "CVE-2016-6888", "CVE-2016-6836"], "edition": 1, "description": "This update for xen fixes the following issues:\n\n These security issues were fixed:\n - CVE-2016-7092: The get_page_from_l3e function in arch/x86/mm.c in Xen\n allowed local 32-bit PV guest OS administrators to gain host OS\n privileges via vectors related to L3 recursive pagetables (bsc#995785)\n - CVE-2016-7093: Xen allowed local HVM guest OS administrators to\n overwrite hypervisor memory and consequently gain host OS privileges by\n leveraging mishandling of instruction pointer truncation during\n emulation (bsc#995789)\n - CVE-2016-7094: Buffer overflow in Xen allowed local x86 HVM guest OS\n administrators on guests running with shadow paging to cause a denial of\n service via a pagetable update (bsc#995792)\n - CVE-2016-6836: VMWARE VMXNET3 NIC device support was leaging information\n leakage. A privileged user inside guest could have used this to leak\n host memory bytes to a guest (boo#994761)\n - CVE-2016-6888: Integer overflow in packet initialisation in VMXNET3\n device driver. A privileged user inside guest could have used this flaw\n to crash the Qemu instance resulting in DoS (bsc#994772)\n - CVE-2016-6833: Use-after-free issue in the VMWARE VMXNET3 NIC device\n support. 
A privileged user inside guest could have used this issue to\n crash the Qemu instance resulting in DoS (boo#994775)\n - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC device support,\n causing an OOB read access (bsc#994625)\n - CVE-2016-6834: A infinite loop during packet fragmentation in the VMWARE\n VMXNET3 NIC device support allowed privileged user inside guest to crash\n the Qemu instance resulting in DoS (bsc#994421)\n - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in Xen allowed\n local 32-bit PV guest OS administrators to gain host OS privileges by\n leveraging fast-paths for updating pagetable entries (bsc#988675)\n - CVE-2016-6259: Xen did not implement Supervisor Mode Access Prevention\n (SMAP) whitelisting in 32-bit exception and event delivery, which\n allowed local 32-bit PV guest OS kernels to cause a denial of service\n (hypervisor and VM crash) by triggering a safety check (bsc#988676)\n - CVE-2016-5403: The virtqueue_pop function in hw/virtio/virtio.c in QEMU\n allowed local guest OS administrators to cause a denial of service\n (memory consumption and QEMU process crash) by submitting requests\n without waiting for completion (boo#990923)\n - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c, when built with\n ESP/NCR53C9x controller emulation support, allowed local guest OS\n administrators to cause a denial of service (out-of-bounds write and\n QEMU process crash) or execute arbitrary code on the host via vectors\n involving DMA read into ESP command buffer (bsc#990843)\n - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in Xen allowed\n local 32-bit PV guest OS administrators to gain host OS privileges by\n leveraging fast-paths for updating pagetable entries (bsc#988675)\n - CVE-2016-6259: Xen did not implement Supervisor Mode Access Prevention\n (SMAP) whitelisting in 32-bit exception and event delivery, which\n allowed local 32-bit PV guest OS kernels to cause a denial of service\n (hypervisor and VM crash) 
by triggering a safety check (bsc#988676)\n - CVE-2016-5337: The megasas_ctrl_get_info function in hw/scsi/megasas.c\n in QEMU allowed local guest OS administrators to obtain sensitive host\n memory information via vectors related to reading device control\n information (bsc#983973)\n - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions in\n hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a\n denial of service (QEMU process crash) or execute arbitrary code on the\n QEMU host via vectors related to the information transfer buffer\n (bsc#983984)\n - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in QEMU allowed\n local guest OS administrators to cause a denial of service\n (out-of-bounds write and QEMU process crash) via vectors related to\n reading from the information transfer buffer in non-DMA mode (bsc#982960)\n - CVE-2016-4453: The vmsvga_fifo_run function in hw/display/vmware_vga.c\n in QEMU allowed local guest OS administrators to cause a denial of\n service (infinite loop and QEMU process crash) via a VGA command\n (bsc#982225)\n - CVE-2016-4454: The vmsvga_fifo_read_raw function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to\n obtain sensitive host memory information or cause a denial of service\n (QEMU process crash) by changing FIFO registers and issuing a VGA\n command, which triggers an out-of-bounds read (bsc#982224)\n - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl\n function in block/iscsi.c in QEMU allowed local guest OS users to cause\n a denial of service (QEMU process crash) or possibly execute arbitrary\n code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982286)\n - CVE-2016-5105: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c\n in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation\n support, used an uninitialized variable, which allowed local guest\n administrators to read host memory via vectors involving a 
MegaRAID\n Firmware Interface (MFI) command (bsc#982024)\n - CVE-2016-5106: The megasas_dcmd_set_properties function in\n hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus\n Adapter emulation support, allowed local guest administrators to cause a\n denial of service (out-of-bounds write access) via vectors involving a\n MegaRAID Firmware Interface (MFI) command (bsc#982025)\n - CVE-2016-5107: The megasas_lookup_frame function in QEMU, when built\n with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed\n local guest OS administrators to cause a denial of service\n (out-of-bounds read and crash) via unspecified vectors (bsc#982026)\n - CVE-2016-4963: The libxl device-handling allowed local guest OS users\n with access to the driver domain to cause a denial of service\n (management tool confusion) by manipulating information in the backend\n directories in xenstore (bsc#979670)\n - CVE-2016-4962: The libxl device-handling allowed local OS guest\n administrators to cause a denial of service (resource consumption or\n management facility confusion) or gain host OS privileges by\n manipulating information in guest controlled areas of xenstore\n (bsc#979620)\n - CVE-2016-4952: Out-of-bounds access issue in pvsci_ring_init_msg/data\n routines (bsc#981276)\n - CVE-2016-3710: The VGA module improperly performed bounds checking on\n banked access to video memory, which allowed local guest OS\n administrators to execute arbitrary code on the host by changing access\n modes after setting the bank register, aka the "Dark Portal" issue\n (bsc#978164)\n - CVE-2014-3672: The qemu implementation in libvirt Xen allowed local\n guest OS users to cause a denial of service (host disk consumption) by\n writing to stdout or stderr (bsc#981264)\n - CVE-2016-4441: The get_cmd function in the 53C9X Fast SCSI Controller\n (FSC) support did not properly check DMA length, which allowed local\n guest OS administrators to cause a denial of service 
(out-of-bounds\n write and QEMU process crash) via unspecified vectors, involving an SCSI\n command (bsc#980724)\n - CVE-2016-4439: The esp_reg_write function in the 53C9X Fast SCSI\n Controller (FSC) support did not properly check command buffer length,\n which allowed local guest OS administrators to cause a denial of service\n (out-of-bounds write and QEMU process crash) or potentially execute\n arbitrary code on the host via unspecified vectors (bsc#980716)\n - CVE-2016-3960: Integer overflow in the x86 shadow pagetable code allowed\n local guest OS users to cause a denial of service (host crash) or\n possibly gain privileges by shadowing a superpage mapping (bsc#974038)\n - CVE-2016-3158: The xrstor function did not properly handle writes to the\n hardware FSW.ES bit when running on AMD64 processors, which allowed\n local guest OS users to obtain sensitive register content information\n from another guest by leveraging pending exception and mask bits\n (bsc#973188)\n - CVE-2016-3159: The fpu_fxrstor function in arch/x86/i387.c did not\n properly handle writes to the hardware FSW.ES bit when running on AMD64\n processors, which allowed local guest OS users to obtain sensitive\n register content information from another guest by leveraging pending\n exception and mask bits (bsc#973188)\n - CVE-2016-4037: The ehci_advance_state function in hw/usb/hcd-ehci.c\n allowed local guest OS administrators to cause a denial of service\n (infinite loop and CPU consumption) via a circular split isochronous\n transfer descriptor (siTD) list (bsc#976111)\n - CVE-2016-4020: The patch_instruction function did not initialize the\n imm32 variable, which allowed local guest OS administrators to obtain\n sensitive information from host stack memory by accessing the Task\n Priority Register (TPR) (bsc#975907)\n - CVE-2016-4001: Buffer overflow in the stellaris_enet_receive function,\n when the Stellaris ethernet controller is configured to accept large\n packets, allowed remote 
attackers to cause a denial of service (QEMU\n crash) via a large packet (bsc#975130)\n - CVE-2016-4002: Buffer overflow in the mipsnet_receive function, when the\n guest NIC is configured to accept large packets, allowed remote\n attackers to cause a denial of service (memory corruption and QEMU\n crash) or possibly execute arbitrary code via a packet larger than 1514\n bytes (bsc#975138)\n - CVE-2016-4480: The guest_walk_tables function in\n arch/x86/mm/guest_walk.c in Xen did not properly handle the Page Size\n (PS) page table entry bit at the L4 and L3 page table levels, which\n might have allowed local guest OS users to gain privileges via a crafted\n mapping of memory (bsc#978295)\n\n These non-security issues were fixed:\n - boo#991934: xen hypervisor crash in csched_acct\n - boo#992224: During boot of Xen Hypervisor, Failed to get contiguous\n memory for DMA from Xen\n - boo#955104: Virsh reports error "one or more references were leaked\n after disconnect from hypervisor" when "virsh save" failed due to "no\n response from client after 6 keepalive messages"\n - boo#959552: Migration of HVM guest leads into libvirt segmentation fault\n - boo#993665: Migration of xen guests finishes in: One or more references\n were leaked after disconnect from the hypervisor\n - boo#959330: Guest migrations using virsh results in error "Internal\n error: received hangup / error event on socket"\n - boo#990500: VM virsh migration fails with keepalive error:\n ":virKeepAliveTimerInternal:143 : No response from client"\n - boo#953518: Unplug also SCSI disks in qemu-xen-traditional for upstream\n unplug protocol\n - boo#953518: xen_platform: unplug also SCSI disks in qemu-xen\n - boo#971949: Support (by ignoring) xl migrate --live. 
xl migrations are\n always live\n - boo#970135: New virtualization project clock test randomly fails on Xen\n - boo#990970: Add PMU support for Intel E7-8867 v4 (fam=6, model=79)\n - boo#985503: vif-route broken\n - boo#961100: Migrate a fv guest from sles12 to sles12sp1 fails remove\n patch because it can not fix the bug\n - boo#978413: PV guest upgrade from sles11sp4 to sles12sp2 alpha3 failed\n on sles11sp4 xen host.\n - boo#986586: Out of memory (oom) during boot on "modprobe xenblk" (non\n xen kernel) init.50-hvm-xen_conf\n - boo#900418: Dump cannot be performed on SLES12 XEN\n - boo#953339, boo#953362, boo#953518, boo#984981: Implement SUSE specific\n unplug protocol for emulated PCI devices in PVonHVM guests to\n qemu-xen-upstream\n - boo#954872: script block-dmmd not working as expected - libxl: error:\n libxl_dm.c (Additional fixes) block-dmmd\n - boo#982695: xen-4.5.2 qemu fails to boot HVM guest from xvda\n - boo#958848: HVM guest crash at /usr/src/packages/BUILD/\n xen-4.4.2-testing/obj/default/balloon/balloon.c:407\n - boo#949889: Fail to install 32-bit paravirt VM under SLES12SP1Beta3 XEN\n - boo#954872: script block-dmmd not working as expected - libxl: error:\n libxl_dm.c (another modification) block-dmmd\n - boo#961600: Poor performance when Xen HVM domU configured with max\n memory greater than current memory\n - boo#963161: Windows VM getting stuck during load while a VF is assigned\n to it after upgrading to latest maintenance updates\n - boo#976058: Xen error running simple HVM guest (Post Alpha 2 xen+qemu)\n - boo#961100: Migrate a fv guest from sles12 to sles12sp1 on xen fails for\n "Domain is not running on destination host".\n qemu-ignore-kvm-tpr-opt-on-migration.patch\n - boo#973631: AWS EC2 kdump issue\n - boo#964427: Discarding device blocks: failed - Input/output error\n\n", "modified": "2016-10-11T19:08:23", "published": "2016-10-11T19:08:23", "id": "OPENSUSE-SU-2016:2494-1", "href": 
"http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00020.html", "type": "suse", "title": "Security update for xen (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-07T13:27:36", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6834", "CVE-2016-6835", "CVE-2016-6259", "CVE-2016-7092", "CVE-2016-7093", "CVE-2016-6258", "CVE-2016-7094", "CVE-2016-6833", "CVE-2016-6888", "CVE-2016-6836"], "edition": 1, "description": "This update for xen fixes several issues.\n\n These security issues were fixed:\n - CVE-2016-7092: The get_page_from_l3e function in arch/x86/mm.c in Xen\n allowed local 32-bit PV guest OS administrators to gain host OS\n privileges via vectors related to L3 recursive pagetables (bsc#995785).\n - CVE-2016-7093: Xen allowed local HVM guest OS administrators to\n overwrite hypervisor memory and consequently gain host OS privileges by\n leveraging mishandling of instruction pointer truncation during\n emulation (bsc#995789).\n - CVE-2016-7094: Buffer overflow in Xen allowed local x86 HVM guest OS\n administrators on guests running with shadow paging to cause a denial of\n service via a pagetable update (bsc#995792).\n - CVE-2016-6836: Information leakage in vmxnet3_complete_packet\n (bsc#994761).\n - CVE-2016-6888: Integer overflow in packet initialisation in VMXNET3\n device driver. Aprivileged user inside guest c... (bsc#994772).\n - CVE-2016-6833: Use after free while writing (bsc#994775).\n - CVE-2016-6835: Buffer overflow in vmxnet_tx_pkt_parse_headers() in\n vmxnet3 deviceemulation. 
(bsc#994625).\n - CVE-2016-6834: An infinite loop during packet fragmentation (bsc#994421).\n - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in Xen allowed\n local 32-bit PV guest OS administrators to gain host OS privileges by\n leveraging fast-paths for updating pagetable entries (bsc#988675).\n - CVE-2016-6259: Xen did not implement Supervisor Mode Access Prevention\n (SMAP) whitelisting in 32-bit exception and event delivery, which\n allowed local 32-bit PV guest OS kernels to cause a denial of service\n (hypervisor and VM crash) by triggering a safety check (bsc#988676).\n\n These non-security issues were fixed:\n - bsc#991934: Hypervisor crash in csched_acct\n - bsc#992224: During boot of Xen Hypervisor, failed to get contiguous\n memory for DMA\n - bsc#955104: Virsh reports error "one or more references were leaked\n after disconnect from hypervisor" when "virsh save" failed due to "no\n response from client after 6 keepalive messages"\n - bsc#959552: Migration of HVM guest leads into libvirt segmentation fault\n - bsc#993665: Migration of xen guests finishes in: One or more references\n were leaked after disconnect from the hypervisor\n - bsc#959330: Guest migrations using virsh results in error "Internal\n error: received hangup / error event on socket"\n - bsc#990500: VM virsh migration fails with keepalive error:\n ":virKeepAliveTimerInternal:143 : No response from client"\n - bsc#953518: Unplug also SCSI disks in qemu-xen-traditional for upstream\n unplug protocol\n - bsc#953518: xen_platform: unplug also SCSI disks in qemu-xen\n - bsc#971949: xl: Support (by ignoring) xl migrate --live. 
xl migrations\n are always live\n - bsc#970135: New virtualization project clock test randomly fails on Xen\n - bsc#990970: Add PMU support for Intel E7-8867 v4 (fam=6, model=79)\n\n", "modified": "2016-10-07T14:09:00", "published": "2016-10-07T14:09:00", "id": "SUSE-SU-2016:2473-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00014.html", "type": "suse", "title": "Security update for xen (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-20T12:29:23", "description": "qemu was updated to fix 19 security issues.\n\nThese security issues were fixed :\n\n - CVE-2016-2392: The is_rndis function in the USB Net\n device emulator (hw/usb/dev-network.c) in QEMU did not\n properly validate USB configuration descriptor objects,\n which allowed local guest OS administrators to cause a\n denial of service (NULL pointer dereference and QEMU\n process crash) via vectors involving a remote NDIS\n control message packet (bsc#967012)\n\n - CVE-2016-2391: The ohci_bus_start function in the USB\n OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU\n allowed local guest OS administrators to cause a denial\n of service (NULL pointer dereference and QEMU process\n crash) via vectors related to multiple eof_timers\n (bsc#967013)\n\n - CVE-2016-5106: The megasas_dcmd_set_properties function\n in hw/scsi/megasas.c in QEMU, when built with MegaRAID\n SAS 8708EM2 Host Bus Adapter emulation support, allowed\n local guest administrators to cause a denial of service\n (out-of-bounds write access) via vectors involving a\n MegaRAID Firmware Interface (MFI) command (bsc#982018)\n\n - CVE-2016-5105: The megasas_dcmd_cfg_read function in\n hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS\n 8708EM2 Host Bus Adapter emulation support, used an\n uninitialized variable, which allowed local guest\n administrators to read host memory via vectors involving\n a MegaRAID Firmware 
Interface (MFI) command (bsc#982017)\n\n - CVE-2016-5107: The megasas_lookup_frame function in\n QEMU, when built with MegaRAID SAS 8708EM2 Host Bus\n Adapter emulation support, allowed local guest OS\n administrators to cause a denial of service\n (out-of-bounds read and crash) via unspecified vectors\n (bsc#982019)\n\n - CVE-2016-5126: Heap-based buffer overflow in the\n iscsi_aio_ioctl function in block/iscsi.c in QEMU\n allowed local guest OS users to cause a denial of\n service (QEMU process crash) or possibly execute\n arbitrary code via a crafted iSCSI asynchronous I/O\n ioctl call (bsc#982285)\n\n - CVE-2016-4454: The vmsvga_fifo_read_raw function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information or cause a denial of service (QEMU process\n crash) by changing FIFO registers and issuing a VGA\n command, which triggers an out-of-bounds read\n (bsc#982222)\n\n - CVE-2016-4453: The vmsvga_fifo_run function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to cause a denial of service (infinite\n loop and QEMU process crash) via a VGA command\n (bsc#982223)\n\n - CVE-2016-5338: The (1) esp_reg_read and (2)\n esp_reg_write functions in hw/scsi/esp.c in QEMU allowed\n local guest OS administrators to cause a denial of\n service (QEMU process crash) or execute arbitrary code\n on the QEMU host via vectors related to the information\n transfer buffer (bsc#983982)\n\n - CVE-2016-5337: The megasas_ctrl_get_info function in\n hw/scsi/megasas.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information via vectors related to reading device\n control information (bsc#983961)\n\n - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in\n QEMU allowed local guest OS administrators to cause a\n denial of service (out-of-bounds write and QEMU process\n crash) via vectors related to reading from the\n information transfer buffer in non-DMA 
mode (bsc#982959)\n\n - CVE-2016-5403: The virtqueue_pop function in\n hw/virtio/virtio.c in QEMU allowed local guest OS\n administrators to cause a denial of service (memory\n consumption and QEMU process crash) by submitting\n requests without waiting for completion (bsc#991080)\n\n - CVE-2016-6490: Infinite loop in the virtio framework. A\n privileged user inside the guest could have used this\n flaw to crash the Qemu instance on the host resulting in\n DoS (bsc#991466)\n\n - CVE-2016-6888: Integer overflow in packet initialisation\n in VMXNET3 device driver. A privileged user inside guest\n could have used this flaw to crash the Qemu instance\n resulting in DoS (bsc#994771)\n\n - CVE-2016-6833: Use-after-free issue in the VMWARE\n VMXNET3 NIC device support. A privileged user inside\n guest could have used this issue to crash the Qemu\n instance resulting in DoS (bsc#994774)\n\n - CVE-2016-7116: Host directory sharing via Plan 9 File\n System(9pfs) was vulnerable to a directory/path\n traversal issue. A privileged user inside guest could\n have used this flaw to access undue files on the host\n (bsc#996441)\n\n - CVE-2016-6836: VMWARE VMXNET3 NIC device support was\n leaging information leakage. A privileged user inside\n guest could have used this to leak host memory bytes to\n a guest (bsc#994760)\n\n - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus\n a OOB access and/or infinite loop issue could have\n allowed a privileged user inside guest to crash the Qemu\n process resulting in DoS (bsc#997858)\n\n - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus\n a infinite loop issue could have allowed a privileged\n user inside guest to crash the Qemu process resulting in\n DoS (bsc#997859)\n\nThis non-security issue was fixed :\n\n - bsc#1000048: Fix migration failure where target host is\n a soon to be released SLES 12 SP2. 
