Bugzilla – Bug 939709
VUL-0: CVE-2015-5166: XSA-139: xen: Use after free in QEMU/Xen block unplug protocol
Last modified: 2019-10-22 22:38:43 UTC
bugbot adjusting priority
is public Xen Security Advisory CVE-2015-5166 / XSA-139 version 2 Use after free in QEMU/Xen block unplug protocol UPDATES IN VERSION 2 ==================== CVE assigned. Public release. Updated status of the patches. ISSUE DESCRIPTION ================= When unplugging an emulated block device the device was not fully unplugged, meaning a second unplug attempt would attempt to unplug the device a second time using a previously freed pointer. IMPACT ====== An HVM guest which has access to an emulated IDE disk device may be able to exploit this vulnerability in order to take over the qemu process elevating its privilege to that of the qemu process. VULNERABLE SYSTEMS ================== All Xen systems running x86 HVM guests using the upstream based "qemu-xen" are vulnerable. Systems using the "qemu-xen-traditional" version of the qemu device model, either in a stubdomain or as a domain 0 process, are not vulnerable. Systems running only PV guests are NOT vulnerable. ARM systems are not vulnerable. MITIGATION ========== There is no known mitigation for this issue. CREDITS ======= This issue was discovered by Donghai Zhu of Alibaba. RESOLUTION ========== The attached patches have been proposed as fixes for the issue. However they have not been finalised by upstream. A revised advisory will be issued in the event that the final patches differ from those included here. xsa139-qemuu-unstable.patch qemu-upstream, xen-unstable xsa139-qemuu-4.5.patch qemu-upstream, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa139*.patch dead84667dd4868d0688dc4e62a54a14883e6f0352cf3318b277aa37e27c9261 xsa139-qemuu-unstable.patch 3aa775255053d1d14a3e383998240eb3520aea7de137cdb7624b169db8b06d85 xsa139-qemuu-4.5.patch
SUSE-SU-2015:1384-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 939709,939712 CVE References: CVE-2015-5165,CVE-2015-5166 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): xen-4.4.2_10-22.8.1 SUSE Linux Enterprise Server 12 (src): xen-4.4.2_10-22.8.1 SUSE Linux Enterprise Desktop 12 (src): xen-4.4.2_10-22.8.1
SUSE-SU-2015:1404-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 939709,939712 CVE References: CVE-2015-5165,CVE-2015-5166 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xen-4.4.2_12-23.1 SUSE Linux Enterprise Server 11-SP4 (src): xen-4.4.2_12-23.1 SUSE Linux Enterprise Desktop 11-SP4 (src): xen-4.4.2_12-23.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.2_12-23.1
SUSE-SU-2015:1479-1: An update that fixes 6 vulnerabilities is now available. Category: security (important) Bug References: 922709,932996,935634,938344,939709,939712 CVE References: CVE-2015-2751,CVE-2015-3259,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP3 (src): xen-4.2.5_12-15.1 SUSE Linux Enterprise Server 11-SP3 (src): xen-4.2.5_12-15.1 SUSE Linux Enterprise Desktop 11-SP3 (src): xen-4.2.5_12-15.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): xen-4.2.5_12-15.1
SUSE-SU-2015:1479-2: An update that fixes 6 vulnerabilities is now available. Category: security (important) Bug References: 922709,932996,935634,938344,939709,939712 CVE References: CVE-2015-2751,CVE-2015-3259,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166 Sources used: SUSE Linux Enterprise Desktop 11-SP3 (src): xen-4.2.5_12-15.1
interesting stuff dione
openSUSE-SU-2015:1964-1: An update that solves 12 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 877642,932267,938344,939709,939712,941074,944463,944697,947165,950367,950703,950705,950706,951845 CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972 Sources used: openSUSE 13.1 (src): xen-4.3.4_06-50.1
openSUSE-SU-2015:2003-1: An update that solves 13 vulnerabilities and has 9 fixes is now available. Category: security (important) Bug References: 877642,901488,907514,910258,918984,923967,925466,932267,935634,938344,939709,939712,944463,944697,945167,947165,949138,950367,950703,950705,950706,951845 CVE References: CVE-2014-0222,CVE-2015-3259,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972 Sources used: openSUSE 13.2 (src): xen-4.4.3_02-30.1
was released