Bug 983984 - VUL-0: CVE-2016-5338: xen: qemu: scsi: esp: OOB r/w access while processing ESP_FIFO
VUL-0: CVE-2016-5338: xen: qemu: scsi: esp: OOB r/w access while processing E...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/169923/
CVSSv2:SUSE:CVE-2016-5338:3.5:(AV:L/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-06-09 13:41 UTC by Marcus Meissner
Modified: 2021-01-21 18:29 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-06-09 13:41:17 UTC
code seems to be in all xen versions


+++ This bug was initially created as a clone of Bug #983982 +++

From: P J P <ppandit () redhat com>
Date: Tue, 7 Jun 2016 12:50:04 +0530 (IST)

  Hello,

Quick Emulator(Qemu) built with the ESP/NCR53C9x controller emulation support is vulnerable to an OOB r/w access issue. The controller uses 16-byte FIFO buffer the information transfer. The OOB r/w occurs while reading/writing to this buffer in esp_reg_read() and esp_reg_write() routines.


A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially leverage it to execute arbitrary code with privileges of the Qemu process on the host.


Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01507.html

Reference:
----------
  -> https://bugzilla.redhat.com/show_bug.cgi?id=1343323

This issue was independently discovered and reported by Li Qiang of 360.cn Inc and Security Team at Huawei Inc.



Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F





References:
https://bugzilla.redhat.com/show_bug.cgi?id=1343323
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5338
http://seclists.org/oss-sec/2016/q2/505
Comment 1 Swamp Workflow Management 2016-06-09 22:01:25 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2016-08-17 16:17:03 UTC
SUSE-SU-2016:2093-1: An update that solves 27 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 900418,949889,953339,953362,953518,954872,957986,958848,961600,963161,964427,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,988676,990843,990923
CVE References: CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6259,CVE-2016-6351
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xen-4.5.3_08-17.1
SUSE Linux Enterprise Server 12-SP1 (src):    xen-4.5.3_08-17.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    xen-4.5.3_08-17.1
Comment 4 Swamp Workflow Management 2016-08-18 16:18:56 UTC
SUSE-SU-2016:2100-1: An update that solves 26 vulnerabilities and has 16 fixes is now available.

Category: security (important)
Bug References: 954872,955399,957986,958848,961600,963161,964427,967630,973188,974038,974912,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,985503,986586,988675,989235,990843,990923
CVE References: CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_07-37.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_07-37.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_07-37.1
Comment 5 Swamp Workflow Management 2016-09-29 16:21:13 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-10-06.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63075
Comment 6 Charles Arnold 2016-10-03 17:33:46 UTC
Submitted for,

SLE10-SP3
SLE10-SP4
SLE-11-SP1
SLE-11-SP2
SLE-11-SP3
SLE-11-SP4
SLE-12
SLE-12-SP1
Comment 7 Swamp Workflow Management 2016-10-11 17:16:28 UTC
openSUSE-SU-2016:2494-1: An update that solves 46 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 900418,949889,953339,953362,953518,954872,955104,958848,959330,959552,961100,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,988676,990500,990843,990923,990970,991934,992224,993665,994421,994625,994761,994772,994775,995785,995789,995792
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2015-7512,CVE-2015-8504,CVE-2015-8558,CVE-2015-8568,CVE-2015-8613,CVE-2015-8743,CVE-2016-1714,CVE-2016-1981,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6259,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094
Sources used:
openSUSE Leap 42.1 (src):    xen-4.5.3_10-15.2
Comment 8 Swamp Workflow Management 2016-10-11 17:27:37 UTC
openSUSE-SU-2016:2497-1: An update that solves 38 vulnerabilities and has 20 fixes is now available.

Category: security (important)
Bug References: 953339,953362,953518,954872,955399,958848,961100,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,990843,990923,990970,991934,992224,994421,994625,994761,994772,994775,995785,995789,995792,997731
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094,CVE-2016-7154
Sources used:
openSUSE 13.2 (src):    xen-4.4.4_05-49.1
Comment 9 Swamp Workflow Management 2016-10-13 18:10:26 UTC
SUSE-SU-2016:2528-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 973188,974038,975130,975138,978164,978295,980716,980724,981264,982960,983984,988675,995785,995792
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4439,CVE-2016-4441,CVE-2016-4480,CVE-2016-5238,CVE-2016-5338,CVE-2016-6258,CVE-2016-7092,CVE-2016-7094
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    xen-4.1.6_08-29.1
Comment 10 Swamp Workflow Management 2016-10-13 19:16:45 UTC
SUSE-SU-2016:2533-1: An update that solves 38 vulnerabilities and has 20 fixes is now available.

Category: security (important)
Bug References: 953339,953362,953518,954872,955399,957986,958848,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,990843,990923,990970,991934,992224,994421,994625,994761,994772,994775,995785,995789,995792,997731
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094,CVE-2016-7154
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_04-22.22.2
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_04-22.22.2
Comment 11 Swamp Workflow Management 2016-11-04 14:15:04 UTC
SUSE-SU-2016:2725-1: An update that solves 21 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 954872,961600,963161,973188,973631,974038,975130,975138,976470,978164,978295,978413,980716,980724,981264,982224,982225,982960,983984,985503,988675,990843,990923,995785,995792
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-5238,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-7092,CVE-2016-7094
Sources used:
SUSE OpenStack Cloud 5 (src):    xen-4.2.5_21-27.1
SUSE Manager Proxy 2.1 (src):    xen-4.2.5_21-27.1
SUSE Manager 2.1 (src):    xen-4.2.5_21-27.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-27.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-27.1
Comment 12 Marcus Meissner 2016-12-22 11:57:12 UTC
released