Qemu's spice code\n gets an assertion.\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update\nproject.", "edition": 18, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-27T00:00:00", "title": "openSUSE Security Update : qemu (openSUSE-2016-1234)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7156", "CVE-2016-5106", "CVE-2016-2392", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-5126", "CVE-2016-2391", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-7116", "CVE-2016-6833", "CVE-2016-5107", "CVE-2016-4454", "CVE-2016-7155", "CVE-2016-6888", "CVE-2016-6490", "CVE-2016-6836"], "modified": "2016-10-27T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:qemu-ppc-debuginfo", "p-cpe:/a:novell:opensuse:qemu-s390-debuginfo", "p-cpe:/a:novell:opensuse:qemu-vgabios", "p-cpe:/a:novell:opensuse:qemu-block-curl-debuginfo", "p-cpe:/a:novell:opensuse:qemu", "p-cpe:/a:novell:opensuse:qemu-sgabios", "p-cpe:/a:novell:opensuse:qemu-tools-debuginfo", "p-cpe:/a:novell:opensuse:qemu-seabios", "p-cpe:/a:novell:opensuse:qemu-s390", "p-cpe:/a:novell:opensuse:qemu-ppc", "cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:qemu-linux-user-debugsource", "p-cpe:/a:novell:opensuse:qemu-arm", "p-cpe:/a:novell:opensuse:qemu-testsuite", "p-cpe:/a:novell:opensuse:qemu-kvm", "p-cpe:/a:novell:opensuse:qemu-linux-user", "p-cpe:/a:novell:opensuse:qemu-ipxe", "p-cpe:/a:novell:opensuse:qemu-block-curl", "p-cpe:/a:novell:opensuse:qemu-extra-debuginfo", "p-cpe:/a:novell:opensuse:qemu-x86-debuginfo", "p-cpe:/a:novell:opensuse:qemu-tools", "p-cpe:/a:novell:opensuse:qemu-guest-agent", "p-cpe:/a:novell:opensuse:qemu-x86", "p-cpe:/a:novell:opensuse:qemu-extra", "p-cpe:/a:novell:opensuse:qemu-linux-user-debuginfo", "p-cpe:/a:novell:opensuse:qemu-debugsource", "p-cpe:/a:novell:opensuse:qemu-arm-debuginfo", "p-cpe:/a:novell:opensuse:qemu-guest-agent-debuginfo", "p-cpe:/a:novell:opensuse:qemu-block-rbd", 
"p-cpe:/a:novell:opensuse:qemu-lang", "p-cpe:/a:novell:opensuse:qemu-block-rbd-debuginfo"], "id": "OPENSUSE-2016-1234.NASL", "href": "https://www.tenable.com/plugins/nessus/94309", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-1234.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94309);\n script_version(\"2.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-2391\", \"CVE-2016-2392\", \"CVE-2016-4453\", \"CVE-2016-4454\", \"CVE-2016-5105\", \"CVE-2016-5106\", \"CVE-2016-5107\", \"CVE-2016-5126\", \"CVE-2016-5238\", \"CVE-2016-5337\", \"CVE-2016-5338\", \"CVE-2016-5403\", \"CVE-2016-6490\", \"CVE-2016-6833\", \"CVE-2016-6836\", \"CVE-2016-6888\", \"CVE-2016-7116\", \"CVE-2016-7155\", \"CVE-2016-7156\");\n\n script_name(english:\"openSUSE Security Update : qemu (openSUSE-2016-1234)\");\n script_summary(english:\"Check for the openSUSE-2016-1234 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"qemu was updated to fix 19 security issues.\n\nThese security issues were fixed :\n\n - CVE-2016-2392: The is_rndis function in the USB Net\n device emulator (hw/usb/dev-network.c) in QEMU did not\n properly validate USB configuration descriptor objects,\n which allowed local guest OS administrators to cause a\n denial of service (NULL pointer dereference and QEMU\n process crash) via vectors involving a remote NDIS\n control message packet (bsc#967012)\n\n - CVE-2016-2391: The ohci_bus_start function in the USB\n OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU\n allowed local guest OS 
administrators to cause a denial\n of service (NULL pointer dereference and QEMU process\n crash) via vectors related to multiple eof_timers\n (bsc#967013)\n\n - CVE-2016-5106: The megasas_dcmd_set_properties function\n in hw/scsi/megasas.c in QEMU, when built with MegaRAID\n SAS 8708EM2 Host Bus Adapter emulation support, allowed\n local guest administrators to cause a denial of service\n (out-of-bounds write access) via vectors involving a\n MegaRAID Firmware Interface (MFI) command (bsc#982018)\n\n - CVE-2016-5105: The megasas_dcmd_cfg_read function in\n hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS\n 8708EM2 Host Bus Adapter emulation support, used an\n uninitialized variable, which allowed local guest\n administrators to read host memory via vectors involving\n a MegaRAID Firmware Interface (MFI) command (bsc#982017)\n\n - CVE-2016-5107: The megasas_lookup_frame function in\n QEMU, when built with MegaRAID SAS 8708EM2 Host Bus\n Adapter emulation support, allowed local guest OS\n administrators to cause a denial of service\n (out-of-bounds read and crash) via unspecified vectors\n (bsc#982019)\n\n - CVE-2016-5126: Heap-based buffer overflow in the\n iscsi_aio_ioctl function in block/iscsi.c in QEMU\n allowed local guest OS users to cause a denial of\n service (QEMU process crash) or possibly execute\n arbitrary code via a crafted iSCSI asynchronous I/O\n ioctl call (bsc#982285)\n\n - CVE-2016-4454: The vmsvga_fifo_read_raw function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information or cause a denial of service (QEMU process\n crash) by changing FIFO registers and issuing a VGA\n command, which triggers an out-of-bounds read\n (bsc#982222)\n\n - CVE-2016-4453: The vmsvga_fifo_run function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to cause a denial of service (infinite\n loop and QEMU process crash) via a VGA command\n (bsc#982223)\n\n - 
CVE-2016-5338: The (1) esp_reg_read and (2)\n esp_reg_write functions in hw/scsi/esp.c in QEMU allowed\n local guest OS administrators to cause a denial of\n service (QEMU process crash) or execute arbitrary code\n on the QEMU host via vectors related to the information\n transfer buffer (bsc#983982)\n\n - CVE-2016-5337: The megasas_ctrl_get_info function in\n hw/scsi/megasas.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information via vectors related to reading device\n control information (bsc#983961)\n\n - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in\n QEMU allowed local guest OS administrators to cause a\n denial of service (out-of-bounds write and QEMU process\n crash) via vectors related to reading from the\n information transfer buffer in non-DMA mode (bsc#982959)\n\n - CVE-2016-5403: The virtqueue_pop function in\n hw/virtio/virtio.c in QEMU allowed local guest OS\n administrators to cause a denial of service (memory\n consumption and QEMU process crash) by submitting\n requests without waiting for completion (bsc#991080)\n\n - CVE-2016-6490: Infinite loop in the virtio framework. A\n privileged user inside the guest could have used this\n flaw to crash the Qemu instance on the host resulting in\n DoS (bsc#991466)\n\n - CVE-2016-6888: Integer overflow in packet initialisation\n in VMXNET3 device driver. A privileged user inside guest\n could have used this flaw to crash the Qemu instance\n resulting in DoS (bsc#994771)\n\n - CVE-2016-6833: Use-after-free issue in the VMWARE\n VMXNET3 NIC device support. A privileged user inside\n guest could have used this issue to crash the Qemu\n instance resulting in DoS (bsc#994774)\n\n - CVE-2016-7116: Host directory sharing via Plan 9 File\n System(9pfs) was vulnerable to a directory/path\n traversal issue. 
A privileged user inside guest could\n have used this flaw to access undue files on the host\n (bsc#996441)\n\n - CVE-2016-6836: VMWARE VMXNET3 NIC device support was\n leaging information leakage. A privileged user inside\n guest could have used this to leak host memory bytes to\n a guest (bsc#994760)\n\n - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus\n a OOB access and/or infinite loop issue could have\n allowed a privileged user inside guest to crash the Qemu\n process resulting in DoS (bsc#997858)\n\n - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus\n a infinite loop issue could have allowed a privileged\n user inside guest to crash the Qemu process resulting in\n DoS (bsc#997859)\n\nThis non-security issue was fixed :\n\n - bsc#1000048: Fix migration failure where target host is\n a soon to be released SLES 12 SP2. Qemu's spice code\n gets an assertion.\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1000048\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=967012\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=967013\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=982017\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=982018\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=982019\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=982222\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=982223\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=982285\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=982959\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=983961\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=983982\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=991080\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=991466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=994760\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=994771\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=994774\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=996441\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=997858\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=997859\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected qemu packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-arm-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-ipxe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-linux-user\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-linux-user-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-linux-user-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-ppc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-s390-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-seabios\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:qemu-sgabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-vgabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-x86-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", 
reference:\"qemu-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-arm-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-arm-debuginfo-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-block-curl-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-block-curl-debuginfo-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-debugsource-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-extra-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-extra-debuginfo-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-guest-agent-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-guest-agent-debuginfo-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-ipxe-1.0.0-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-kvm-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-lang-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-linux-user-2.3.1-19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-linux-user-debuginfo-2.3.1-19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-linux-user-debugsource-2.3.1-19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-ppc-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-ppc-debuginfo-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-s390-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-s390-debuginfo-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-seabios-1.8.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-sgabios-8-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", 
reference:\"qemu-tools-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-tools-debuginfo-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-vgabios-1.8.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-x86-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"qemu-x86-debuginfo-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"qemu-block-rbd-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"qemu-block-rbd-debuginfo-2.3.1-19.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"qemu-testsuite-2.3.1-19.6\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-linux-user / qemu-linux-user-debuginfo / etc\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-07T14:24:50", "description": "qemu was updated to fix 19 security issues. 
These security issues were\nfixed :\n\n - CVE-2016-2392: The is_rndis function in the USB Net\n device emulator (hw/usb/dev-network.c) in QEMU did not\n properly validate USB configuration descriptor objects,\n which allowed local guest OS administrators to cause a\n denial of service (NULL pointer dereference and QEMU\n process crash) via vectors involving a remote NDIS\n control message packet (bsc#967012)\n\n - CVE-2016-2391: The ohci_bus_start function in the USB\n OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU\n allowed local guest OS administrators to cause a denial\n of service (NULL pointer dereference and QEMU process\n crash) via vectors related to multiple eof_timers\n (bsc#967013)\n\n - CVE-2016-5106: The megasas_dcmd_set_properties function\n in hw/scsi/megasas.c in QEMU, when built with MegaRAID\n SAS 8708EM2 Host Bus Adapter emulation support, allowed\n local guest administrators to cause a denial of service\n (out-of-bounds write access) via vectors involving a\n MegaRAID Firmware Interface (MFI) command (bsc#982018)\n\n - CVE-2016-5105: The megasas_dcmd_cfg_read function in\n hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS\n 8708EM2 Host Bus Adapter emulation support, used an\n uninitialized variable, which allowed local guest\n administrators to read host memory via vectors involving\n a MegaRAID Firmware Interface (MFI) command (bsc#982017)\n\n - CVE-2016-5107: The megasas_lookup_frame function in\n QEMU, when built with MegaRAID SAS 8708EM2 Host Bus\n Adapter emulation support, allowed local guest OS\n administrators to cause a denial of service\n (out-of-bounds read and crash) via unspecified vectors\n (bsc#982019)\n\n - CVE-2016-5126: Heap-based buffer overflow in the\n iscsi_aio_ioctl function in block/iscsi.c in QEMU\n allowed local guest OS users to cause a denial of\n service (QEMU process crash) or possibly execute\n arbitrary code via a crafted iSCSI asynchronous I/O\n ioctl call (bsc#982285)\n\n - CVE-2016-4454: The 
vmsvga_fifo_read_raw function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information or cause a denial of service (QEMU process\n crash) by changing FIFO registers and issuing a VGA\n command, which triggers an out-of-bounds read\n (bsc#982222)\n\n - CVE-2016-4453: The vmsvga_fifo_run function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to cause a denial of service (infinite\n loop and QEMU process crash) via a VGA command\n (bsc#982223)\n\n - CVE-2016-5338: The (1) esp_reg_read and (2)\n esp_reg_write functions in hw/scsi/esp.c in QEMU allowed\n local guest OS administrators to cause a denial of\n service (QEMU process crash) or execute arbitrary code\n on the QEMU host via vectors related to the information\n transfer buffer (bsc#983982)\n\n - CVE-2016-5337: The megasas_ctrl_get_info function in\n hw/scsi/megasas.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information via vectors related to reading device\n control information (bsc#983961)\n\n - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in\n QEMU allowed local guest OS administrators to cause a\n denial of service (out-of-bounds write and QEMU process\n crash) via vectors related to reading from the\n information transfer buffer in non-DMA mode (bsc#982959)\n\n - CVE-2016-5403: The virtqueue_pop function in\n hw/virtio/virtio.c in QEMU allowed local guest OS\n administrators to cause a denial of service (memory\n consumption and QEMU process crash) by submitting\n requests without waiting for completion (bsc#991080)\n\n - CVE-2016-6490: Infinite loop in the virtio framework. A\n privileged user inside the guest could have used this\n flaw to crash the Qemu instance on the host resulting in\n DoS (bsc#991466)\n\n - CVE-2016-6888: Integer overflow in packet initialisation\n in VMXNET3 device driver. 
A privileged user inside guest\n could have used this flaw to crash the Qemu instance\n resulting in DoS (bsc#994771)\n\n - CVE-2016-6833: Use-after-free issue in the VMWARE\n VMXNET3 NIC device support. A privileged user inside\n guest could have used this issue to crash the Qemu\n instance resulting in DoS (bsc#994774)\n\n - CVE-2016-7116: Host directory sharing via Plan 9 File\n System(9pfs) was vulnerable to a directory/path\n traversal issue. A privileged user inside guest could\n have used this flaw to access undue files on the host\n (bsc#996441)\n\n - CVE-2016-6836: VMWARE VMXNET3 NIC device support was\n leaking information. A privileged user inside\n guest could have used this to leak host memory bytes to\n a guest (bsc#994760)\n\n - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus\n an OOB access and/or infinite loop issue could have\n allowed a privileged user inside guest to crash the Qemu\n process resulting in DoS (bsc#997858)\n\n - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus\n an infinite loop issue could have allowed a privileged\n user inside guest to crash the Qemu process resulting in\n DoS (bsc#997859)\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-26T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:2589-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7156", "CVE-2016-5106", "CVE-2016-2392", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-5126", "CVE-2016-2391", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-7116", "CVE-2016-6833", "CVE-2016-5107", "CVE-2016-4454", "CVE-2016-7155", "CVE-2016-6888", "CVE-2016-6490", "CVE-2016-6836"], "modified": "2016-10-26T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-debugsource", "p-cpe:/a:novell:suse_linux:qemu-lang", "p-cpe:/a:novell:suse_linux:qemu", "p-cpe:/a:novell:suse_linux:qemu-tools", "p-cpe:/a:novell:suse_linux:qemu-guest-agent", "p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-rbd", "p-cpe:/a:novell:suse_linux:qemu-kvm", "p-cpe:/a:novell:suse_linux:qemu-block-curl", "p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-s390", "p-cpe:/a:novell:suse_linux:qemu-x86"], "id": "SUSE_SU-2016-2589-1.NASL", "href": "https://www.tenable.com/plugins/nessus/94277", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:2589-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94277);\n script_version(\"1.8\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-2391\", \"CVE-2016-2392\", \"CVE-2016-4453\", \"CVE-2016-4454\", \"CVE-2016-5105\", \"CVE-2016-5106\", \"CVE-2016-5107\", \"CVE-2016-5126\", \"CVE-2016-5238\", \"CVE-2016-5337\", \"CVE-2016-5338\", \"CVE-2016-5403\", \"CVE-2016-6490\", \"CVE-2016-6833\", \"CVE-2016-6836\", \"CVE-2016-6888\", \"CVE-2016-7116\", \"CVE-2016-7155\", \"CVE-2016-7156\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:2589-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"qemu was updated to fix 19 security issues. These security issues were\nfixed :\n\n - CVE-2016-2392: The is_rndis function in the USB Net\n device emulator (hw/usb/dev-network.c) in QEMU did not\n properly validate USB configuration descriptor objects,\n which allowed local guest OS administrators to cause a\n denial of service (NULL pointer dereference and QEMU\n process crash) via vectors involving a remote NDIS\n control message packet (bsc#967012)\n\n - CVE-2016-2391: The ohci_bus_start function in the USB\n OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU\n allowed local guest OS administrators to cause a denial\n of service (NULL pointer dereference and QEMU process\n crash) via vectors related to multiple eof_timers\n (bsc#967013)\n\n - CVE-2016-5106: The megasas_dcmd_set_properties function\n in hw/scsi/megasas.c in QEMU, when built with MegaRAID\n SAS 8708EM2 Host Bus Adapter emulation support, allowed\n local guest administrators to cause a denial of service\n (out-of-bounds write access) via vectors involving a\n MegaRAID Firmware Interface (MFI) command (bsc#982018)\n\n - CVE-2016-5105: The megasas_dcmd_cfg_read function in\n 
hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS\n 8708EM2 Host Bus Adapter emulation support, used an\n uninitialized variable, which allowed local guest\n administrators to read host memory via vectors involving\n a MegaRAID Firmware Interface (MFI) command (bsc#982017)\n\n - CVE-2016-5107: The megasas_lookup_frame function in\n QEMU, when built with MegaRAID SAS 8708EM2 Host Bus\n Adapter emulation support, allowed local guest OS\n administrators to cause a denial of service\n (out-of-bounds read and crash) via unspecified vectors\n (bsc#982019)\n\n - CVE-2016-5126: Heap-based buffer overflow in the\n iscsi_aio_ioctl function in block/iscsi.c in QEMU\n allowed local guest OS users to cause a denial of\n service (QEMU process crash) or possibly execute\n arbitrary code via a crafted iSCSI asynchronous I/O\n ioctl call (bsc#982285)\n\n - CVE-2016-4454: The vmsvga_fifo_read_raw function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information or cause a denial of service (QEMU process\n crash) by changing FIFO registers and issuing a VGA\n command, which triggers an out-of-bounds read\n (bsc#982222)\n\n - CVE-2016-4453: The vmsvga_fifo_run function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to cause a denial of service (infinite\n loop and QEMU process crash) via a VGA command\n (bsc#982223)\n\n - CVE-2016-5338: The (1) esp_reg_read and (2)\n esp_reg_write functions in hw/scsi/esp.c in QEMU allowed\n local guest OS administrators to cause a denial of\n service (QEMU process crash) or execute arbitrary code\n on the QEMU host via vectors related to the information\n transfer buffer (bsc#983982)\n\n - CVE-2016-5337: The megasas_ctrl_get_info function in\n hw/scsi/megasas.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information via vectors related to reading device\n control information (bsc#983961)\n\n - CVE-2016-5238: The 
get_cmd function in hw/scsi/esp.c in\n QEMU allowed local guest OS administrators to cause a\n denial of service (out-of-bounds write and QEMU process\n crash) via vectors related to reading from the\n information transfer buffer in non-DMA mode (bsc#982959)\n\n - CVE-2016-5403: The virtqueue_pop function in\n hw/virtio/virtio.c in QEMU allowed local guest OS\n administrators to cause a denial of service (memory\n consumption and QEMU process crash) by submitting\n requests without waiting for completion (bsc#991080)\n\n - CVE-2016-6490: Infinite loop in the virtio framework. A\n privileged user inside the guest could have used this\n flaw to crash the Qemu instance on the host resulting in\n DoS (bsc#991466)\n\n - CVE-2016-6888: Integer overflow in packet initialisation\n in VMXNET3 device driver. A privileged user inside guest\n could have used this flaw to crash the Qemu instance\n resulting in DoS (bsc#994771)\n\n - CVE-2016-6833: Use-after-free issue in the VMWARE\n VMXNET3 NIC device support. A privileged user inside\n guest could have used this issue to crash the Qemu\n instance resulting in DoS (bsc#994774)\n\n - CVE-2016-7116: Host directory sharing via Plan 9 File\n System(9pfs) was vulnerable to a directory/path\n traversal issue. A privileged user inside guest could\n have used this flaw to access undue files on the host\n (bsc#996441)\n\n - CVE-2016-6836: VMWARE VMXNET3 NIC device support was\n leaging information leakage. 
