From ${URL} :

            Xen Security Advisory CVE-2015-3456 / XSA-133
                              version 2

          Privilege escalation via emulated floppy disk drive

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The code in qemu which emulates a floppy disk controller did not
correctly bounds check accesses to an array and therefore was
vulnerable to a buffer overflow attack.

IMPACT
======

A guest which has access to an emulated floppy device can exploit this
vulnerability to take over the qemu process, elevating its privilege
to that of the qemu process.

VULNERABLE SYSTEMS
==================

All Xen systems running x86 HVM guests without stubdomains are
vulnerable to this, depending on the specific guest configuration.
The default configuration is vulnerable.

Guests using either the traditional "qemu-xen" or upstream qemu device
models are vulnerable.

Guests using a qemu-dm stubdomain to run the device model are only
vulnerable to takeover of that service domain.

Systems running only x86 PV guests are not vulnerable.

ARM systems are not vulnerable.

MITIGATION
==========

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.

qemu-dm stubdomains are only available with the traditional "qemu-xen"
version.

CREDITS
=======

This issue was discovered by Jason Geffner, Senior Security Researcher
at CrowdStrike.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa133-qemuu.patch          qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
xsa133-qemuu-4.3-4.2.patch  qemu-upstream-unstable, Xen 4.3.x, Xen 4.2.x
xsa133-qemut.patch          qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x,
                            Xen 4.3.x, Xen 4.2.x

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
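The advisory describes the defect only as a missing bounds check on an array indexed during floppy-controller emulation. As an added illustration, and not qemu's code nor the content of the attached patches, the C model below shows the shape of the hardening: a fixed-size data FIFO whose position counter is advanced by guest port writes, with every access forced inside the buffer no matter what the counter holds. The names FD_SECTOR_LEN, data_pos and data_len and the reset-on-completion behaviour are assumptions of the model.

```c
#include <stdint.h>
#include <string.h>

/* Assumed for the model: a 512-byte data FIFO, one sector's worth. */
#define FD_SECTOR_LEN 512

/* Minimal model of an emulated controller's data path (not qemu's struct). */
typedef struct {
    uint8_t  fifo[FD_SECTOR_LEN];
    uint32_t data_pos;   /* bytes transferred so far; guest advances it via port I/O */
    uint32_t data_len;   /* bytes the current command expects */
} fdc_model;

static void fdc_reset_fifo(fdc_model *f)
{
    f->data_pos = 0;
    f->data_len = 0;
}

/* Start a command that will accept 'len' data bytes from the guest. */
static void fdc_begin_command(fdc_model *f, uint32_t len)
{
    f->data_pos = 0;
    f->data_len = len;
}

/* Hardened write path: the index used for the store is reduced modulo the
 * buffer size, so a counter that has run past data_len can never address
 * memory outside fifo[]. Returns the index actually written, for inspection. */
static uint32_t fdc_write_data_bounded(fdc_model *f, uint8_t value)
{
    uint32_t pos = f->data_pos % FD_SECTOR_LEN;   /* force in bounds */
    f->fifo[pos] = value;
    f->data_pos++;
    if (f->data_pos >= f->data_len) {
        /* Command complete: return the FIFO to a known state (model assumption). */
        fdc_reset_fifo(f);
    }
    return pos;
}

/* Drive the model with more guest writes than the command declared, as a
 * misbehaving guest could, and report the highest index touched. */
static uint32_t fdc_max_index_after_writes(uint32_t declared_len, uint32_t writes)
{
    fdc_model f;
    memset(&f, 0, sizeof f);
    fdc_begin_command(&f, declared_len);
    uint32_t max_pos = 0;
    for (uint32_t i = 0; i < writes; i++) {
        uint32_t pos = fdc_write_data_bounded(&f, (uint8_t)i);
        if (pos > max_pos) max_pos = pos;
    }
    return max_pos;
}
```

Whatever the guest does, the store index reported never exceeds FD_SECTOR_LEN - 1, which is the property an audit of such a device model should confirm.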
*** This bug has been marked as a duplicate of bug 549200 ***