File _patchinfo of Package patchinfo.4684
<patchinfo incident="4684">
<issue id="1028655" tracker="bnc">VUL-0: CVE-2016-9603: xen: Cirrus VGA Heap overflow via display refresh (XSA-211)</issue>
<issue id="1029827" tracker="bnc">Forward port xenstored</issue>
<issue id="1034994" tracker="bnc">VUL-0: CVE-2017-7718: xen: qemu: display: cirrus: OOB read access issue</issue>
<issue id="1036146" tracker="bnc">L3: sles12sp2 xen VM dumps core to wrong path</issue>
<issue id="1022703" tracker="bnc">Xen HVM guest with OVMF hangs with unattached CDRom</issue>
<issue id="1030144" tracker="bnc">VUL-0: xen: xenstore denial of service via repeated update (XSA-206)</issue>
<issue id="1034844" tracker="bnc">VUL-0: EMBARGOED: xen: grant transfer allows PV guest to elevate privileges (XSA-214)</issue>
<issue id="1034843" tracker="bnc">VUL-0: EMBARGOED: xen: x86: 64bit PV guest breakout via pagetable use-after-mode-change (XSA-213)</issue>
<issue id="2016-9603" tracker="cve" />
<issue id="2017-7718" tracker="cve" />
<category>security</category>
<rating>important</rating>
<packager>charlesa</packager>
<description>
This update for xen fixes several issues.
These security issues were fixed:
- A malicious 64-bit PV guest may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks by placing a IRET hypercall in the middle of a multicall batch (XSA-213, bsc#1034843)
- A malicious pair of guests may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks because of a missing check when transfering pages via GNTTABOP_transfer (XSA-214, bsc#1034844).
- CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034994).
- CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028655)
These non-security issues were fixed:
- bsc#1029827: Additional xenstore patch
- bsc#1036146: Xen VM dumped core to wrong path
- bsc#1022703: Prevent Xen HVM guest with OVMF to hang with unattached CDRom
</description>
<summary>Security update for xen</summary>
</patchinfo>