A privileged user inside\n guest could have used this to leak host memory bytes to\n a guest (bsc#994760)\n\n - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus\n a OOB access and/or infinite loop issue could have\n allowed a privileged user inside guest to crash the Qemu\n process resulting in DoS (bsc#997858)\n\n - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus\n a infinite loop issue could have allowed a privileged\n user inside guest to crash the Qemu process resulting in\n DoS (bsc#997859)\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1000048\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=967012\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=967013\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982017\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982018\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982019\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982222\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982223\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982285\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.suse.com/show_bug.cgi?id=982959\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=983961\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=983982\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=991080\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=991466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=994760\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=994771\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=994774\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=996441\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=997858\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=997859\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2391/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2392/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-4453/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-4454/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5105/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5106/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://www.suse.com/security/cve/CVE-2016-5107/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5126/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5238/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5337/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5338/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5403/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-6490/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-6833/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-6836/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-6888/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-7116/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-7155/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-7156/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20162589-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b25c1b45\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP1:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2016-1523=1\n\nSUSE Linux Enterprise Desktop 12-SP1:zypper in -t 
patch\nSUSE-SLE-DESKTOP-12-SP1-2016-1523=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-block-rbd-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-block-rbd-debuginfo-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-x86-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"s390x\", reference:\"qemu-s390-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"s390x\", reference:\"qemu-s390-debuginfo-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"qemu-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"qemu-block-curl-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"qemu-block-curl-debuginfo-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"qemu-debugsource-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"qemu-guest-agent-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"qemu-guest-agent-debuginfo-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"qemu-lang-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"qemu-tools-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"qemu-tools-debuginfo-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"qemu-kvm-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-block-curl-2.3.1-21.1\")) flag++;\nif 
(rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-block-curl-debuginfo-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-debugsource-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-kvm-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-tools-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-tools-debuginfo-2.3.1-21.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-x86-2.3.1-21.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-07T14:24:59", "description": "qemu was updated to fix 21 security issues. These security issues were\nfixed :\n\n - CVE-2014-5388: Off-by-one error in the pci_read function\n in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in\n QEMU allowed local guest users to obtain sensitive\n information and have other unspecified impact related to\n a crafted PCI device that triggers memory corruption\n (bsc#893323).\n\n - CVE-2015-6815: e1000 NIC emulation support was\n vulnerable to an infinite loop issue. A privileged user\n inside guest could have used this flaw to crash the Qemu\n instance resulting in DoS. 
(bsc#944697).\n\n - CVE-2016-2391: The ohci_bus_start function in the USB\n OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU\n allowed local guest OS administrators to cause a denial\n of service (NULL pointer dereference and QEMU process\n crash) via vectors related to multiple eof_timers\n (bsc#967013).\n\n - CVE-2016-2392: The is_rndis function in the USB Net\n device emulator (hw/usb/dev-network.c) in QEMU did not\n properly validate USB configuration descriptor objects,\n which allowed local guest OS administrators to cause a\n denial of service (NULL pointer dereference and QEMU\n process crash) via vectors involving a remote NDIS\n control message packet (bsc#967012).\n\n - CVE-2016-4453: The vmsvga_fifo_run function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to cause a denial of service (infinite\n loop and QEMU process crash) via a VGA command\n (bsc#982223).\n\n - CVE-2016-4454: The vmsvga_fifo_read_raw function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information or cause a denial of service (QEMU process\n crash) by changing FIFO registers and issuing a VGA\n command, which triggers an out-of-bounds read\n (bsc#982222).\n\n - CVE-2016-5105: The megasas_dcmd_cfg_read function in\n hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS\n 8708EM2 Host Bus Adapter emulation support, used an\n uninitialized variable, which allowed local guest\n administrators to read host memory via vectors involving\n a MegaRAID Firmware Interface (MFI) command\n (bsc#982017).\n\n - CVE-2016-5106: The megasas_dcmd_set_properties function\n in hw/scsi/megasas.c in QEMU, when built with MegaRAID\n SAS 8708EM2 Host Bus Adapter emulation support, allowed\n local guest administrators to cause a denial of service\n (out-of-bounds write access) via vectors involving a\n MegaRAID Firmware Interface (MFI) command (bsc#982018).\n\n - CVE-2016-5107: The megasas_lookup_frame 
function in\n QEMU, when built with MegaRAID SAS 8708EM2 Host Bus\n Adapter emulation support, allowed local guest OS\n administrators to cause a denial of service\n (out-of-bounds read and crash) via unspecified vectors\n (bsc#982019).\n\n - CVE-2016-5126: Heap-based buffer overflow in the\n iscsi_aio_ioctl function in block/iscsi.c in QEMU\n allowed local guest OS users to cause a denial of\n service (QEMU process crash) or possibly execute\n arbitrary code via a crafted iSCSI asynchronous I/O\n ioctl call (bsc#982285).\n\n - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in\n QEMU allowed local guest OS administrators to cause a\n denial of service (out-of-bounds write and QEMU process\n crash) via vectors related to reading from the\n information transfer buffer in non-DMA mode\n (bsc#982959).\n\n - CVE-2016-5337: The megasas_ctrl_get_info function in\n hw/scsi/megasas.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information via vectors related to reading device\n control information (bsc#983961).\n\n - CVE-2016-5338: The (1) esp_reg_read and (2)\n esp_reg_write functions in hw/scsi/esp.c in QEMU allowed\n local guest OS administrators to cause a denial of\n service (QEMU process crash) or execute arbitrary code\n on the QEMU host via vectors related to the information\n transfer buffer (bsc#983982).\n\n - CVE-2016-5403: The virtqueue_pop function in\n hw/virtio/virtio.c in QEMU allowed local guest OS\n administrators to cause a denial of service (memory\n consumption and QEMU process crash) by submitting\n requests without waiting for completion (bsc#991080).\n\n - CVE-2016-6490: Infinite loop in the virtio framework. A\n privileged user inside the guest could have used this\n flaw to crash the Qemu instance on the host resulting in\n DoS (bsc#991466).\n\n - CVE-2016-6833: Use-after-free issue in the VMWARE\n VMXNET3 NIC device support. 
A privileged user inside\n guest could have used this issue to crash the Qemu\n instance resulting in DoS (bsc#994774).\n\n - CVE-2016-6836: VMWARE VMXNET3 NIC device support was\n leaging information leakage. A privileged user inside\n guest could have used this to leak host memory bytes to\n a guest (bsc#994760).\n\n - CVE-2016-6888: Integer overflow in packet initialisation\n in VMXNET3 device driver. A privileged user inside guest\n could have used this flaw to crash the Qemu instance\n resulting in DoS (bsc#994771).\n\n - CVE-2016-7116: Host directory sharing via Plan 9 File\n System(9pfs) was vulnerable to a directory/path\n traversal issue. A privileged user inside guest could\n have used this flaw to access undue files on the host\n (bsc#996441).\n\n - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus\n a OOB access and/or infinite loop issue could have\n allowed a privileged user inside guest to crash the Qemu\n process resulting in DoS (bsc#997858).\n\n - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus\n a infinite loop issue could have allowed a privileged\n user inside guest to crash the Qemu process resulting in\n DoS (bsc#997859).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-14T00:00:00", "title": "SUSE SLES12 Security Update : qemu (SUSE-SU-2016:2781-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7156", "CVE-2016-5106", "CVE-2016-2392", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-5126", "CVE-2014-5388", "CVE-2016-2391", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-7116", "CVE-2016-6833", "CVE-2016-5107", "CVE-2015-6815", "CVE-2016-4454", "CVE-2016-7155", "CVE-2016-6888", "CVE-2016-6490", "CVE-2016-6836"], "modified": "2016-11-14T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-debugsource", "p-cpe:/a:novell:suse_linux:qemu-lang", "p-cpe:/a:novell:suse_linux:qemu", "p-cpe:/a:novell:suse_linux:qemu-tools", "p-cpe:/a:novell:suse_linux:qemu-guest-agent", "p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-rbd", "p-cpe:/a:novell:suse_linux:qemu-kvm", "p-cpe:/a:novell:suse_linux:qemu-block-curl", "p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-s390", "p-cpe:/a:novell:suse_linux:qemu-x86"], "id": "SUSE_SU-2016-2781-1.NASL", "href": "https://www.tenable.com/plugins/nessus/94758", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:2781-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94758);\n 
script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-5388\", \"CVE-2015-6815\", \"CVE-2016-2391\", \"CVE-2016-2392\", \"CVE-2016-4453\", \"CVE-2016-4454\", \"CVE-2016-5105\", \"CVE-2016-5106\", \"CVE-2016-5107\", \"CVE-2016-5126\", \"CVE-2016-5238\", \"CVE-2016-5337\", \"CVE-2016-5338\", \"CVE-2016-5403\", \"CVE-2016-6490\", \"CVE-2016-6833\", \"CVE-2016-6836\", \"CVE-2016-6888\", \"CVE-2016-7116\", \"CVE-2016-7155\", \"CVE-2016-7156\");\n script_bugtraq_id(69356);\n\n script_name(english:\"SUSE SLES12 Security Update : qemu (SUSE-SU-2016:2781-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"qemu was updated to fix 21 security issues. These security issues were\nfixed :\n\n - CVE-2014-5388: Off-by-one error in the pci_read function\n in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in\n QEMU allowed local guest users to obtain sensitive\n information and have other unspecified impact related to\n a crafted PCI device that triggers memory corruption\n (bsc#893323).\n\n - CVE-2015-6815: e1000 NIC emulation support was\n vulnerable to an infinite loop issue. A privileged user\n inside guest could have used this flaw to crash the Qemu\n instance resulting in DoS. 
(bsc#944697).\n\n - CVE-2016-2391: The ohci_bus_start function in the USB\n OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU\n allowed local guest OS administrators to cause a denial\n of service (NULL pointer dereference and QEMU process\n crash) via vectors related to multiple eof_timers\n (bsc#967013).\n\n - CVE-2016-2392: The is_rndis function in the USB Net\n device emulator (hw/usb/dev-network.c) in QEMU did not\n properly validate USB configuration descriptor objects,\n which allowed local guest OS administrators to cause a\n denial of service (NULL pointer dereference and QEMU\n process crash) via vectors involving a remote NDIS\n control message packet (bsc#967012).\n\n - CVE-2016-4453: The vmsvga_fifo_run function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to cause a denial of service (infinite\n loop and QEMU process crash) via a VGA command\n (bsc#982223).\n\n - CVE-2016-4454: The vmsvga_fifo_read_raw function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information or cause a denial of service (QEMU process\n crash) by changing FIFO registers and issuing a VGA\n command, which triggers an out-of-bounds read\n (bsc#982222).\n\n - CVE-2016-5105: The megasas_dcmd_cfg_read function in\n hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS\n 8708EM2 Host Bus Adapter emulation support, used an\n uninitialized variable, which allowed local guest\n administrators to read host memory via vectors involving\n a MegaRAID Firmware Interface (MFI) command\n (bsc#982017).\n\n - CVE-2016-5106: The megasas_dcmd_set_properties function\n in hw/scsi/megasas.c in QEMU, when built with MegaRAID\n SAS 8708EM2 Host Bus Adapter emulation support, allowed\n local guest administrators to cause a denial of service\n (out-of-bounds write access) via vectors involving a\n MegaRAID Firmware Interface (MFI) command (bsc#982018).\n\n - CVE-2016-5107: The megasas_lookup_frame 
function in\n QEMU, when built with MegaRAID SAS 8708EM2 Host Bus\n Adapter emulation support, allowed local guest OS\n administrators to cause a denial of service\n (out-of-bounds read and crash) via unspecified vectors\n (bsc#982019).\n\n - CVE-2016-5126: Heap-based buffer overflow in the\n iscsi_aio_ioctl function in block/iscsi.c in QEMU\n allowed local guest OS users to cause a denial of\n service (QEMU process crash) or possibly execute\n arbitrary code via a crafted iSCSI asynchronous I/O\n ioctl call (bsc#982285).\n\n - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in\n QEMU allowed local guest OS administrators to cause a\n denial of service (out-of-bounds write and QEMU process\n crash) via vectors related to reading from the\n information transfer buffer in non-DMA mode\n (bsc#982959).\n\n - CVE-2016-5337: The megasas_ctrl_get_info function in\n hw/scsi/megasas.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information via vectors related to reading device\n control information (bsc#983961).\n\n - CVE-2016-5338: The (1) esp_reg_read and (2)\n esp_reg_write functions in hw/scsi/esp.c in QEMU allowed\n local guest OS administrators to cause a denial of\n service (QEMU process crash) or execute arbitrary code\n on the QEMU host via vectors related to the information\n transfer buffer (bsc#983982).\n\n - CVE-2016-5403: The virtqueue_pop function in\n hw/virtio/virtio.c in QEMU allowed local guest OS\n administrators to cause a denial of service (memory\n consumption and QEMU process crash) by submitting\n requests without waiting for completion (bsc#991080).\n\n - CVE-2016-6490: Infinite loop in the virtio framework. A\n privileged user inside the guest could have used this\n flaw to crash the Qemu instance on the host resulting in\n DoS (bsc#991466).\n\n - CVE-2016-6833: Use-after-free issue in the VMWARE\n VMXNET3 NIC device support. 
A privileged user inside\n guest could have used this issue to crash the Qemu\n instance resulting in DoS (bsc#994774).\n\n - CVE-2016-6836: VMWARE VMXNET3 NIC device support was\n leaging information leakage. A privileged user inside\n guest could have used this to leak host memory bytes to\n a guest (bsc#994760).\n\n - CVE-2016-6888: Integer overflow in packet initialisation\n in VMXNET3 device driver. A privileged user inside guest\n could have used this flaw to crash the Qemu instance\n resulting in DoS (bsc#994771).\n\n - CVE-2016-7116: Host directory sharing via Plan 9 File\n System(9pfs) was vulnerable to a directory/path\n traversal issue. A privileged user inside guest could\n have used this flaw to access undue files on the host\n (bsc#996441).\n\n - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus\n a OOB access and/or infinite loop issue could have\n allowed a privileged user inside guest to crash the Qemu\n process resulting in DoS (bsc#997858).\n\n - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus\n a infinite loop issue could have allowed a privileged\n user inside guest to crash the Qemu process resulting in\n DoS (bsc#997859).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=893323\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=944697\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=967012\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=967013\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982017\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982018\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982019\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982222\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982223\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982285\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982959\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=983961\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=983982\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=991080\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=991466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=994760\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=994771\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=994774\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=996441\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=997858\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=997859\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2014-5388/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-6815/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2391/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2392/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-4453/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-4454/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5105/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5106/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5107/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5126/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5238/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5337/\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5338/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5403/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-6490/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-6833/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-6836/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-6888/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-7116/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-7155/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-7156/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20162781-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?705c9ef2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2016-1646=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2016-1646=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are 
available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/11/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/11\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"qemu-block-rbd-2.0.2-48.22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"qemu-block-rbd-debuginfo-2.0.2-48.22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"qemu-x86-2.0.2-48.22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"qemu-x86-debuginfo-2.0.2-48.22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-s390-2.0.2-48.22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-s390-debuginfo-2.0.2-48.22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-2.0.2-48.22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-block-curl-2.0.2-48.22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-block-curl-debuginfo-2.0.2-48.22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-debugsource-2.0.2-48.22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-guest-agent-2.0.2-48.22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-guest-agent-debuginfo-2.0.2-48.22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-lang-2.0.2-48.22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-tools-2.0.2-48.22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-tools-debuginfo-2.0.2-48.22.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-kvm-2.0.2-48.22.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-20T14:46:36", "description": "kvm was updated to fix 16 security issues. These security issues were\nfixed :\n\n - CVE-2015-6815: e1000 NIC emulation support was\n vulnerable to an infinite loop issue. A privileged user\n inside guest could have used this flaw to crash the Qemu\n instance resulting in DoS. (bsc#944697).\n\n - CVE-2016-2391: The ohci_bus_start function in the USB\n OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU\n allowed local guest OS administrators to cause a denial\n of service (NULL pointer dereference and QEMU process\n crash) via vectors related to multiple eof_timers\n (bsc#967013).\n\n - CVE-2016-2392: The is_rndis function in the USB Net\n device emulator (hw/usb/dev-network.c) in QEMU did not\n properly validate USB configuration descriptor objects,\n which allowed local guest OS administrators to cause a\n denial of service (NULL pointer dereference and QEMU\n process crash) via vectors involving a remote NDIS\n control message packet (bsc#967012).\n\n - CVE-2016-4453: The vmsvga_fifo_run function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to cause a denial of service (infinite\n loop and QEMU process crash) via a VGA command\n (bsc#982223).\n\n - CVE-2016-4454: The vmsvga_fifo_read_raw function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information or cause a denial of service (QEMU process\n crash) by changing FIFO registers and issuing a VGA\n command, which triggers an out-of-bounds read\n (bsc#982222).\n\n - CVE-2016-5105: The megasas_dcmd_cfg_read function in\n hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS\n 8708EM2 Host Bus Adapter emulation support, used an\n uninitialized variable, which allowed local guest\n administrators to 
read host memory via vectors involving\n a MegaRAID Firmware Interface (MFI) command\n (bsc#982017).\n\n - CVE-2016-5106: The megasas_dcmd_set_properties function\n in hw/scsi/megasas.c in QEMU, when built with MegaRAID\n SAS 8708EM2 Host Bus Adapter emulation support, allowed\n local guest administrators to cause a denial of service\n (out-of-bounds write access) via vectors involving a\n MegaRAID Firmware Interface (MFI) command (bsc#982018).\n\n - CVE-2016-5107: The megasas_lookup_frame function in\n QEMU, when built with MegaRAID SAS 8708EM2 Host Bus\n Adapter emulation support, allowed local guest OS\n administrators to cause a denial of service\n (out-of-bounds read and crash) via unspecified vectors\n (bsc#982019).\n\n - CVE-2016-5126: Heap-based buffer overflow in the\n iscsi_aio_ioctl function in block/iscsi.c in QEMU\n allowed local guest OS users to cause a denial of\n service (QEMU process crash) or possibly execute\n arbitrary code via a crafted iSCSI asynchronous I/O\n ioctl call (bsc#982285).\n\n - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in\n QEMU allowed local guest OS administrators to cause a\n denial of service (out-of-bounds write and QEMU process\n crash) via vectors related to reading from the\n information transfer buffer in non-DMA mode\n (bsc#982959).\n\n - CVE-2016-5337: The megasas_ctrl_get_info function in\n hw/scsi/megasas.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information via vectors related to reading device\n control information (bsc#983961).\n\n - CVE-2016-5338: The (1) esp_reg_read and (2)\n esp_reg_write functions in hw/scsi/esp.c in QEMU allowed\n local guest OS administrators to cause a denial of\n service (QEMU process crash) or execute arbitrary code\n on the QEMU host via vectors related to the information\n transfer buffer (bsc#983982).\n\n - CVE-2016-5403: The virtqueue_pop function in\n hw/virtio/virtio.c in QEMU allowed local guest OS\n administrators to cause a 
denial of service (memory\n consumption and QEMU process crash) by submitting\n requests without waiting for completion (bsc#991080).\n\n - CVE-2016-6490: Infinite loop in the virtio framework. A\n privileged user inside the guest could have used this\n flaw to crash the Qemu instance on the host resulting in\n DoS (bsc#991466).\n\n - CVE-2016-7116: Host directory sharing via Plan 9 File\n System(9pfs) was vulnerable to a directory/path\n traversal issue. A privileged user inside guest could\n have used this flaw to access undue files on the host\n (bsc#996441).\n\n - CVE-2014-7815: The set_pixel_format function in ui/vnc.c\n in QEMU allowed remote attackers to cause a denial of\n service (crash) via a small bytes_per_pixel value\n (bsc#902737).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-26T00:00:00", "title": "SUSE SLES11 Security Update : kvm (SUSE-SU-2016:2628-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5106", "CVE-2016-2392", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-5126", "CVE-2016-2391", "CVE-2016-5238", "CVE-2014-7815", "CVE-2016-5337", "CVE-2016-7116", "CVE-2016-5107", "CVE-2015-6815", "CVE-2016-4454", "CVE-2016-6490"], "modified": "2016-10-26T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kvm", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_SU-2016-2628-1.NASL", "href": "https://www.tenable.com/plugins/nessus/94283", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:2628-1.\n# The text itself is copyright (C) 
SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94283);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-7815\", \"CVE-2015-6815\", \"CVE-2016-2391\", \"CVE-2016-2392\", \"CVE-2016-4453\", \"CVE-2016-4454\", \"CVE-2016-5105\", \"CVE-2016-5106\", \"CVE-2016-5107\", \"CVE-2016-5126\", \"CVE-2016-5238\", \"CVE-2016-5337\", \"CVE-2016-5338\", \"CVE-2016-5403\", \"CVE-2016-6490\", \"CVE-2016-7116\");\n script_bugtraq_id(70998);\n\n script_name(english:\"SUSE SLES11 Security Update : kvm (SUSE-SU-2016:2628-1)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"kvm was updated to fix 16 security issues. These security issues were\nfixed :\n\n - CVE-2015-6815: e1000 NIC emulation support was\n vulnerable to an infinite loop issue. A privileged user\n inside guest could have used this flaw to crash the Qemu\n instance resulting in DoS. 
