Date: Sun, 28 Feb 2016 00:29:10 +0000 (UTC) From: Jason Unovitch <junovitch@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r409706 - head/security/vuxml Message-ID: <201602280029.u1S0TAbJ099495@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: junovitch Date: Sun Feb 28 00:29:10 2016 New Revision: 409706 URL: https://svnweb.freebsd.org/changeset/ports/409706 Log: Document Xen Security Advisories (XSAs 167, 168, 170) Security: CVE-2016-1570 Security: CVE-2016-1571 Security: CVE-2016-2271 Security: https://vuxml.FreeBSD.org/freebsd/7ed7c36f-ddaf-11e5-b2bd-002590263bf5.html Security: https://vuxml.FreeBSD.org/freebsd/80adc394-ddaf-11e5-b2bd-002590263bf5.html Security: https://vuxml.FreeBSD.org/freebsd/81f9d6a4-ddaf-11e5-b2bd-002590263bf5.html Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun Feb 28 00:25:10 2016 (r409705) +++ head/security/vuxml/vuln.xml Sun Feb 28 00:29:10 2016 (r409706) @@ -58,6 +58,112 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="81f9d6a4-ddaf-11e5-b2bd-002590263bf5"> + <topic>xen-kernel -- VMX: guest user mode may crash guest with non-canonical RIP</topic> + <affects> + <package> + <name>xen-kernel</name> + <range><lt>4.5.2_2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The Xen Project reports:</p> + <blockquote cite="http://xenbits.xen.org/xsa/advisory-170.html">; + <p>VMX refuses attempts to enter a guest with an instruction pointer + which doesn't satisfy certain requirements. In particular, the + instruction pointer needs to be canonical when entering a guest + currently in 64-bit mode. This is the case even if the VM entry + information specifies an exception to be injected immediately (in + which case the bad instruction pointer would possibly never get used + for other than pushing onto the exception handler's stack). + Provided the guest OS allows user mode to map the virtual memory + space immediately below the canonical/non-canonical address + boundary, a non-canonical instruction pointer can result even from + normal user mode execution. VM entry failure, however, is fatal to + the guest.</p> + <p>Malicious HVM guest user mode code may be able to crash the + guest.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-2271</cvename> + <url>http://xenbits.xen.org/xsa/advisory-170.html</url>; + </references> + <dates> + <discovery>2016-02-17</discovery> + <entry>2016-02-28</entry> + </dates> + </vuln> + + <vuln vid="80adc394-ddaf-11e5-b2bd-002590263bf5"> + <topic>xen-kernel -- VMX: intercept issue with INVLPG on non-canonical address</topic> + <affects> + <package> + <name>xen-kernel</name> + <range><ge>3.3</ge><lt>4.5.2_2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The Xen Project reports:</p> + <blockquote cite="http://xenbits.xen.org/xsa/advisory-168.html">; + <p>While INVLPG does not cause a General Protection Fault when used on + a non-canonical address, INVVPID in its "individual address" + variant, which is used to back the intercepted INVLPG in certain + cases, fails in such cases. Failure of INVVPID results in a + hypervisor bug check.</p> + <p>A malicious guest can crash the host, leading to a Denial of + Service.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-1571</cvename> + <url>http://xenbits.xen.org/xsa/advisory-168.html</url>; + </references> + <dates> + <discovery>2016-01-20</discovery> + <entry>2016-02-28</entry> + </dates> + </vuln> + + <vuln vid="7ed7c36f-ddaf-11e5-b2bd-002590263bf5"> + <topic>xen-kernel -- PV superpage functionality missing sanity checks</topic> + <affects> + <package> + <name>xen-kernel</name> + <range><eq>3.4.0</eq></range> + <range><eq>3.4.1</eq></range> + <range><ge>4.1</ge><lt>4.5.2_2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The Xen Project reports:</p> + <blockquote cite="http://xenbits.xen.org/xsa/advisory-167.html">; + <p>The PV superpage functionality lacks certain validity checks on + data being passed to the hypervisor by guests. This is the case + for the page identifier (MFN) passed to MMUEXT_MARK_SUPER and + MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as + well as for various forms of page table updates.</p> + <p>Use of the feature, which is disabled by default, may have unknown + effects, ranging from information leaks through Denial of Service to + privilege escalation.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-1570</cvename> + <url>http://xenbits.xen.org/xsa/advisory-167.html</url>; + </references> + <dates> + <discovery>2016-01-20</discovery> + <entry>2016-02-28</entry> + </dates> + </vuln> + <vuln vid="2d299950-ddb0-11e5-8fa8-14dae9d210b8"> <topic>moodle -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201602280029.u1S0TAbJ099495>