(bsc#944697).\n\n - CVE-2016-2391: The ohci_bus_start function in the USB\n OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU\n allowed local guest OS administrators to cause a denial\n of service (NULL pointer dereference and QEMU process\n crash) via vectors related to multiple eof_timers\n (bsc#967013).\n\n - CVE-2016-2392: The is_rndis function in the USB Net\n device emulator (hw/usb/dev-network.c) in QEMU did not\n properly validate USB configuration descriptor objects,\n which allowed local guest OS administrators to cause a\n denial of service (NULL pointer dereference and QEMU\n process crash) via vectors involving a remote NDIS\n control message packet (bsc#967012).\n\n - CVE-2016-4453: The vmsvga_fifo_run function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to cause a denial of service (infinite\n loop and QEMU process crash) via a VGA command\n (bsc#982223).\n\n - CVE-2016-4454: The vmsvga_fifo_read_raw function in\n hw/display/vmware_vga.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information or cause a denial of service (QEMU process\n crash) by changing FIFO registers and issuing a VGA\n command, which triggers an out-of-bounds read\n (bsc#982222).\n\n - CVE-2016-5105: The megasas_dcmd_cfg_read function in\n hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS\n 8708EM2 Host Bus Adapter emulation support, used an\n uninitialized variable, which allowed local guest\n administrators to read host memory via vectors involving\n a MegaRAID Firmware Interface (MFI) command\n (bsc#982017).\n\n - CVE-2016-5106: The megasas_dcmd_set_properties function\n in hw/scsi/megasas.c in QEMU, when built with MegaRAID\n SAS 8708EM2 Host Bus Adapter emulation support, allowed\n local guest administrators to cause a denial of service\n (out-of-bounds write access) via vectors involving a\n MegaRAID Firmware Interface (MFI) command (bsc#982018).\n\n - CVE-2016-5107: The megasas_lookup_frame 
function in\n QEMU, when built with MegaRAID SAS 8708EM2 Host Bus\n Adapter emulation support, allowed local guest OS\n administrators to cause a denial of service\n (out-of-bounds read and crash) via unspecified vectors\n (bsc#982019).\n\n - CVE-2016-5126: Heap-based buffer overflow in the\n iscsi_aio_ioctl function in block/iscsi.c in QEMU\n allowed local guest OS users to cause a denial of\n service (QEMU process crash) or possibly execute\n arbitrary code via a crafted iSCSI asynchronous I/O\n ioctl call (bsc#982285).\n\n - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in\n QEMU allowed local guest OS administrators to cause a\n denial of service (out-of-bounds write and QEMU process\n crash) via vectors related to reading from the\n information transfer buffer in non-DMA mode\n (bsc#982959).\n\n - CVE-2016-5337: The megasas_ctrl_get_info function in\n hw/scsi/megasas.c in QEMU allowed local guest OS\n administrators to obtain sensitive host memory\n information via vectors related to reading device\n control information (bsc#983961).\n\n - CVE-2016-5338: The (1) esp_reg_read and (2)\n esp_reg_write functions in hw/scsi/esp.c in QEMU allowed\n local guest OS administrators to cause a denial of\n service (QEMU process crash) or execute arbitrary code\n on the QEMU host via vectors related to the information\n transfer buffer (bsc#983982).\n\n - CVE-2016-5403: The virtqueue_pop function in\n hw/virtio/virtio.c in QEMU allowed local guest OS\n administrators to cause a denial of service (memory\n consumption and QEMU process crash) by submitting\n requests without waiting for completion (bsc#991080).\n\n - CVE-2016-6490: Infinite loop in the virtio framework. A\n privileged user inside the guest could have used this\n flaw to crash the Qemu instance on the host resulting in\n DoS (bsc#991466).\n\n - CVE-2016-7116: Host directory sharing via Plan 9 File\n System(9pfs) was vulnerable to a directory/path\n traversal issue. 
A privileged user inside guest could\n have used this flaw to access undue files on the host\n (bsc#996441).\n\n - CVE-2014-7815: The set_pixel_format function in ui/vnc.c\n in QEMU allowed remote attackers to cause a denial of\n service (crash) via a small bytes_per_pixel value\n (bsc#902737).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=902737\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=944697\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=967012\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=967013\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982017\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982018\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982019\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982222\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982223\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982285\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982959\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=983961\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.suse.com/show_bug.cgi?id=983982\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=991080\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=991466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=996441\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2014-7815/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-6815/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2391/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2392/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-4453/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-4454/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5105/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5106/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5107/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5126/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5238/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5337/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5338/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://www.suse.com/security/cve/CVE-2016-5403/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-6490/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-7116/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20162628-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?93347cd2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 11-SP4:zypper in -t patch\nslessp4-kvm-12816=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/11/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! 
preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"kvm-1.4.2-47.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kvm\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:14:59", "description": " - CVE-2016-4002: net: buffer overflow in MIPSnet (bz\n #1326083)\n\n - CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue\n\n - CVE-2016-5106: scsi: megasas: out-of-bounds write (bz\n #1339581)\n\n - CVE-2016-5105: scsi: megasas: stack information leakage\n (bz #1339585)\n\n - CVE-2016-5107: scsi: megasas: out-of-bounds read (bz\n #1339573)\n\n - CVE-2016-4454: display: vmsvga: out-of-bounds read (bz\n #1340740)\n\n - CVE-2016-4453: display: vmsvga: infinite loop (bz\n #1340744)\n\n - CVE-2016-5238: scsi: esp: OOB write (bz #1341932)\n\n - CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325)\n\n - CVE-2016-5337: scsi: megasas: information leakage (bz\n #1343910)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 9.0, "vector": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2016-07-15T00:00:00", "title": "Fedora 22 : 2:qemu (2016-ea3002b577)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5106", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-4952", "CVE-2016-5238", "CVE-2016-4002", "CVE-2016-5337", "CVE-2016-5107", "CVE-2016-4454"], "modified": "2016-07-15T00:00:00", "cpe": 
["p-cpe:/a:fedoraproject:fedora:2:qemu", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2016-EA3002B577.NASL", "href": "https://www.tenable.com/plugins/nessus/92299", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-ea3002b577.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92299);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-4002\", \"CVE-2016-4453\", \"CVE-2016-4454\", \"CVE-2016-4952\", \"CVE-2016-5105\", \"CVE-2016-5106\", \"CVE-2016-5107\", \"CVE-2016-5238\", \"CVE-2016-5337\", \"CVE-2016-5338\");\n script_xref(name:\"FEDORA\", value:\"2016-ea3002b577\");\n\n script_name(english:\"Fedora 22 : 2:qemu (2016-ea3002b577)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - CVE-2016-4002: net: buffer overflow in MIPSnet (bz\n #1326083)\n\n - CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue\n\n - CVE-2016-5106: scsi: megasas: out-of-bounds write (bz\n #1339581)\n\n - CVE-2016-5105: scsi: megasas: stack information leakage\n (bz #1339585)\n\n - CVE-2016-5107: scsi: megasas: out-of-bounds read (bz\n #1339573)\n\n - CVE-2016-4454: display: vmsvga: out-of-bounds read (bz\n #1340740)\n\n - CVE-2016-4453: display: vmsvga: infinite loop (bz\n #1340744)\n\n - CVE-2016-5238: scsi: esp: OOB write (bz #1341932)\n\n - CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325)\n\n - CVE-2016-5337: scsi: megasas: information leakage (bz\n #1343910)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update 
system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-ea3002b577\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 2:qemu package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"qemu-2.3.1-16.fc22\", epoch:\"2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"2:qemu\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:14:23", "description": " - CVE-2016-4002: net: buffer overflow in MIPSnet (bz\n #1326083)\n\n - CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue\n\n - CVE-2016-5106: scsi: megasas: out-of-bounds write (bz\n #1339581)\n\n - CVE-2016-5105: scsi: megasas: stack information leakage\n (bz #1339585)\n\n - CVE-2016-5107: scsi: megasas: out-of-bounds read (bz\n #1339573)\n\n - CVE-2016-4454: display: vmsvga: out-of-bounds read (bz\n #1340740)\n\n - CVE-2016-4453: display: vmsvga: infinite loop (bz\n #1340744)\n\n - CVE-2016-5238: scsi: esp: OOB write (bz #1341932)\n\n - CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325)\n\n - CVE-2016-5337: scsi: megasas: information leakage (bz\n #1343910)\n\n - Add deps on edk2-ovmf and edk2-aarch64\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 9.0, "vector": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2016-07-15T00:00:00", "title": 
"Fedora 23 : 2:qemu (2016-73853a7a16)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5106", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-4952", "CVE-2016-5238", "CVE-2016-4002", "CVE-2016-5337", "CVE-2016-5107", "CVE-2016-4454"], "modified": "2016-07-15T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:2:qemu", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-73853A7A16.NASL", "href": "https://www.tenable.com/plugins/nessus/92255", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-73853a7a16.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92255);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-4002\", \"CVE-2016-4453\", \"CVE-2016-4454\", \"CVE-2016-4952\", \"CVE-2016-5105\", \"CVE-2016-5106\", \"CVE-2016-5107\", \"CVE-2016-5238\", \"CVE-2016-5337\", \"CVE-2016-5338\");\n script_xref(name:\"FEDORA\", value:\"2016-73853a7a16\");\n\n script_name(english:\"Fedora 23 : 2:qemu (2016-73853a7a16)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - CVE-2016-4002: net: buffer overflow in MIPSnet (bz\n #1326083)\n\n - CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue\n\n - CVE-2016-5106: scsi: megasas: out-of-bounds write (bz\n #1339581)\n\n - CVE-2016-5105: scsi: megasas: stack information leakage\n (bz #1339585)\n\n - CVE-2016-5107: scsi: megasas: out-of-bounds read (bz\n #1339573)\n\n - CVE-2016-4454: display: vmsvga: out-of-bounds read (bz\n #1340740)\n\n - CVE-2016-4453: display: vmsvga: infinite loop (bz\n 
#1340744)\n\n - CVE-2016-5238: scsi: esp: OOB write (bz #1341932)\n\n - CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325)\n\n - CVE-2016-5337: scsi: megasas: information leakage (bz\n #1343910)\n\n - Add deps on edk2-ovmf and edk2-aarch64\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-73853a7a16\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 2:qemu package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"qemu-2.4.1-11.fc23\", epoch:\"2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"2:qemu\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:14:38", "description": " - CVE-2016-4002: net: buffer overflow in MIPSnet (bz\n #1326083)\n\n - CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue\n\n - CVE-2016-4964: scsi: mptsas infinite loop (bz #1339157)\n\n - CVE-2016-5106: scsi: megasas: out-of-bounds write (bz\n #1339581)\n\n - CVE-2016-5105: scsi: megasas: stack information leakage\n (bz #1339585)\n\n - CVE-2016-5107: scsi: megasas: 
out-of-bounds read (bz\n #1339573)\n\n - CVE-2016-4454: display: vmsvga: out-of-bounds read (bz\n #1340740)\n\n - CVE-2016-4453: display: vmsvga: infinite loop (bz\n #1340744)\n\n - CVE-2016-5126: block: iscsi: buffer overflow (bz\n #1340925)\n\n - CVE-2016-5238: scsi: esp: OOB write (bz #1341932)\n\n - CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325)\n\n - CVE-2016-5337: scsi: megasas: information leakage (bz\n #1343910)\n\n - Fix crash with -nodefaults -sdl (bz #1340931)\n\n - Add deps on edk2-ovmf and edk2-aarch64\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 9.0, "vector": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2016-07-15T00:00:00", "title": "Fedora 24 : 2:qemu (2016-a80eab65ba)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5106", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5126", "CVE-2016-4952", "CVE-2016-5238", "CVE-2016-4002", "CVE-2016-5337", "CVE-2016-5107", "CVE-2016-4454", "CVE-2016-4964"], "modified": "2016-07-15T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:2:qemu", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-A80EAB65BA.NASL", "href": "https://www.tenable.com/plugins/nessus/92277", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-a80eab65ba.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92277);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-4002\", \"CVE-2016-4453\", \"CVE-2016-4454\", \"CVE-2016-4952\", \"CVE-2016-4964\", 
\"CVE-2016-5105\", \"CVE-2016-5106\", \"CVE-2016-5107\", \"CVE-2016-5126\", \"CVE-2016-5238\", \"CVE-2016-5337\", \"CVE-2016-5338\");\n script_xref(name:\"FEDORA\", value:\"2016-a80eab65ba\");\n\n script_name(english:\"Fedora 24 : 2:qemu (2016-a80eab65ba)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - CVE-2016-4002: net: buffer overflow in MIPSnet (bz\n #1326083)\n\n - CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue\n\n - CVE-2016-4964: scsi: mptsas infinite loop (bz #1339157)\n\n - CVE-2016-5106: scsi: megasas: out-of-bounds write (bz\n #1339581)\n\n - CVE-2016-5105: scsi: megasas: stack information leakage\n (bz #1339585)\n\n - CVE-2016-5107: scsi: megasas: out-of-bounds read (bz\n #1339573)\n\n - CVE-2016-4454: display: vmsvga: out-of-bounds read (bz\n #1340740)\n\n - CVE-2016-4453: display: vmsvga: infinite loop (bz\n #1340744)\n\n - CVE-2016-5126: block: iscsi: buffer overflow (bz\n #1340925)\n\n - CVE-2016-5238: scsi: esp: OOB write (bz #1341932)\n\n - CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325)\n\n - CVE-2016-5337: scsi: megasas: information leakage (bz\n #1343910)\n\n - Fix crash with -nodefaults -sdl (bz #1340931)\n\n - Add deps on edk2-ovmf and edk2-aarch64\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-a80eab65ba\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 2:qemu package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"qemu-2.6.0-4.fc24\", epoch:\"2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"2:qemu\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-16T04:54:15", "description": "Li Qiang discovered that QEMU incorrectly handled 53C9X Fast SCSI\ncontroller emulation. A privileged attacker inside the guest could use\nthis issue to cause QEMU to crash, resulting in a denial of service,\nor possibly execute arbitrary code on the host. In the default\ninstallation, when QEMU is used with libvirt, attackers would be\nisolated by the libvirt AppArmor profile. This issue only applied to\nUbuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-4439, CVE-2016-4441,\nCVE-2016-5238, CVE-2016-5338, CVE-2016-6351)\n\nLi Qiang and Qinghao Tang discovered that QEMU incorrectly handled the\nVMware VGA module. A privileged attacker inside the guest could use\nthis issue to cause QEMU to crash, resulting in a denial of service,\nor possibly to obtain sensitive host memory. (CVE-2016-4453,\nCVE-2016-4454)\n\nLi Qiang discovered that QEMU incorrectly handled VMWARE PVSCSI\nparavirtual SCSI bus emulation support. A privileged attacker inside\nthe guest could use this issue to cause QEMU to crash, resulting in a\ndenial of service. This issue only applied to Ubuntu 14.04 LTS and\nUbuntu 16.04 LTS. 
(CVE-2016-4952)\n\nLi Qiang discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2\nHost Bus Adapter emulation support. A privileged attacker inside the\nguest could use this issue to cause QEMU to crash, resulting in a\ndenial of service, or possibly to obtain sensitive host memory. This\nissue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.\n(CVE-2016-5105, CVE-2016-5106, CVE-2016-5107, CVE-2016-5337)\n\nIt was discovered that QEMU incorrectly handled certain iSCSI\nasynchronous I/O ioctl calls. An attacker inside the guest could use\nthis issue to cause QEMU to crash, resulting in a denial of service,\nor possibly execute arbitrary code on the host. In the default\ninstallation, when QEMU is used with libvirt, attackers would be\nisolated by the libvirt AppArmor profile. This issue only applied to\nUbuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5126)\n\nZhenhao Hong discovered that QEMU incorrectly handled the Virtio\nmodule. A privileged attacker inside the guest could use this issue to\ncause QEMU to crash, resulting in a denial of service. (CVE-2016-5403).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 19, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-08-05T00:00:00", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : qemu, qemu-kvm vulnerabilities (USN-3047-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5106", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-6351", "CVE-2016-5126", "CVE-2016-4441", "CVE-2016-4952", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-4439", "CVE-2016-5107", "CVE-2016-4454"], "modified": "2016-08-05T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x", "p-cpe:/a:canonical:ubuntu_linux:qemu-system", "cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc", "p-cpe:/a:canonical:ubuntu_linux:qemu-kvm", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3047-1.NASL", "href": "https://www.tenable.com/plugins/nessus/92751", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3047-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92751);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/15\");\n\n script_cve_id(\"CVE-2016-4439\", \"CVE-2016-4441\", \"CVE-2016-4453\", \"CVE-2016-4454\", \"CVE-2016-4952\", \"CVE-2016-5105\", \"CVE-2016-5106\", \"CVE-2016-5107\", \"CVE-2016-5126\", \"CVE-2016-5238\", \"CVE-2016-5337\", \"CVE-2016-5338\", \"CVE-2016-5403\", \"CVE-2016-6351\");\n script_xref(name:\"USN\", value:\"3047-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : qemu, qemu-kvm vulnerabilities (USN-3047-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Li Qiang discovered that QEMU incorrectly handled 53C9X Fast SCSI\ncontroller emulation. A privileged attacker inside the guest could use\nthis issue to cause QEMU to crash, resulting in a denial of service,\nor possibly execute arbitrary code on the host. In the default\ninstallation, when QEMU is used with libvirt, attackers would be\nisolated by the libvirt AppArmor profile. This issue only applied to\nUbuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-4439, CVE-2016-4441,\nCVE-2016-5238, CVE-2016-5338, CVE-2016-6351)\n\nLi Qiang and Qinghao Tang discovered that QEMU incorrectly handled the\nVMware VGA module. A privileged attacker inside the guest could use\nthis issue to cause QEMU to crash, resulting in a denial of service,\nor possibly to obtain sensitive host memory. (CVE-2016-4453,\nCVE-2016-4454)\n\nLi Qiang discovered that QEMU incorrectly handled VMWARE PVSCSI\nparavirtual SCSI bus emulation support. 
A privileged attacker inside\nthe guest could use this issue to cause QEMU to crash, resulting in a\ndenial of service. This issue only applied to Ubuntu 14.04 LTS and\nUbuntu 16.04 LTS. (CVE-2016-4952)\n\nLi Qiang discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2\nHost Bus Adapter emulation support. A privileged attacker inside the\nguest could use this issue to cause QEMU to crash, resulting in a\ndenial of service, or possibly to obtain sensitive host memory. This\nissue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.\n(CVE-2016-5105, CVE-2016-5106, CVE-2016-5107, CVE-2016-5337)\n\nIt was discovered that QEMU incorrectly handled certain iSCSI\nasynchronous I/O ioctl calls. An attacker inside the guest could use\nthis issue to cause QEMU to crash, resulting in a denial of service,\nor possibly execute arbitrary code on the host. In the default\ninstallation, when QEMU is used with libvirt, attackers would be\nisolated by the libvirt AppArmor profile. This issue only applied to\nUbuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5126)\n\nZhenhao Hong discovered that QEMU incorrectly handled the Virtio\nmodule. A privileged attacker inside the guest could use this issue to\ncause QEMU to crash, resulting in a denial of service. (CVE-2016-5403).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3047-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. / NASL script (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04|14\\.04|16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 16.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"qemu-kvm\", pkgver:\"1.0+noroms-0ubuntu14.29\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system\", pkgver:\"2.0.0+dfsg-2ubuntu1.26\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-aarch64\", pkgver:\"2.0.0+dfsg-2ubuntu1.26\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-arm\", pkgver:\"2.0.0+dfsg-2ubuntu1.26\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-mips\", pkgver:\"2.0.0+dfsg-2ubuntu1.26\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-misc\", pkgver:\"2.0.0+dfsg-2ubuntu1.26\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-ppc\", pkgver:\"2.0.0+dfsg-2ubuntu1.26\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-sparc\", pkgver:\"2.0.0+dfsg-2ubuntu1.26\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-x86\", pkgver:\"2.0.0+dfsg-2ubuntu1.26\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system\", pkgver:\"1:2.5+dfsg-5ubuntu10.3\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-aarch64\", pkgver:\"1:2.5+dfsg-5ubuntu10.3\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-arm\", pkgver:\"1:2.5+dfsg-5ubuntu10.3\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-mips\", pkgver:\"1:2.5+dfsg-5ubuntu10.3\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-misc\", pkgver:\"1:2.5+dfsg-5ubuntu10.3\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-ppc\", pkgver:\"1:2.5+dfsg-5ubuntu10.3\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-s390x\", 
pkgver:\"1:2.5+dfsg-5ubuntu10.3\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-sparc\", pkgver:\"1:2.5+dfsg-5ubuntu10.3\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-x86\", pkgver:\"1:2.5+dfsg-5ubuntu10.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-kvm / qemu-system / qemu-system-aarch64 / qemu-system-arm / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-16T04:54:15", "description": "USN-3047-1 fixed vulnerabilities in QEMU. The patch to fix\nCVE-2016-5403 caused a regression which resulted in save/restore\nfailures when virtio memory balloon statistics are enabled. This\nupdate temporarily reverts the security fix for CVE-2016-5403 pending\nfurther investigation. We apologize for the inconvenience.\n\nLi Qiang discovered that QEMU incorrectly handled 53C9X Fast SCSI\ncontroller emulation. A privileged attacker inside the guest could use\nthis issue to cause QEMU to crash, resulting in a denial of service,\nor possibly execute arbitrary code on the host. In the default\ninstallation, when QEMU is used with libvirt, attackers would be\nisolated by the libvirt AppArmor profile. This issue only applied to\nUbuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-4439, CVE-2016-4441,\nCVE-2016-5238, CVE-2016-5338, CVE-2016-6351)\n\nLi Qiang and Qinghao Tang discovered that QEMU incorrectly\nhandled the VMware VGA module. A privileged attacker inside\nthe guest could use this issue to cause QEMU to crash,\nresulting in a denial of service, or possibly to obtain\nsensitive host memory. (CVE-2016-4453, CVE-2016-4454)\n\nLi Qiang discovered that QEMU incorrectly handled VMWARE\nPVSCSI paravirtual SCSI bus emulation support. 
A privileged\nattacker inside the guest could use this issue to cause QEMU\nto crash, resulting in a denial of service. This issue only\napplied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.\n(CVE-2016-4952)\n\nLi Qiang discovered that QEMU incorrectly handled MegaRAID\nSAS 8708EM2 Host Bus Adapter emulation support. A privileged\nattacker inside the guest could use this issue to cause QEMU\nto crash, resulting in a denial of service, or possibly to\nobtain sensitive host memory. This issue only applied to\nUbuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5105,\nCVE-2016-5106, CVE-2016-5107, CVE-2016-5337)\n\nIt was discovered that QEMU incorrectly handled certain\niSCSI asynchronous I/O ioctl calls. An attacker inside the\nguest could use this issue to cause QEMU to crash, resulting\nin a denial of service, or possibly execute arbitrary code\non the host. In the default installation, when QEMU is used\nwith libvirt, attackers would be isolated by the libvirt\nAppArmor profile. This issue only applied to Ubuntu 14.04\nLTS and Ubuntu 16.04 LTS. (CVE-2016-5126)\n\nZhenhao Hong discovered that QEMU incorrectly handled the\nVirtio module. A privileged attacker inside the guest could\nuse this issue to cause QEMU to crash, resulting in a denial\nof service. (CVE-2016-5403).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 19, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-08-15T00:00:00", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : qemu, qemu-kvm regression (USN-3047-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5106", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-6351", "CVE-2016-5126", "CVE-2016-4441", "CVE-2016-4952", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-4439", "CVE-2016-5107", "CVE-2016-4454"], "modified": "2016-08-15T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x", "p-cpe:/a:canonical:ubuntu_linux:qemu-system", "cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc", "p-cpe:/a:canonical:ubuntu_linux:qemu-kvm", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3047-2.NASL", "href": "https://www.tenable.com/plugins/nessus/92966", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3047-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92966);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/15\");\n\n script_cve_id(\"CVE-2016-4439\", \"CVE-2016-4441\", \"CVE-2016-4453\", \"CVE-2016-4454\", \"CVE-2016-4952\", \"CVE-2016-5105\", \"CVE-2016-5106\", \"CVE-2016-5107\", \"CVE-2016-5126\", \"CVE-2016-5238\", \"CVE-2016-5337\", \"CVE-2016-5338\", \"CVE-2016-5403\", \"CVE-2016-6351\");\n script_xref(name:\"USN\", value:\"3047-2\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : qemu, qemu-kvm regression (USN-3047-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"USN-3047-1 fixed vulnerabilities in QEMU. The patch to fix\nCVE-2016-5403 caused a regression which resulted in save/restore\nfailures when virtio memory balloon statistics are enabled. This\nupdate temporarily reverts the security fix for CVE-2016-5403 pending\nfurther investigation. We apologize for the inconvenience.\n\nLi Qiang discovered that QEMU incorrectly handled 53C9X Fast SCSI\ncontroller emulation. A privileged attacker inside the guest could use\nthis issue to cause QEMU to crash, resulting in a denial of service,\nor possibly execute arbitrary code on the host. In the default\ninstallation, when QEMU is used with libvirt, attackers would be\nisolated by the libvirt AppArmor profile. This issue only applied to\nUbuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-4439, CVE-2016-4441,\nCVE-2016-5238, CVE-2016-5338, CVE-2016-6351)\n\nLi Qiang and Qinghao Tang discovered that QEMU incorrectly\nhandled the VMware VGA module. 
A privileged attacker inside\nthe guest could use this issue to cause QEMU to crash,\nresulting in a denial of service, or possibly to obtain\nsensitive host memory. (CVE-2016-4453, CVE-2016-4454)\n\nLi Qiang discovered that QEMU incorrectly handled VMWARE\nPVSCSI paravirtual SCSI bus emulation support. A privileged\nattacker inside the guest could use this issue to cause QEMU\nto crash, resulting in a denial of service. This issue only\napplied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.\n(CVE-2016-4952)\n\nLi Qiang discovered that QEMU incorrectly handled MegaRAID\nSAS 8708EM2 Host Bus Adapter emulation support. A privileged\nattacker inside the guest could use this issue to cause QEMU\nto crash, resulting in a denial of service, or possibly to\nobtain sensitive host memory. This issue only applied to\nUbuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5105,\nCVE-2016-5106, CVE-2016-5107, CVE-2016-5337)\n\nIt was discovered that QEMU incorrectly handled certain\niSCSI asynchronous I/O ioctl calls. An attacker inside the\nguest could use this issue to cause QEMU to crash, resulting\nin a denial of service, or possibly execute arbitrary code\non the host. In the default installation, when QEMU is used\nwith libvirt, attackers would be isolated by the libvirt\nAppArmor profile. This issue only applied to Ubuntu 14.04\nLTS and Ubuntu 16.04 LTS. (CVE-2016-5126)\n\nZhenhao Hong discovered that QEMU incorrectly handled the\nVirtio module. A privileged attacker inside the guest could\nuse this issue to cause QEMU to crash, resulting in a denial\nof service. (CVE-2016-5403).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3047-2/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. / NASL script (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04|14\\.04|16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 16.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"qemu-kvm\", pkgver:\"1.0+noroms-0ubuntu14.30\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system\", pkgver:\"2.0.0+dfsg-2ubuntu1.27\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-aarch64\", pkgver:\"2.0.0+dfsg-2ubuntu1.27\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-arm\", pkgver:\"2.0.0+dfsg-2ubuntu1.27\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-mips\", pkgver:\"2.0.0+dfsg-2ubuntu1.27\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-misc\", pkgver:\"2.0.0+dfsg-2ubuntu1.27\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-ppc\", pkgver:\"2.0.0+dfsg-2ubuntu1.27\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-sparc\", pkgver:\"2.0.0+dfsg-2ubuntu1.27\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-x86\", pkgver:\"2.0.0+dfsg-2ubuntu1.27\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system\", pkgver:\"1:2.5+dfsg-5ubuntu10.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-aarch64\", pkgver:\"1:2.5+dfsg-5ubuntu10.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-arm\", pkgver:\"1:2.5+dfsg-5ubuntu10.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-mips\", pkgver:\"1:2.5+dfsg-5ubuntu10.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-misc\", pkgver:\"1:2.5+dfsg-5ubuntu10.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-ppc\", pkgver:\"1:2.5+dfsg-5ubuntu10.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-s390x\", 
pkgver:\"1:2.5+dfsg-5ubuntu10.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-sparc\", pkgver:\"1:2.5+dfsg-5ubuntu10.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"qemu-system-x86\", pkgver:\"1:2.5+dfsg-5ubuntu10.4\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-kvm / qemu-system / qemu-system-aarch64 / qemu-system-arm / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T11:05:16", "description": "The remote host is affected by the vulnerability described in GLSA-201609-01\n(QEMU: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in QEMU. Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n Local users within a guest QEMU environment can execute arbitrary code\n within the host or a cause a Denial of Service condition of the QEMU\n guest process.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 24, "cvss3": {"score": 9.0, "vector": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2016-09-26T00:00:00", "title": "GLSA-201609-01 : QEMU: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7156", "CVE-2016-5106", "CVE-2016-4453", "CVE-2016-5338", "CVE-2016-5126", "CVE-2016-4441", "CVE-2016-6834", "CVE-2016-7157", "CVE-2016-7422", "CVE-2016-5238", "CVE-2016-4002", "CVE-2016-4020", "CVE-2016-7421", "CVE-2016-2841", "CVE-2016-5337", "CVE-2016-4001", "CVE-2016-7116", "CVE-2016-6833", "CVE-2016-4439", "CVE-2016-5107", "CVE-2016-4454", "CVE-2016-4964", "CVE-2016-6888", "CVE-2016-6490", "CVE-2016-6836"], "modified": "2016-09-26T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:qemu"], "id": 
"GENTOO_GLSA-201609-01.NASL", "href": "https://www.tenable.com/plugins/nessus/93697", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201609-01.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93697);\n script_version(\"2.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-2841\", \"CVE-2016-4001\", \"CVE-2016-4002\", \"CVE-2016-4020\", \"CVE-2016-4439\", \"CVE-2016-4441\", \"CVE-2016-4453\", \"CVE-2016-4454\", \"CVE-2016-4964\", \"CVE-2016-5106\", \"CVE-2016-5107\", \"CVE-2016-5126\", \"CVE-2016-5238\", \"CVE-2016-5337\", \"CVE-2016-5338\", \"CVE-2016-6490\", \"CVE-2016-6833\", \"CVE-2016-6834\", \"CVE-2016-6836\", \"CVE-2016-6888\", \"CVE-2016-7116\", \"CVE-2016-7156\", \"CVE-2016-7157\", \"CVE-2016-7421\", \"CVE-2016-7422\");\n script_xref(name:\"GLSA\", value:\"201609-01\");\n\n script_name(english:\"GLSA-201609-01 : QEMU: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201609-01\n(QEMU: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in QEMU. 
Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n Local users within a guest QEMU environment can execute arbitrary code\n within the host or a cause a Denial of Service condition of the QEMU\n guest process.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201609-01\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All QEMU users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-emulation/qemu-2.7.0-r3'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-emulation/qemu\", 
unaffected:make_list(\"ge 2.7.0-r3\"), vulnerable:make_list(\"lt 2.7.0-r3\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"QEMU\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4002", "CVE-2016-4453", "CVE-2016-4454", "CVE-2016-4952", "CVE-2016-5105", "CVE-2016-5106", "CVE-2016-5107", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-5338"], "description": "QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system (for example a PC), including a processor and various peripherals. It can be used to launch different Operating Systems without rebooting the PC or to debug system code. * User mode emulation. In this mode, QEMU can launch Linux processes compiled for one CPU on another CPU. As QEMU requires no host kernel patches to run, it is safe and easy to use. ", "modified": "2016-07-02T19:29:05", "published": "2016-07-02T19:29:05", "id": "FEDORA:B465E606E495", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: qemu-2.3.1-16.fc22", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4002", "CVE-2016-4453", "CVE-2016-4454", "CVE-2016-4952", "CVE-2016-5105", "CVE-2016-5106", "CVE-2016-5107", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-5338"], "description": "QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. 
In this mode, QEMU emulates a full system (for example a PC), including a processor and various peripherals. It can be used to launch different Operating Systems without rebooting the PC or to debug system code. * User mode emulation. In this mode, QEMU can launch Linux processes compiled for one CPU on another CPU. As QEMU requires no host kernel patches to run, it is safe and easy to use. ", "modified": "2016-07-02T19:35:10", "published": "2016-07-02T19:35:10", "id": "FEDORA:024136074A54", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: qemu-2.4.1-11.fc23", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4002", "CVE-2016-4453", "CVE-2016-4454", "CVE-2016-4952", "CVE-2016-4964", "CVE-2016-5105", "CVE-2016-5106", "CVE-2016-5107", "CVE-2016-5126", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-5338"], "description": "QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system (for example a PC), including a processor and various peripherals. It can be used to launch different Operating Systems without rebooting the PC or to debug system code. * User mode emulation. In this mode, QEMU can launch Linux processes compiled for one CPU on another CPU. As QEMU requires no host kernel patches to run, it is safe and easy to use. 
", "modified": "2016-06-25T19:31:45", "published": "2016-06-25T19:31:45", "id": "FEDORA:5E2526074A66", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: qemu-2.6.0-4.fc24", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2858", "CVE-2016-4453", "CVE-2016-4454", "CVE-2016-4962", "CVE-2016-4963", "CVE-2016-5238", "CVE-2016-5242", "CVE-2016-5337", "CVE-2016-5338"], "description": "This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor ", "modified": "2016-06-17T16:02:42", "published": "2016-06-17T16:02:42", "id": "FEDORA:AD4AA60ABD9A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: xen-4.5.3-8.fc23", "cvss": {"score": 6.8, "vector": "AV:L/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5337", "CVE-2016-5338"], "description": "This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor ", "modified": "2016-06-22T01:23:54", "published": "2016-06-22T01:23:54", "id": "FEDORA:5659A6058507", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: xen-4.5.3-8.fc22", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5337", "CVE-2016-5338"], "description": "This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor ", "modified": "2016-06-18T19:06:55", "published": "2016-06-18T19:06:55", "id": "FEDORA:61A4360802D0", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: xen-4.6.1-12.fc24", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": 
["CVE-2016-2858", "CVE-2016-4453", "CVE-2016-4454", "CVE-2016-4962", "CVE-2016-4963", "CVE-2016-5238", "CVE-2016-5242"], "description": "This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor ", "modified": "2016-06-18T19:34:42", "published": "2016-06-18T19:34:42", "id": "FEDORA:202BC60D2E7A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: xen-4.6.1-11.fc24", "cvss": {"score": 6.8, "vector": "AV:L/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3672", "CVE-2016-4439", "CVE-2016-4441", "CVE-2016-5105", "CVE-2016-5106"], "description": "This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor ", "modified": "2016-06-12T22:54:11", "published": "2016-06-12T22:54:11", "id": "FEDORA:937A36079255", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: xen-4.5.3-6.fc22", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3672", "CVE-2016-4439", "CVE-2016-4441", "CVE-2016-5105", "CVE-2016-5106"], "description": "This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor ", "modified": "2016-05-30T21:24:04", "published": "2016-05-30T21:24:04", "id": "FEDORA:49D0F60CE3C2", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: xen-4.6.1-10.fc24", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3672", "CVE-2016-4439", "CVE-2016-4441", "CVE-2016-5105", "CVE-2016-5106"], "description": "This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor ", "modified": 
"2016-06-05T02:58:46", "published": "2016-06-05T02:58:46", "id": "FEDORA:92233616B82A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: xen-4.5.3-6.fc23", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:35:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5106", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-4952", "CVE-2016-5238", "CVE-2016-4002", "CVE-2016-5337", "CVE-2016-5107", "CVE-2016-4454"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-07-10T00:00:00", "id": "OPENVAS:1361412562310808569", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808569", "type": "openvas", "title": "Fedora Update for qemu FEDORA-2016-ea3002b577", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for qemu FEDORA-2016-ea3002b577\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808569\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-10 07:18:47 +0200 (Sun, 10 Jul 2016)\");\n script_cve_id(\"CVE-2016-4002\", \"CVE-2016-4952\", \"CVE-2016-5106\", \"CVE-2016-5105\",\n \"CVE-2016-5107\", \"CVE-2016-4454\", \"CVE-2016-4453\", \"CVE-2016-5238\",\n \"CVE-2016-5338\", \"CVE-2016-5337\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for qemu FEDORA-2016-ea3002b577\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qemu'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"qemu on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-ea3002b577\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6C3NNYU4DFFXANEGCTDELEUJYXSDPML\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"qemu\", rpm:\"qemu~2.3.1~16.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5106", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-4952", "CVE-2016-5238", "CVE-2016-4002", "CVE-2016-5337", "CVE-2016-5107", "CVE-2016-4454"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-07-10T00:00:00", "id": "OPENVAS:1361412562310808561", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808561", "type": "openvas", "title": "Fedora Update for qemu FEDORA-2016-73853a7a16", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for qemu FEDORA-2016-73853a7a16\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808561\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-10 07:20:20 +0200 (Sun, 10 Jul 2016)\");\n script_cve_id(\"CVE-2016-4002\", \"CVE-2016-4952\", \"CVE-2016-5106\", \"CVE-2016-5105\",\n \"CVE-2016-5107\", \"CVE-2016-4454\", \"CVE-2016-4453\", \"CVE-2016-5238\",\n \"CVE-2016-5338\", \"CVE-2016-5337\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for qemu FEDORA-2016-73853a7a16\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qemu'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"qemu on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-73853a7a16\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXGARZJ7L3P6BMXHVWTZBIMFPV5ONPDB\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"qemu\", rpm:\"qemu~2.4.1~11.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5106", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5126", "CVE-2016-4952", "CVE-2016-5238", "CVE-2016-4002", "CVE-2016-5337", "CVE-2016-5107", "CVE-2016-4454", "CVE-2016-4964"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-06-27T00:00:00", "id": "OPENVAS:1361412562310808485", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808485", "type": "openvas", "title": "Fedora Update for qemu FEDORA-2016-a80eab65ba", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for qemu FEDORA-2016-a80eab65ba\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808485\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-27 05:45:17 +0200 (Mon, 27 Jun 2016)\");\n script_cve_id(\"CVE-2016-4002\", \"CVE-2016-4952\", \"CVE-2016-4964\", \"CVE-2016-5106\",\n \"CVE-2016-5105\", \"CVE-2016-5107\", \"CVE-2016-4454\", \"CVE-2016-4453\",\n \"CVE-2016-5126\", \"CVE-2016-5238\", \"CVE-2016-5338\", \"CVE-2016-5337\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for qemu FEDORA-2016-a80eab65ba\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qemu'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"qemu on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-a80eab65ba\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S3BTAPSNRRE3KNPXA23MAHEY7NOE424J\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security 
Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"qemu\", rpm:\"qemu~2.6.0~4.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5106", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-6351", "CVE-2016-5126", "CVE-2016-4441", "CVE-2016-4952", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-4439", "CVE-2016-5107", "CVE-2016-4454"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-08-08T00:00:00", "id": "OPENVAS:1361412562310842845", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842845", "type": "openvas", "title": "Ubuntu Update for qemu USN-3047-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for qemu USN-3047-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842845\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-08 15:11:56 +0530 (Mon, 08 Aug 2016)\");\n script_cve_id(\"CVE-2016-4439\", \"CVE-2016-4441\", \"CVE-2016-5238\", \"CVE-2016-5338\", \"CVE-2016-6351\", \"CVE-2016-4453\", \"CVE-2016-4454\", \"CVE-2016-4952\", \"CVE-2016-5105\", \"CVE-2016-5106\", \"CVE-2016-5107\", \"CVE-2016-5337\", \"CVE-2016-5126\", \"CVE-2016-5403\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for qemu USN-3047-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qemu'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Li Qiang discovered that QEMU incorrectly handled 53C9X Fast SCSI\ncontroller emulation. A privileged attacker inside the guest could use this\nissue to cause QEMU to crash, resulting in a denial of service, or possibly\nexecute arbitrary code on the host. In the default installation, when QEMU\nis used with libvirt, attackers would be isolated by the libvirt AppArmor\nprofile. 
This issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.\n(CVE-2016-4439, CVE-2016-4441, CVE-2016-5238, CVE-2016-5338, CVE-2016-6351)\n\nLi Qiang and Qinghao Tang discovered that QEMU incorrectly handled the\nVMWare VGA module. A privileged attacker inside the guest could use this\nissue to cause QEMU to crash, resulting in a denial of service, or possibly\nto obtain sensitive host memory. (CVE-2016-4453, CVE-2016-4454)\n\nLi Qiang discovered that QEMU incorrectly handled VMWARE PVSCSI paravirtual\nSCSI bus emulation support. A privileged attacker inside the guest could\nuse this issue to cause QEMU to crash, resulting in a denial of service.\nThis issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.\n(CVE-2016-4952)\n\nLi Qiang discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host\nBus Adapter emulation support. A privileged attacker inside the guest could\nuse this issue to cause QEMU to crash, resulting in a denial of service, or\npossibly to obtain sensitive host memory. This issue only applied to Ubuntu\n14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5105, CVE-2016-5106,\nCVE-2016-5107, CVE-2016-5337)\n\nIt was discovered that QEMU incorrectly handled certain iSCSI asynchronous\nI/O ioctl calls. An attacker inside the guest could use this issue to cause\nQEMU to crash, resulting in a denial of service, or possibly execute\narbitrary code on the host. In the default installation, when QEMU is used\nwith libvirt, attackers would be isolated by the libvirt AppArmor profile.\nThis issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.\n(CVE-2016-5126)\n\nZhenhao Hong discovered that QEMU incorrectly handled the Virtio module. A\nprivileged attacker inside the guest could use this issue to cause QEMU to\ncrash, resulting in a denial of service. 
(CVE-2016-5403)\");\n script_tag(name:\"affected\", value:\"qemu on Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3047-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3047-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"qemu-system\", ver:\"2.0.0+dfsg-2ubuntu1.26\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-aarch64\", ver:\"2.0.0+dfsg-2ubuntu1.26\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-arm\", ver:\"2.0.0+dfsg-2ubuntu1.26\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-mips\", ver:\"2.0.0+dfsg-2ubuntu1.26\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-misc\", ver:\"2.0.0+dfsg-2ubuntu1.26\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-ppc\", ver:\"2.0.0+dfsg-2ubuntu1.26\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"qemu-system-sparc\", ver:\"2.0.0+dfsg-2ubuntu1.26\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-x86\", ver:\"2.0.0+dfsg-2ubuntu1.26\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"qemu-kvm\", ver:\"1.0+noroms-0ubuntu14.29\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"qemu-system\", ver:\"1:2.5+dfsg-5ubuntu10.3\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-aarch64\", ver:\"1:2.5+dfsg-5ubuntu10.3\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-arm\", ver:\"1:2.5+dfsg-5ubuntu10.3\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-mips\", ver:\"1:2.5+dfsg-5ubuntu10.3\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-misc\", ver:\"1:2.5+dfsg-5ubuntu10.3\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-ppc\", ver:\"1:2.5+dfsg-5ubuntu10.3\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-s390x\", ver:\"1:2.5+dfsg-5ubuntu10.3\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-sparc\", ver:\"1:2.5+dfsg-5ubuntu10.3\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n 
}\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-x86\", ver:\"1:2.5+dfsg-5ubuntu10.3\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5106", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-6351", "CVE-2016-5126", "CVE-2016-4441", "CVE-2016-4952", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-4439", "CVE-2016-5107", "CVE-2016-4454"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-08-13T00:00:00", "id": "OPENVAS:1361412562310842861", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842861", "type": "openvas", "title": "Ubuntu Update for qemu USN-3047-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for qemu USN-3047-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842861\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-13 05:52:38 +0200 (Sat, 13 Aug 2016)\");\n script_cve_id(\"CVE-2016-5403\", \"CVE-2016-4439\", \"CVE-2016-4441\", \"CVE-2016-5238\",\n\t\t\"CVE-2016-5338\", \"CVE-2016-6351\", \"CVE-2016-4453\", \"CVE-2016-4454\",\n\t\t\"CVE-2016-4952\", \"CVE-2016-5105\", \"CVE-2016-5106\", \"CVE-2016-5107\",\n\t\t\"CVE-2016-5337\", \"CVE-2016-5126\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for qemu USN-3047-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qemu'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3047-1 fixed vulnerabilities in QEMU.\n The patch to fix CVE-2016-5403 caused a regression which resulted in save/restore\n failures when virtio memory balloon statistics are enabled. This update\n temporarily reverts the security fix for CVE-2016-5403 pending further\n investigation. We apologize for the inconvenience.\n\nOriginal advisory details:\n\nLi Qiang discovered that QEMU incorrectly handled 53C9X Fast SCSI\ncontroller emulation. 
A privileged attacker inside the guest could use this\nissue to cause QEMU to crash, resulting in a denial of service, or possibly\nexecute arbitrary code on the host. In the default installation, when QEMU\nis used with libvirt, attackers would be isolated by the libvirt AppArmor\nprofile. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.\n(CVE-2016-4439, CVE-2016-4441, CVE-2016-5238, CVE-2016-5338, CVE-2016-6351)\nLi Qiang and Qinghao Tang discovered that QEMU incorrectly handled the\nVMWare VGA module. A privileged attacker inside the guest could use this\nissue to cause QEMU to crash, resulting in a denial of service, or possibly\nto obtain sensitive host memory. (CVE-2016-4453, CVE-2016-4454)\nLi Qiang discovered that QEMU incorrectly handled VMWARE PVSCSI paravirtual\nSCSI bus emulation support. A privileged attacker inside the guest could\nuse this issue to cause QEMU to crash, resulting in a denial of service.\nThis issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.\n(CVE-2016-4952)\nLi Qiang discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host\nBus Adapter emulation support. A privileged attacker inside the guest could\nuse this issue to cause QEMU to crash, resulting in a denial of service, or\npossibly to obtain sensitive host memory. This issue only applied to Ubuntu\n14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5105, CVE-2016-5106,\nCVE-2016-5107, CVE-2016-5337)\nIt was discovered that QEMU incorrectly handled certain iSCSI asynchronous\nI/O ioctl calls. An attacker inside the guest could use this issue to cause\nQEMU to crash, resulting in a denial of service, or possibly execute\narbitrary code on the host. In the default installation, when QEMU is used\nwith libvirt, attackers would be isolated by the libvirt AppArmor profile.\nThis issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.\n(CVE-2016-5126)\nZhenhao Hong discovered that QEMU incorrectly handled the Virtio module. 
A\nprivileged attacker inside the guest could use this issue to cause QEMU to\ncrash, resulting in a denial of service. (CVE-2016-5403)\");\n script_tag(name:\"affected\", value:\"qemu on Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3047-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3047-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"qemu-system\", ver:\"2.0.0+dfsg-2ubuntu1.27\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-aarch64\", ver:\"2.0.0+dfsg-2ubuntu1.27\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-arm\", ver:\"2.0.0+dfsg-2ubuntu1.27\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-mips\", ver:\"2.0.0+dfsg-2ubuntu1.27\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-misc\", ver:\"2.0.0+dfsg-2ubuntu1.27\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-ppc\", ver:\"2.0.0+dfsg-2ubuntu1.27\", 
rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-sparc\", ver:\"2.0.0+dfsg-2ubuntu1.27\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-x86\", ver:\"2.0.0+dfsg-2ubuntu1.27\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"qemu-kvm\", ver:\"1.0+noroms-0ubuntu14.30\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"qemu-system\", ver:\"1:2.5+dfsg-5ubuntu10.4\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-aarch64\", ver:\"1:2.5+dfsg-5ubuntu10.4\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-arm\", ver:\"1:2.5+dfsg-5ubuntu10.4\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-mips\", ver:\"1:2.5+dfsg-5ubuntu10.4\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-misc\", ver:\"1:2.5+dfsg-5ubuntu10.4\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-ppc\", ver:\"1:2.5+dfsg-5ubuntu10.4\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-s390x\", ver:\"1:2.5+dfsg-5ubuntu10.4\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-sparc\", 
ver:\"1:2.5+dfsg-5ubuntu10.4\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-x86\", ver:\"1:2.5+dfsg-5ubuntu10.4\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2858", "CVE-2016-4453", "CVE-2016-5338", "CVE-2016-4963", "CVE-2016-5242", "CVE-2016-4962", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-4454"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-06-18T00:00:00", "id": "OPENVAS:1361412562310808440", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808440", "type": "openvas", "title": "Fedora Update for xen FEDORA-2016-103752d2a9", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for xen FEDORA-2016-103752d2a9\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808440\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-18 05:26:52 +0200 (Sat, 18 Jun 2016)\");\n script_cve_id(\"CVE-2016-5338\", \"CVE-2016-5337\", \"CVE-2016-2858\", \"CVE-2016-4962\",\n \"CVE-2016-4963\", \"CVE-2016-4454\", \"CVE-2016-4453\", \"CVE-2016-5238\",\n \"CVE-2016-5242\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for xen FEDORA-2016-103752d2a9\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xen'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"xen on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-103752d2a9\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q6VLTICLX3FBFIKZAPPUDJEAJ4T7FO43\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"xen\", rpm:\"xen~4.5.3~8.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:L/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5403", "CVE-2016-5126"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-08-12T00:00:00", "id": "OPENVAS:1361412562310871651", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871651", "type": "openvas", "title": "RedHat Update for qemu-kvm RHSA-2016:1606-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for qemu-kvm RHSA-2016:1606-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871651\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-12 05:47:07 +0200 (Fri, 12 Aug 2016)\");\n script_cve_id(\"CVE-2016-5126\", \"CVE-2016-5403\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for qemu-kvm RHSA-2016:1606-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qemu-kvm'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"KVM (Kernel-based Virtual Machine) is a\nfull virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm\npackages provide the user-space component for running virtual machines using KVM.\n\nSecurity Fix(es):\n\n * Quick Emulator(Qemu) built with the Block driver for iSCSI images support\n(virtio-blk) is vulnerable to a heap buffer overflow issue. It could occur\nwhile processing iSCSI asynchronous I/O ioctl(2) calls. A user inside guest\ncould use this flaw to crash the Qemu process resulting in DoS or\npotentially leverage it to execute arbitrary code with privileges of the\nQemu process on the host. 
(CVE-2016-5126)\n\n * Quick emulator(Qemu) built with the virtio framework is vulnerable to an\nunbounded memory allocation issue. It was found that a malicious guest user\ncould submit more requests than the virtqueue size permits. Processing a\nrequest allocates a VirtQueueElement and therefore causes unbounded memory\nallocation on the host controlled by the guest. (CVE-2016-5403)\n\nRed Hat would like to thank hongzhenhao (Marvel Team) for reporting\nCVE-2016-5403.\");\n script_tag(name:\"affected\", value:\"qemu-kvm on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:1606-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-August/msg00028.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"libcacard\", rpm:\"libcacard~1.5.3~105.el7_2.7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-img\", rpm:\"qemu-img~1.5.3~105.el7_2.7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm\", rpm:\"qemu-kvm~1.5.3~105.el7_2.7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm-common\", rpm:\"qemu-kvm-common~1.5.3~105.el7_2.7\", rls:\"RHENT_7\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm-debuginfo\", rpm:\"qemu-kvm-debuginfo~1.5.3~105.el7_2.7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm-tools\", rpm:\"qemu-kvm-tools~1.5.3~105.el7_2.7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:34:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5403", "CVE-2016-5126"], "description": "Check the version of libcacard", "modified": "2019-03-08T00:00:00", "published": "2016-08-13T00:00:00", "id": "OPENVAS:1361412562310882541", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882541", "type": "openvas", "title": "CentOS Update for libcacard CESA-2016:1606 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for libcacard CESA-2016:1606 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882541\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-13 05:51:27 +0200 (Sat, 13 Aug 2016)\");\n script_cve_id(\"CVE-2016-5126\", \"CVE-2016-5403\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for libcacard CESA-2016:1606 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of libcacard\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"KVM (Kernel-based Virtual Machine) is a\nfull virtualization solution for Linux on AMD64 and Intel 64 systems.\nThe qemu-kvm packages provide the user-space component for running virtual\nmachines using KVM.\n\nSecurity Fix(es):\n\n * Quick Emulator(Qemu) built with the Block driver for iSCSI images support\n(virtio-blk) is vulnerable to a heap buffer overflow issue. It could occur\nwhile processing iSCSI asynchronous I/O ioctl(2) calls. A user inside guest\ncould use this flaw to crash the Qemu process resulting in DoS or\npotentially leverage it to execute arbitrary code with privileges of the\nQemu process on the host. (CVE-2016-5126)\n\n * Quick emulator(Qemu) built with the virtio framework is vulnerable to an\nunbounded memory allocation issue. 
It was found that a malicious guest user\ncould submit more requests than the virtqueue size permits. Processing a\nrequest allocates a VirtQueueElement and therefore causes unbounded memory\nallocation on the host controlled by the guest. (CVE-2016-5403)\n\nRed Hat would like to thank hongzhenhao (Marvel Team) for reporting\nCVE-2016-5403.\");\n script_tag(name:\"affected\", value:\"libcacard on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:1606\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-August/022037.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"libcacard\", rpm:\"libcacard~1.5.3~105.el7_2.7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libcacard-devel\", rpm:\"libcacard-devel~1.5.3~105.el7_2.7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libcacard-tools\", rpm:\"libcacard-tools~1.5.3~105.el7_2.7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-img\", rpm:\"qemu-img~1.5.3~105.el7_2.7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm\", rpm:\"qemu-kvm~1.5.3~105.el7_2.7\", rls:\"CentOS7\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm-common\", rpm:\"qemu-kvm-common~1.5.3~105.el7_2.7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm-tools\", rpm:\"qemu-kvm-tools~1.5.3~105.el7_2.7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-01-31T18:34:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5106", "CVE-2016-3158", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-6351", "CVE-2016-5126", "CVE-2016-4441", "CVE-2016-3712", "CVE-2016-6834", "CVE-2016-6835", "CVE-2016-4963", "CVE-2016-3960", "CVE-2016-7092", "CVE-2016-4962", "CVE-2016-4952", "CVE-2016-3710", "CVE-2016-7093", "CVE-2016-4480", "CVE-2016-6258", "CVE-2016-5238", "CVE-2016-4002", "CVE-2016-4020", "CVE-2016-7154", "CVE-2016-5337", "CVE-2016-4001", "CVE-2016-7094", "CVE-2016-4037", "CVE-2014-3672", "CVE-2016-6833", "CVE-2016-4439", "CVE-2016-5107", "CVE-2016-4454", "CVE-2014-3615", "CVE-2016-3159", "CVE-2016-6888", "CVE-2016-6836"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310851408", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851408", "type": "openvas", "title": "openSUSE: Security Advisory for xen (openSUSE-SU-2016:2497-1)", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the 
License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851408\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 05:48:02 +0200 (Wed, 12 Oct 2016)\");\n script_cve_id(\"CVE-2014-3615\", \"CVE-2014-3672\", \"CVE-2016-3158\", \"CVE-2016-3159\",\n \"CVE-2016-3710\", \"CVE-2016-3712\", \"CVE-2016-3960\", \"CVE-2016-4001\",\n \"CVE-2016-4002\", \"CVE-2016-4020\", \"CVE-2016-4037\", \"CVE-2016-4439\",\n \"CVE-2016-4441\", \"CVE-2016-4453\", \"CVE-2016-4454\", \"CVE-2016-4480\",\n \"CVE-2016-4952\", \"CVE-2016-4962\", \"CVE-2016-4963\", \"CVE-2016-5105\",\n \"CVE-2016-5106\", \"CVE-2016-5107\", \"CVE-2016-5126\", \"CVE-2016-5238\",\n \"CVE-2016-5337\", \"CVE-2016-5338\", \"CVE-2016-5403\", \"CVE-2016-6258\",\n \"CVE-2016-6351\", \"CVE-2016-6833\", \"CVE-2016-6834\", \"CVE-2016-6835\",\n \"CVE-2016-6836\", \"CVE-2016-6888\", \"CVE-2016-7092\", \"CVE-2016-7093\",\n \"CVE-2016-7094\", \"CVE-2016-7154\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for xen (openSUSE-SU-2016:2497-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xen'\n package(s) announced via the referenced advisory.\");\n\n 
script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for xen fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2016-7092: The get_page_from_l3e function in arch/x86/mm.c in Xen\n allowed local 32-bit PV guest OS administrators to gain host OS\n privileges via vectors related to L3 recursive pagetables (bsc#995785)\n\n - CVE-2016-7093: Xen allowed local HVM guest OS administrators to\n overwrite hypervisor memory and consequently gain host OS privileges by\n leveraging mishandling of instruction pointer truncation during\n emulation (bsc#995789)\n\n - CVE-2016-7094: Buffer overflow in Xen allowed local x86 HVM guest OS\n administrators on guests running with shadow paging to cause a denial of\n service via a pagetable update (bsc#995792)\n\n - CVE-2016-7154: Use-after-free vulnerability in the FIFO event channel\n code in Xen allowed local guest OS administrators to cause a denial of\n service (host crash) and possibly execute arbitrary code or obtain\n sensitive information via an invalid guest frame number (bsc#997731)\n\n - CVE-2016-6836: VMWARE VMXNET3 NIC device support was leaking\n information. A privileged user inside guest could have used this to leak\n host memory bytes to a guest (boo#994761)\n\n - CVE-2016-6888: Integer overflow in packet initialisation in VMXNET3\n device driver. A privileged user inside guest could have used this flaw\n to crash the Qemu instance resulting in DoS (bsc#994772)\n\n - CVE-2016-6833: Use-after-free issue in the VMWARE VMXNET3 NIC device\n support. 
A privileged user inside guest could have used this issue to\n crash the Qemu instance resulting in DoS (boo#994775)\n\n - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC device support,\n causing an OOB read access (bsc#994625)\n\n - CVE-2016-6834: An infinite loop during packet fragmentation in the VMWARE\n VMXNET3 NIC device support allowed privileged user inside guest to crash\n the Qemu instance resulting in DoS (bsc#994421)\n\n - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in Xen allowed\n local 32-bit PV guest OS administrators to gain host OS privileges by\n leveraging fast-paths for updating pagetable entries (bsc#988675)\n\n - CVE-2016-5403: The virtqueue_pop function in hw/virtio/virtio.c in QEMU\n allowed local guest OS administrators to cause a denial of service\n (memory consumption and QEMU process crash) by submitting requests\n without waiting for completion (boo#990923)\n\n - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c, when built with\n ESP/NCR53C9x controller emulation support, allowed local guest OS\n administrators to cause a denial of service (out-of-bounds write and\n QEMU process cras ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"xen on openSUSE 13.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:2497-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE13\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = 
\"\";\n\nif(release == \"openSUSE13.2\")\n{\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-debugsource\", rpm:\"xen-debugsource~4.4.4_05~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-devel\", rpm:\"xen-devel~4.4.4_05~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs\", rpm:\"xen-libs~4.4.4_05~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs-debuginfo\", rpm:\"xen-libs-debuginfo~4.4.4_05~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools-domU\", rpm:\"xen-tools-domU~4.4.4_05~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools-domU-debuginfo\", rpm:\"xen-tools-domU-debuginfo~4.4.4_05~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen\", rpm:\"xen~4.4.4_05~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-doc-html\", rpm:\"xen-doc-html~4.4.4_05~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-default\", rpm:\"xen-kmp-default~4.4.4_05_k3.16.7_42~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-default-debuginfo\", rpm:\"xen-kmp-default-debuginfo~4.4.4_05_k3.16.7_42~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-desktop\", rpm:\"xen-kmp-desktop~4.4.4_05_k3.16.7_42~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-desktop-debuginfo\", rpm:\"xen-kmp-desktop-debuginfo~4.4.4_05_k3.16.7_42~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs-32bit\", rpm:\"xen-libs-32bit~4.4.4_05~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"xen-libs-debuginfo-32bit\", rpm:\"xen-libs-debuginfo-32bit~4.4.4_05~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools\", rpm:\"xen-tools~4.4.4_05~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools-debuginfo\", rpm:\"xen-tools-debuginfo~4.4.4_05~49.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5338", "CVE-2016-5337"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-06-19T00:00:00", "id": "OPENVAS:1361412562310808461", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808461", "type": "openvas", "title": "Fedora Update for xen FEDORA-2016-cf396bc041", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for xen FEDORA-2016-cf396bc041\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808461\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-19 05:26:34 +0200 (Sun, 19 Jun 2016)\");\n script_cve_id(\"CVE-2016-5338\", \"CVE-2016-5337\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for xen FEDORA-2016-cf396bc041\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xen'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"xen on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-cf396bc041\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C5RHJM3AHLK4MLXZ6GY5NZSUL3O2WBE\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"xen\", rpm:\"xen~4.6.1~12.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:35:30", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5106", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-6351", "CVE-2016-5126", "CVE-2016-4441", "CVE-2016-4952", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-4439", "CVE-2016-5107", "CVE-2016-4454"], "description": "USN-3047-1 fixed vulnerabilities in QEMU. The patch to fix CVE-2016-5403 \ncaused a regression which resulted in save/restore failures when virtio \nmemory balloon statistics are enabled. This update temporarily reverts the \nsecurity fix for CVE-2016-5403 pending further investigation. We apologize \nfor the inconvenience.\n\nOriginal advisory details:\n\nLi Qiang discovered that QEMU incorrectly handled 53C9X Fast SCSI \ncontroller emulation. A privileged attacker inside the guest could use this \nissue to cause QEMU to crash, resulting in a denial of service, or possibly \nexecute arbitrary code on the host. In the default installation, when QEMU \nis used with libvirt, attackers would be isolated by the libvirt AppArmor \nprofile. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. \n(CVE-2016-4439, CVE-2016-4441, CVE-2016-5238, CVE-2016-5338, CVE-2016-6351)\n\nLi Qiang and Qinghao Tang discovered that QEMU incorrectly handled the \nVMWare VGA module. A privileged attacker inside the guest could use this \nissue to cause QEMU to crash, resulting in a denial of service, or possibly \nto obtain sensitive host memory. 
(CVE-2016-4453, CVE-2016-4454)\n\nLi Qiang discovered that QEMU incorrectly handled VMWARE PVSCSI paravirtual \nSCSI bus emulation support. A privileged attacker inside the guest could \nuse this issue to cause QEMU to crash, resulting in a denial of service. \nThis issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. \n(CVE-2016-4952)\n\nLi Qiang discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host \nBus Adapter emulation support. A privileged attacker inside the guest could \nuse this issue to cause QEMU to crash, resulting in a denial of service, or \npossibly to obtain sensitive host memory. This issue only applied to Ubuntu \n14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5105, CVE-2016-5106, \nCVE-2016-5107, CVE-2016-5337)\n\nIt was discovered that QEMU incorrectly handled certain iSCSI asynchronous \nI/O ioctl calls. An attacker inside the guest could use this issue to cause \nQEMU to crash, resulting in a denial of service, or possibly execute \narbitrary code on the host. In the default installation, when QEMU is used \nwith libvirt, attackers would be isolated by the libvirt AppArmor profile. \nThis issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. \n(CVE-2016-5126)\n\nZhenhao Hong discovered that QEMU incorrectly handled the Virtio module. A \nprivileged attacker inside the guest could use this issue to cause QEMU to \ncrash, resulting in a denial of service. 
(CVE-2016-5403)", "edition": 5, "modified": "2016-08-12T00:00:00", "published": "2016-08-12T00:00:00", "id": "USN-3047-2", "href": "https://ubuntu.com/security/notices/USN-3047-2", "title": "QEMU regression", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:37:30", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5106", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-6351", "CVE-2016-5126", "CVE-2016-4441", "CVE-2016-4952", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-4439", "CVE-2016-5107", "CVE-2016-4454"], "description": "Li Qiang discovered that QEMU incorrectly handled 53C9X Fast SCSI \ncontroller emulation. A privileged attacker inside the guest could use this \nissue to cause QEMU to crash, resulting in a denial of service, or possibly \nexecute arbitrary code on the host. In the default installation, when QEMU \nis used with libvirt, attackers would be isolated by the libvirt AppArmor \nprofile. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. \n(CVE-2016-4439, CVE-2016-4441, CVE-2016-5238, CVE-2016-5338, CVE-2016-6351)\n\nLi Qiang and Qinghao Tang discovered that QEMU incorrectly handled the \nVMWare VGA module. A privileged attacker inside the guest could use this \nissue to cause QEMU to crash, resulting in a denial of service, or possibly \nto obtain sensitive host memory. (CVE-2016-4453, CVE-2016-4454)\n\nLi Qiang discovered that QEMU incorrectly handled VMWARE PVSCSI paravirtual \nSCSI bus emulation support. A privileged attacker inside the guest could \nuse this issue to cause QEMU to crash, resulting in a denial of service. \nThis issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. \n(CVE-2016-4952)\n\nLi Qiang discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host \nBus Adapter emulation support. 
A privileged attacker inside the guest could \nuse this issue to cause QEMU to crash, resulting in a denial of service, or \npossibly to obtain sensitive host memory. This issue only applied to Ubuntu \n14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5105, CVE-2016-5106, \nCVE-2016-5107, CVE-2016-5337)\n\nIt was discovered that QEMU incorrectly handled certain iSCSI asynchronous \nI/O ioctl calls. An attacker inside the guest could use this issue to cause \nQEMU to crash, resulting in a denial of service, or possibly execute \narbitrary code on the host. In the default installation, when QEMU is used \nwith libvirt, attackers would be isolated by the libvirt AppArmor profile. \nThis issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. \n(CVE-2016-5126)\n\nZhenhao Hong discovered that QEMU incorrectly handled the Virtio module. A \nprivileged attacker inside the guest could use this issue to cause QEMU to \ncrash, resulting in a denial of service. (CVE-2016-5403)", "edition": 5, "modified": "2016-08-04T00:00:00", "published": "2016-08-04T00:00:00", "id": "USN-3047-1", "href": "https://ubuntu.com/security/notices/USN-3047-1", "title": "QEMU vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2016-09-26T00:38:54", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7156", "CVE-2016-5106", "CVE-2016-4453", "CVE-2016-5338", "CVE-2016-5126", "CVE-2016-4441", "CVE-2016-6834", "CVE-2016-7157", "CVE-2016-7422", "CVE-2016-5238", "CVE-2016-4002", "CVE-2016-4020", "CVE-2016-2841", "CVE-2016-5337", "CVE-2016-4001", "CVE-2016-7116", "CVE-2016-6833", "CVE-2016-4439", "CVE-2016-5107", "CVE-2016-4454", "CVE-2016-4964", "CVE-2016-6888", "CVE-2016-6490", "CVE-2016-6836"], "description": "### Background\n\nQEMU is a generic and open source machine emulator and virtualizer.\n\n### Description\n\nMultiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. 
\n\n### Impact\n\nLocal users within a guest QEMU environment can execute arbitrary code within the host or a cause a Denial of Service condition of the QEMU guest process. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll QEMU users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/qemu-2.7.0-r2\"", "edition": 1, "modified": "2016-09-25T00:00:00", "published": "2016-09-25T00:00:00", "id": "GLSA-201609-01", "href": "https://security.gentoo.org/glsa/201609-01", "type": "gentoo", "title": "QEMU: Multiple vulnerabilities", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2021-02-02T06:28:11", "description": "hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings.", "edition": 7, "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 4.4, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2016-12-10T00:59:00", "title": "CVE-2016-7155", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, 
"impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7155"], "modified": "2020-10-15T17:23:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:qemu:qemu:2.7.1"], "id": "CVE-2016-7155", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7155", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.7.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:10", "description": "Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU process crash) via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference.", "edition": 7, "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 4.4, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2016-12-10T00:59:00", "title": "CVE-2016-6888", "type": "cve", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6888"], "modified": "2020-10-15T17:16:00", "cpe": ["cpe:/a:qemu:qemu:2.7.0", "cpe:/a:redhat:openstack:7.0", "cpe:/a:redhat:openstack:9.0", 
"cpe:/a:redhat:openstack:6.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:redhat:openstack:11.0", "cpe:/a:qemu:qemu:2.6.2", "cpe:/a:redhat:openstack:8.0", "cpe:/a:redhat:virtualization:4.0", "cpe:/a:redhat:openstack:10"], "id": "CVE-2016-6888", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6888", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.7.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.7.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.7.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.7.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:10", "description": "The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer.", "edition": 7, "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 4.4, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2016-12-10T00:59:00", "title": "CVE-2016-6490", "type": "cve", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6490"], "modified": "2020-10-15T19:28:00", "cpe": ["cpe:/a:qemu:qemu:2.7.0", "cpe:/a:qemu:qemu:2.6.2"], "id": "CVE-2016-6490", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6490", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:qemu:qemu:2.7.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.6.2:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:11", "description": "The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging an incorrect cast.", "edition": 7, "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 4.4, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2016-12-10T00:59:00", "title": "CVE-2016-7156", "type": "cve", "cwe": ["CWE-704"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7156"], "modified": "2020-10-15T17:24:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:qemu:qemu:2.7.1"], "id": "CVE-2016-7156", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7156", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.7.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:11", "description": "Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string.", "edition": 7, "cvss3": {"exploitabilityScore": 1.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.0, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 4.0}, "published": "2016-12-10T00:59:00", "title": "CVE-2016-7116", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7116"], "modified": "2020-10-15T17:18:00", "cpe": ["cpe:/a:qemu:qemu:2.7.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:qemu:qemu:2.6.2"], "id": "CVE-2016-7116", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7116", "cvss": {"score": 2.1, "vector": 
"AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.7.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.7.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.7.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.7.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.7.0:rc4:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:10", "description": "Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device is active.", "edition": 7, "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 4.4, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2016-12-10T00:59:00", "title": "CVE-2016-6833", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6833"], "modified": "2020-10-15T19:29:00", "cpe": ["cpe:/a:qemu:qemu:2.7.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:qemu:qemu:2.6.2"], "id": "CVE-2016-6833", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6833", "cvss": {"score": 2.1, "vector": 
"AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.7.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.7.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.7.0:rc1:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:08", "description": "The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion.", "edition": 9, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2016-08-02T16:59:00", "title": "CVE-2016-5403", "type": "cve", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5403"], "modified": "2020-05-14T14:05:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_tus:7.6", "cpe:/o:oracle:linux:6", "cpe:/a:qemu:qemu:2.7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.4", "cpe:/o:redhat:enterprise_linux_server_aus:7.3", "cpe:/o:oracle:vm_server:3.4", "cpe:/a:redhat:openstack:7.0", "cpe:/a:redhat:openstack:9.0", "cpe:/a:redhat:virtualization:3.0", 
"cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/a:redhat:openstack:6.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/a:qemu:qemu:2.6.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.3", "cpe:/o:redhat:enterprise_linux_server_eus:7.7", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:redhat:openstack:5.0", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_tus:7.2", "cpe:/o:redhat:enterprise_linux_server_eus:7.5", "cpe:/a:redhat:openstack:8.0", "cpe:/o:oracle:linux:5", "cpe:/o:redhat:enterprise_linux_server_aus:7.4", "cpe:/o:redhat:enterprise_linux_server_aus:7.6", "cpe:/o:redhat:enterprise_linux_server_tus:7.7", "cpe:/o:redhat:enterprise_linux_server_aus:7.5", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_server_tus:7.3", "cpe:/o:redhat:enterprise_linux_server_aus:7.7", "cpe:/o:redhat:enterprise_linux_server_aus:7.2", "cpe:/o:oracle:linux:7", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.2", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.6", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-5403", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5403", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:vm_server:3.4:*:*:*:*:*:x86:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.5:*:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.7.0:rc0:*:*:*:*:*:*", 
"cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:virtualization:3.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:linux:5:-:*:*:*:*:*:*", "cpe:2.3:o:oracle:linux:6:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.7:*:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.6.0:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:08", "description": "The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, uses an uninitialized variable, which allows local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command.", 
"edition": 7, "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.4, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2016-09-02T14:59:00", "title": "CVE-2016-5105", "type": "cve", "cwe": ["CWE-908"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5105"], "modified": "2020-10-21T20:52:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:qemu:qemu:2.6.2", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-5105", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5105", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:qemu:qemu:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*"]}, {"lastseen": "2021-02-02T06:28:08", "description": "The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest administrators to cause a denial of service (out-of-bounds write 
access) via vectors involving a MegaRAID Firmware Interface (MFI) command.", "edition": 7, "cvss3": {"exploitabilityScore": 1.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.0, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 4.0}, "published": "2016-09-02T14:59:00", "title": "CVE-2016-5106", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5106"], "modified": "2020-10-21T20:49:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:qemu:qemu:2.6.2", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-5106", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5106", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:qemu:qemu:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*"]}, {"lastseen": "2021-02-02T06:28:08", "description": "The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of 
service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer.", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-06-14T14:59:00", "title": "CVE-2016-5338", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5338"], "modified": "2020-10-15T19:07:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:qemu:qemu:2.6.2", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-5338", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5338", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:qemu:qemu:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*"]}], "redhat": [{"lastseen": "2019-08-13T18:44:42", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5126", "CVE-2016-5403"], "description": "KVM 
(Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager.\n\nSecurity Fix(es):\n\n* Quick Emulator(QEMU) built with the Block driver for iSCSI images support (virtio-blk) is vulnerable to a heap-based buffer overflow issue. The flaw could occur while processing iSCSI asynchronous I/O ioctl(2) calls. A user inside a guest could exploit this flaw to crash the QEMU process resulting in denial of service, or potentially leverage it to execute arbitrary code with QEMU-process privileges on the host. (CVE-2016-5126)\n\n* Quick Emulator(QEMU) built with the virtio framework is vulnerable to an unbounded memory allocation issue. It was found that a malicious guest user could submit more requests than the virtqueue size permits. Processing a request allocates a VirtQueueElement results in unbounded memory allocation on the host controlled by the guest. (CVE-2016-5403)\n\nRed Hat would like to thank hongzhenhao (Marvel Team) for reporting CVE-2016-5403.", "modified": "2018-03-19T16:27:29", "published": "2016-08-24T09:03:47", "id": "RHSA-2016:1756", "href": "https://access.redhat.com/errata/RHSA-2016:1756", "type": "redhat", "title": "(RHSA-2016:1756) Moderate: qemu-kvm-rhev security and bug fix update", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-08-13T18:47:14", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5126", "CVE-2016-5403"], "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM.\n\nSecurity Fix(es):\n\n* Quick Emulator(Qemu) built with the Block driver for iSCSI images support (virtio-blk) is vulnerable to a heap buffer overflow issue. 
It could occur while processing iSCSI asynchronous I/O ioctl(2) calls. A user inside guest could use this flaw to crash the Qemu process resulting in DoS or potentially leverage it to execute arbitrary code with privileges of the Qemu process on the host. (CVE-2016-5126)\n\n* Quick emulator(Qemu) built with the virtio framework is vulnerable to an unbounded memory allocation issue. It was found that a malicious guest user could submit more requests than the virtqueue size permits. Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation on the host controlled by the guest. (CVE-2016-5403)\n\nRed Hat would like to thank hongzhenhao (Marvel Team) for reporting CVE-2016-5403.", "modified": "2018-04-12T03:33:27", "published": "2016-08-11T22:27:05", "id": "RHSA-2016:1606", "href": "https://access.redhat.com/errata/RHSA-2016:1606", "type": "redhat", "title": "(RHSA-2016:1606) Moderate: qemu-kvm security update", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-08-13T18:44:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5126", "CVE-2016-5403"], "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager.\n\nSecurity Fix(es):\n\n* Quick Emulator(Qemu) built with the Block driver for iSCSI images support (virtio-blk) is vulnerable to a heap buffer overflow issue. It could occur while processing iSCSI asynchronous I/O ioctl(2) calls. A user inside guest could use this flaw to crash the Qemu process resulting in DoS or potentially leverage it to execute arbitrary code with privileges of the Qemu process on the host. (CVE-2016-5126)\n\n* Quick emulator(Qemu) built with the virtio framework is vulnerable to an unbounded memory allocation issue. 
It was found that a malicious guest user could submit more requests than the virtqueue size permits. Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation on the host controlled by the guest. (CVE-2016-5403)\n\nRed Hat would like to thank hongzhenhao (Marvel Team) for reporting CVE-2016-5403.", "modified": "2018-03-19T16:26:43", "published": "2016-08-23T10:04:54", "id": "RHSA-2016:1655", "href": "https://access.redhat.com/errata/RHSA-2016:1655", "type": "redhat", "title": "(RHSA-2016:1655) Moderate: qemu-kvm-rhev security update", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-08-13T18:46:39", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5126", "CVE-2016-5403"], "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager.\n\nSecurity Fix(es):\n\n* Quick Emulator(Qemu) built with the Block driver for iSCSI images support (virtio-blk) is vulnerable to a heap buffer overflow issue. It could occur while processing iSCSI asynchronous I/O ioctl(2) calls. A user inside guest could use this flaw to crash the Qemu process resulting in DoS or potentially leverage it to execute arbitrary code with privileges of the Qemu process on the host. (CVE-2016-5126)\n\n* Quick emulator(Qemu) built with the virtio framework is vulnerable to an unbounded memory allocation issue. It was found that a malicious guest user could submit more requests than the virtqueue size permits. Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation on the host controlled by the guest. 
(CVE-2016-5403)\n\nRed Hat would like to thank hongzhenhao (Marvel Team) for reporting CVE-2016-5403.", "modified": "2018-03-19T16:27:16", "published": "2016-08-23T10:04:19", "id": "RHSA-2016:1653", "href": "https://access.redhat.com/errata/RHSA-2016:1653", "type": "redhat", "title": "(RHSA-2016:1653) Moderate: qemu-kvm-rhev security update", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-08-13T18:44:48", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5126", "CVE-2016-5403"], "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager.\n\nSecurity Fix(es):\n\n* Quick Emulator(Qemu) built with the Block driver for iSCSI images support (virtio-blk) is vulnerable to a heap buffer overflow issue. It could occur while processing iSCSI asynchronous I/O ioctl(2) calls. A user inside guest could use this flaw to crash the Qemu process resulting in DoS or potentially leverage it to execute arbitrary code with privileges of the Qemu process on the host. (CVE-2016-5126)\n\n* Quick emulator(Qemu) built with the virtio framework is vulnerable to an unbounded memory allocation issue. It was found that a malicious guest user could submit more requests than the virtqueue size permits. Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation on the host controlled by the guest. 
(CVE-2016-5403)\n\nRed Hat would like to thank hongzhenhao (Marvel Team) for reporting CVE-2016-5403.", "modified": "2018-03-19T16:27:06", "published": "2016-08-23T10:04:24", "id": "RHSA-2016:1654", "href": "https://access.redhat.com/errata/RHSA-2016:1654", "type": "redhat", "title": "(RHSA-2016:1654) Moderate: qemu-kvm-rhev security update", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-08-13T18:46:56", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5126", "CVE-2016-5403"], "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager.\n\nSecurity Fix(es):\n\n* Quick Emulator(Qemu) built with the Block driver for iSCSI images support (virtio-blk) is vulnerable to a heap buffer overflow issue. It could occur while processing iSCSI asynchronous I/O ioctl(2) calls. A user inside guest could use this flaw to crash the Qemu process resulting in DoS or potentially leverage it to execute arbitrary code with privileges of the Qemu process on the host. (CVE-2016-5126)\n\n* Quick emulator(Qemu) built with the virtio framework is vulnerable to an unbounded memory allocation issue. It was found that a malicious guest user could submit more requests than the virtqueue size permits. Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation on the host controlled by the guest. 
(CVE-2016-5403)\n\nRed Hat would like to thank hongzhenhao (Marvel Team) for reporting CVE-2016-5403.", "modified": "2018-04-25T23:47:41", "published": "2016-08-12T17:57:24", "id": "RHSA-2016:1607", "href": "https://access.redhat.com/errata/RHSA-2016:1607", "type": "redhat", "title": "(RHSA-2016:1607) Moderate: qemu-kvm-rhev security update", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-08-13T18:45:12", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5126", "CVE-2016-5403"], "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager.\n\nSecurity Fix(es):\n\n* Quick Emulator(QEMU) built with the Block driver for iSCSI images support (virtio-blk) is vulnerable to a heap-based buffer overflow issue. The flaw could occur while processing iSCSI asynchronous I/O ioctl(2) calls. A user inside a guest could exploit this flaw to crash the QEMU process resulting in denial of service, or potentially leverage it to execute arbitrary code with QEMU-process privileges on the host. (CVE-2016-5126)\n\n* Quick Emulator(QEMU) built with the virtio framework is vulnerable to an unbounded memory allocation issue. It was found that a malicious guest user could submit more requests than the virtqueue size permits. Processing a request allocates a VirtQueueElement, resulting in unbounded memory allocation on the host controlled by the guest. 
(CVE-2016-5403)\n\nRed Hat would like to thank hongzhenhao (Marvel Team) for reporting CVE-2016-5403.", "modified": "2018-03-19T16:27:42", "published": "2016-08-24T16:57:06", "id": "RHSA-2016:1763", "href": "https://access.redhat.com/errata/RHSA-2016:1763", "type": "redhat", "title": "(RHSA-2016:1763) Moderate: qemu-kvm-rhev security update", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:28:03", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5403", "CVE-2016-5126"], "description": "**CentOS Errata and Security Advisory** CESA-2016:1606\n\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM.\n\nSecurity Fix(es):\n\n* Quick Emulator(Qemu) built with the Block driver for iSCSI images support (virtio-blk) is vulnerable to a heap buffer overflow issue. It could occur while processing iSCSI asynchronous I/O ioctl(2) calls. A user inside guest could use this flaw to crash the Qemu process resulting in DoS or potentially leverage it to execute arbitrary code with privileges of the Qemu process on the host. (CVE-2016-5126)\n\n* Quick emulator(Qemu) built with the virtio framework is vulnerable to an unbounded memory allocation issue. It was found that a malicious guest user could submit more requests than the virtqueue size permits. Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation on the host controlled by the guest. 
(CVE-2016-5403)\n\nRed Hat would like to thank hongzhenhao (Marvel Team) for reporting CVE-2016-5403.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-August/034075.html\n\n**Affected packages:**\nlibcacard\nlibcacard-devel\nlibcacard-tools\nqemu-img\nqemu-kvm\nqemu-kvm-common\nqemu-kvm-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-1606.html", "edition": 3, "modified": "2016-08-12T11:28:17", "published": "2016-08-12T11:28:17", "href": "http://lists.centos.org/pipermail/centos-announce/2016-August/034075.html", "id": "CESA-2016:1606", "title": "libcacard, qemu security update", "type": "centos", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}], "debian": [{"lastseen": "2020-08-12T00:58:17", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7156", "CVE-2016-5106", "CVE-2016-2392", "CVE-2016-8577", "CVE-2016-9101", "CVE-2016-2858", "CVE-2016-4453", "CVE-2016-5105", "CVE-2016-5338", "CVE-2018-10839", "CVE-2016-6351", "CVE-2016-7161", "CVE-2016-4441", "CVE-2016-7170", "CVE-2016-6834", "CVE-2016-8578", "CVE-2016-2391", "CVE-2016-9103", "CVE-2016-4952", "CVE-2016-8910", "CVE-2018-17963", "CVE-2016-5238", "CVE-2016-4002", "CVE-2017-10664", "CVE-2016-4020", "CVE-2016-8909", "CVE-2016-7421", "CVE-2016-2841", "CVE-2016-5337", "CVE-2016-4001", "CVE-2016-9104", "CVE-2016-4037", "CVE-2016-7116", "CVE-2016-2857", "CVE-2018-17962", "CVE-2016-4439", "CVE-2016-5107", "CVE-2016-2538", "CVE-2016-4454", "CVE-2016-7155", "CVE-2016-9106", "CVE-2016-9102", "CVE-2016-7909", "CVE-2016-9105", "CVE-2016-6888", "CVE-2016-7908", "CVE-2016-6836"], "description": "Package : qemu\nVersion : 1:2.1+dfsg-12+deb8u8\nCVE ID : CVE-2016-2391 CVE-2016-2392 CVE-2016-2538 CVE-2016-2841\n CVE-2016-2857 CVE-2016-2858 CVE-2016-4001 CVE-2016-4002\n CVE-2016-4020 CVE-2016-4037 CVE-2016-4439 CVE-2016-4441\n CVE-2016-4453 CVE-2016-4454 CVE-2016-4952 CVE-2016-5105\n CVE-2016-5106 CVE-2016-5107 CVE-2016-5238 
CVE-2016-5337\n CVE-2016-5338 CVE-2016-6351 CVE-2016-6834 CVE-2016-6836\n CVE-2016-6888 CVE-2016-7116 CVE-2016-7155 CVE-2016-7156\n CVE-2016-7161 CVE-2016-7170 CVE-2016-7421 CVE-2016-7908\n CVE-2016-7909 CVE-2016-8577 CVE-2016-8578 CVE-2016-8909\n CVE-2016-8910 CVE-2016-9101 CVE-2016-9102 CVE-2016-9103\n CVE-2016-9104 CVE-2016-9105 CVE-2016-9106 CVE-2017-10664\n CVE-2018-10839 CVE-2018-17962 CVE-2018-17963\nDebian Bug : 815008 815009 815680 817181 817182 817183 821038 821061\n 821062 822344 824856 825210 825614 825615 825616 826152\n 827024 827026 832621 834902 834905 834944 836502 837174\n 837316 837339 838147 838850 839834 839835 840340 840341\n 841950 841955 842455 866674 910431 911468 911469\n\n\nSeveral vulnerabilities were found in QEMU, a fast processor emulator:\n\nCVE-2016-2391\n\n Zuozhi Fzz discovered that eof_times in USB OHCI emulation support\n could be used to cause a denial of service, via a null pointer\n dereference.\n\nCVE-2016-2392 / CVE-2016-2538\n\n Qinghao Tang found a NULL pointer dereference and multiple integer\n overflows in the USB Net device support that could allow local guest\n OS administrators to cause a denial of service. These issues related\n to remote NDIS control message handling.\n\nCVE-2016-2841\n\n Yang Hongke reported an infinite loop vulnerability in the NE2000 NIC\n emulation support.\n\nCVE-2016-2857\n\n Liu Ling found a flaw in QEMU IP checksum routines. Attackers could\n take advantage of this issue to cause QEMU to crash.\n\nCVE-2016-2858\n\n Arbitrary stack based allocation in the Pseudo Random Number Generator\n (PRNG) back-end support.\n\nCVE-2016-4001 / CVE-2016-4002\n\n Oleksandr Bazhaniuk reported buffer overflows in the Stellaris and the\n MIPSnet ethernet controllers emulation. 
Remote malicious users could\n use these issues to cause QEMU to crash.\n\nCVE-2016-4020\n\n Donghai Zdh reported that QEMU incorrectly handled the access to the\n Task Priority Register (TPR), allowing local guest OS administrators\n to obtain sensitive information from host stack memory.\n\nCVE-2016-4037\n\n Du Shaobo found an infinite loop vulnerability in the USB EHCI\n emulation support.\n\nCVE-2016-4439 / CVE-2016-4441 / CVE-2016-5238 / CVE-2016-5338 / CVE-2016-6351\n\n Li Qiang found different issues in the QEMU 53C9X Fast SCSI Controller\n (FSC) emulation support, that made it possible for local guest OS\n privileged users to cause denials of service or potentially execute\n arbitrary code.\n\nCVE-2016-4453 / CVE-2016-4454\n\n Li Qiang reported issues in the QEMU VMWare VGA module handling, that\n may be used to cause QEMU to crash, or to obtain host sensitive\n information.\n\nCVE-2016-4952 / CVE-2016-7421 / CVE-2016-7156\n\n Li Qiang reported flaws in the VMware paravirtual SCSI bus emulation\n support. These issues concern an out-of-bounds access and infinite\n loops, that allowed local guest OS privileged users to cause a denial\n of service.\n\nCVE-2016-5105 / CVE-2016-5106 / CVE-2016-5107 / CVE-2016-5337\n\n Li Qiang discovered several issues in the MegaRAID SAS 8708EM2 Host\n Bus Adapter emulation support. 
These issues include stack information\n leakage while reading configuration and out-of-bounds write and read.\n\nCVE-2016-6834\n\n Li Qiang reported an infinite loop vulnerability during packet\n fragmentation in the network transport abstraction layer support.\n Local guest OS privileged users could make use of this flaw to cause a\n denial of service.\n\nCVE-2016-6836 / CVE-2016-6888\n\n Li Qiang found issues in the VMWare VMXNET3 network card emulation\n support, relating to information leak and integer overflow in packet\n initialisation.\n\nCVE-2016-7116\n\n Felix Wilhelm discovered a directory traversal flaw in the Plan 9 File\n System (9pfs), exploitable by local guest OS privileged users.\n\nCVE-2016-7155\n\n Tom Victor and Li Qiang reported an out-of-bounds read and an infinite\n loop in the VMware paravirtual SCSI bus emulation support.\n\nCVE-2016-7161\n\n Hu Chaojian reported a heap overflow in the xlnx.xps-ethernetlite\n emulation support. Privileged users in local guest OS could make use\n of this to cause QEMU to crash.\n\nCVE-2016-7170\n\n Qinghao Tang and Li Qiang reported a flaw in the QEMU VMWare VGA\n module, that could be used by privileged user in local guest OS to\n cause QEMU to crash via an out-of-bounds stack memory access.\n\nCVE-2016-7908 / CVE-2016-7909\n\n Li Qiang reported infinite loop vulnerabilities in the ColdFire Fast\n Ethernet Controller and the AMD PC-Net II (Am79C970A) emulations.\n These flaws allowed local guest OS administrators to cause a denial of\n service.\n\nCVE-2016-8909\n\n Huawei PSIRT found an infinite loop vulnerability in the Intel HDA\n emulation support, relating to DMA buffer stream processing.\n Privileged users in local guest OS could make use of this to cause a\n denial of service.\n\nCVE-2016-8910\n\n Andrew Henderson reported an infinite loop in the RTL8139 ethernet\n controller emulation support. 
Privileged users inside a local guest OS\n could make use of this to cause a denial of service.\n\nCVE-2016-9101\n\n Li Qiang reported a memory leakage in the i8255x (PRO100) ethernet\n controller emulation support.\n\nCVE-2016-9102 / CVE-2016-9103 / CVE-2016-9104 / CVE-2016-9105 /\nCVE-2016-9106 / CVE-2016-8577 / CVE-2016-8578\n\n Li Qiang reported various Plan 9 File System (9pfs) security issues,\n including host memory leakage and denial of service.\n\nCVE-2017-10664\n\n Denial of service in the qemu-nbd (QEMU Disk Network Block Device)\n Server.\n\nCVE-2018-10839 / CVE-2018-17962 / CVE-2018-17963\n\n Daniel Shapira reported several integer overflows in the packet\n handling in ethernet controllers emulated by QEMU. These issues could\n lead to denial of service.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n1:2.1+dfsg-12+deb8u8.\n\nWe recommend that you upgrade your qemu packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 6, "modified": "2018-11-30T14:28:56", "published": "2018-11-30T14:28:56", "id": "DEBIAN:DLA-1599-1:F7408", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201811/msg00038.html", "title": "[SECURITY] [DLA 1599-1] qemu security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:37", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5106", "CVE-2016-5105", "CVE-2015-8558", "CVE-2016-3712", "CVE-2016-3710", "CVE-2016-5107"], "description": "- CVE-2015-8558 (denial of service)\n\nAn infinite-loop issue was found in the QEMU emulator built with USB\nEHCI emulation support. 
The flaw occurred during communication between\nthe host controller interface(EHCI) and a respective device driver.\nThese two communicate using an isochronous transfer descriptor\nlist(iTD); an infinite loop unfolded if there was a closed loop in the\nlist. A privileged user inside a guest could use this flaw to consume\nexcessive resources and cause denial of service.\n\n- CVE-2016-3710 (arbitrary code execution)\n\nAn out-of-bounds read/write access flaw was found in the way QEMU's VGA\nemulation with VESA BIOS Extensions (VBE) support performed read/write\noperations using I/O port methods. A privileged guest user could use\nthis flaw to execute arbitrary code on the host with the privileges of\nthe host's QEMU process.\n\n- CVE-2016-3712 (denial of service)\n\nQemu emulator built with the VGA Emulator support is vulnerable to an\ninteger overflow and OOB read access issues. This occurs because Qemu\nallows certain VGA registers to be set while in VBE mode. A privileged\nguest user could use this flaw to crash the Qemu process instance\nresulting in DoS.\n\n- CVE-2016-5105 (information leakage)\n\nQuick Emulator(Qemu) built with the MegaRAID SAS 8708EM2 Host Bus\nAdapter emulation support is vulnerable to an information leakage issue.\nIt could occur while processing MegaRAID Firmware Interface(MFI) command\nto read device configuration in 'megasas_dcmd_cfg_read'. A privileged\nuser inside guest could use this flaw to leak host memory bytes.\n\n- CVE-2016-5106 (denial of service)\n\nQuick Emulator(Qemu) built with the MegaRAID SAS 8708EM2 Host Bus\nAdapter emulation support is vulnerable to an out-of-bounds write access\nissue. 
It could occur while processing MegaRAID Firmware Interface(MFI)\ncommand to set controller properties in 'megasas_dcmd_set_properties'.\nA privileged user inside guest could use this flaw to crash the Qemu\nprocess on the host resulting in DoS.\n\n- CVE-2016-5107 (denial of service)\n\nQuick Emulator(Qemu) built with the MegaRAID SAS 8708EM2 Host Bus\nAdapter emulation support is vulnerable to an out-of-bounds read access\nissue. It could occur while looking up MegaRAID Firmware Interface(MFI)\ncommand frames in 'megasas_lookup_frame' routine. A privileged user\ninside guest could use this flaw to read invalid memory leading to crash\nthe Qemu process on the host.", "modified": "2016-06-08T00:00:00", "published": "2016-06-08T00:00:00", "id": "ASA-201606-8", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-June/000643.html", "type": "archlinux", "title": "qemu: multiple issues", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-02T18:44:41", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5106", "CVE-2016-5105", "CVE-2015-8558", "CVE-2016-3712", "CVE-2016-3710", "CVE-2016-5107"], "description": "- CVE-2015-8558 (denial of service)\n\nAn infinite-loop issue was found in the QEMU emulator built with USB\nEHCI emulation support. The flaw occurred during communication between\nthe host controller interface(EHCI) and a respective device driver.\nThese two communicate using an isochronous transfer descriptor\nlist(iTD); an infinite loop unfolded if there was a closed loop in the\nlist. A privileged user inside a guest could use this flaw to consume\nexcessive resources and cause denial of service.\n\n- CVE-2016-3710 (arbitrary code execution)\n\nAn out-of-bounds read/write access flaw was found in the way QEMU's VGA\nemulation with VESA BIOS Extensions (VBE) support performed read/write\noperations using I/O port methods. 
A privileged guest user could use\nthis flaw to execute arbitrary code on the host with the privileges of\nthe host's QEMU process.\n\n- CVE-2016-3712 (denial of service)\n\nQemu emulator built with the VGA Emulator support is vulnerable to an\ninteger overflow and OOB read access issues. This occurs because Qemu\nallows certain VGA registers to be set while in VBE mode. A privileged\nguest user could use this flaw to crash the Qemu process instance\nresulting in DoS.\n\n- CVE-2016-5105 (information leakage)\n\nQuick Emulator(Qemu) built with the MegaRAID SAS 8708EM2 Host Bus\nAdapter emulation support is vulnerable to an information leakage issue.\nIt could occur while processing MegaRAID Firmware Interface(MFI) command\nto read device configuration in 'megasas_dcmd_cfg_read'. A privileged\nuser inside guest could use this flaw to leak host memory bytes.\n\n- CVE-2016-5106 (denial of service)\n\nQuick Emulator(Qemu) built with the MegaRAID SAS 8708EM2 Host Bus\nAdapter emulation support is vulnerable to an out-of-bounds write access\nissue. It could occur while processing MegaRAID Firmware Interface(MFI)\ncommand to set controller properties in 'megasas_dcmd_set_properties'.\nA privileged user inside guest could use this flaw to crash the Qemu\nprocess on the host resulting in DoS.\n\n- CVE-2016-5107 (denial of service)\n\nQuick Emulator(Qemu) built with the MegaRAID SAS 8708EM2 Host Bus\nAdapter emulation support is vulnerable to an out-of-bounds read access\nissue. It could occur while looking up MegaRAID Firmware Interface(MFI)\ncommand frames in 'megasas_lookup_frame' routine. 
A privileged user\ninside guest could use this flaw to read invalid memory leading to crash\nthe Qemu process on the host.", "modified": "2016-06-08T00:00:00", "published": "2016-06-08T00:00:00", "id": "ASA-201606-9", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-June/000644.html", "type": "archlinux", "title": "qemu-arch-extra: multiple issues", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:38:20", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5403", "CVE-2016-5126", "CVE-2016-3712"], "description": "[1.5.3-105.el7_2.7]\n- kvm-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch [bz#1358996]\n- Resolves: bz#1358996\n (CVE-2016-5126 qemu-kvm: Qemu: block: iscsi: buffer overflow in iscsi_aio_ioctl [rhel-7.2.z])\n[1.5.3-105.el7_2.6]\n- kvm-virtio-error-out-if-guest-exceeds-virtqueue-size.patch [bz#1359728]\n- Resolves: bz#1359728\n (EMBARGOED CVE-2016-5403 qemu-kvm: Qemu: virtio: unbounded memory allocation on host via guest leading to DoS [rhel-7.2.z])\n[1.5.3-105.el7_2.5]\n- kvm-vga-add-sr_vbe-register-set.patch [bz#1347527]\n- Resolves: bz#1347527\n (Regression from CVE-2016-3712: windows installer fails to start)", "edition": 4, "modified": "2016-08-11T00:00:00", "published": "2016-08-11T00:00:00", "id": "ELSA-2016-1606", "href": "http://linux.oracle.com/errata/ELSA-2016-1606.html", "title": "qemu-kvm security update", "type": "oraclelinux", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}]}