Petr Matousek

**Name of the Vulnerable Software and Affected Versions** Red Hat Enterprise Linux (affected versions not specified) **Description** The issue is related to the Bluetooth stack implementation in the Linux kernel, which allows access to data without type control. This can be exploited by a remote attacker to cause a denial of service or potentially execute arbitrary code on the system. The vulnerability can be triggered by sending a specially crafted L2CAP packet. The threat from this issue is to confidentiality, integrity, and system availability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** linux package versions prior to 3.2.73-2+deb7u3 linux package versions prior to 3.10.0-229.26.2 on Red Hat Enterprise Linux (RHEL) 7.1 **Description** The issue is related to the `pipe read` and `pipe write` implementations in `fs/pipe.c` in certain Linux kernel backports. It allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application. This is due to the improper consideration of side effects from failed ` copy to user inatomic` and ` copy from user inatomic` calls, leading to an "I/O vector array overrun." **Recommendations** For linux package versions prior to 3.2.73-2+deb7u3, update to version 3.2.73-2+deb7u3 or later to resolve the issue. For linux package versions prior to 3.10.0-229.26.2 on Red Hat Enterprise Linux (RHEL) 7.1, update to version 3.10.0-229.26.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.1.6 **Description** The issue is related to the mishandling of IRET faults in processing NMIs that occurred during userspace execution on the x86 64 platform. This might allow local users to gain privileges by triggering an NMI. **Recommendations** For Linux kernel versions prior to 4.1.6, update to version 4.1.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 3.17.2 **Description** The issue arises from a miscalculation in the number of pages by the `kvm iommu map pages` function during the handling of a mapping failure, allowing guest OS users with privileges to cause a denial of service, specifically host OS page unpinning, or potentially have other unspecified impacts. **Recommendations** For Linux kernel versions through 3.17.2, update to a version that includes the correct fix for this issue to prevent potential denial of service or other impacts.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.16 **Description** The issue is related to the pipe read and pipe write implementations in fs/pipe.c, which do not properly handle the side effects of failed copy to user inatomic and copy from user inatomic calls. This can allow local users to cause a denial of service, potentially leading to a system crash, or possibly gain privileges via a crafted application. The problem is described as an "I/O vector array overrun." **Recommendations** For Linux kernel versions prior to 3.16, update to version 3.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the pipe read and pipe write functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QEMU version 1.6.0 **Description** The issue is related to the `vmstate xhci event` in `hw/usb/hcd-xhci.c`, which does not properly terminate the list with the `VMSTATE END OF LIST` macro. This allows attackers to cause a denial of service, including out-of-bounds access, infinite loop, and memory corruption, and possibly gain privileges via unspecified vectors. **Recommendations** For QEMU version 1.6.0, consider updating to a newer version that includes the fix for this issue, as the current version does not properly terminate the list, leading to potential security risks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** A buffer overflow issue exists, allowing remote attackers to cause a denial of service and possibly execute arbitrary code via a negative value in `cpreg vmstate array len` in a savevm image. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue is related to a buffer overflow in the hw/ide/ahci.c file. This can be exploited by remote attackers to cause a denial of service and potentially execute arbitrary code, specifically through vectors related to migrating ports. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** A buffer overflow issue exists in the scoop gpio handler update function. This could potentially allow remote attackers to execute arbitrary code by providing a large value for `prev level`, `gpio level`, or `gpio dir` in a savevm image. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue is related to multiple buffer overflows in the `tsc210x load` function, which might allow remote attackers to execute arbitrary code. This can be achieved by crafting specific values in a savevm image, including `precision`, `nextprecision`, `function`, or `nextfunction`. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** A buffer overflow issue exists, allowing remote attackers to cause a denial of service or possibly execute arbitrary code. This issue is related to vectors involving IRQDest elements in the hw/intc/openpic.c file. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** A buffer overflow issue exists in the pxa2xx ssp load function, located in hw/arm/pxa2xx.c, which can be triggered by a crafted s->rx level value in a savevm image. This can lead to a denial of service or potentially allow remote attackers to execute arbitrary code. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to savevm images to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue is related to a buffer overflow in the hw/ssi/pl022.c file, which can be triggered by remote attackers sending crafted `tx fifo head` and `rx fifo head` values in a savevm image. This can cause a denial of service or potentially allow the execution of arbitrary code. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to savevm images to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue is related to multiple buffer overflows in the `ssd0323 load` function, which can be triggered by crafted values in a savevm image, including `cmd len`, `row`, `col`, `row start`, `row end`, `col start`, and `col end`. This can cause a denial of service due to memory corruption or possibly allow the execution of arbitrary code. **Recommendations** For QEMU versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue allows remote attackers to execute arbitrary code via a crafted `arglen` value in a savevm image. This is related to the `ssi sd transfer` function in `hw/sd/ssi-sd.c`. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Red Hat Enterprise Virtualization (RHEV) version 3.2 **Description** The issue is related to an unquoted Windows search path vulnerability in the SPICE service. This allows local users to gain privileges by using a crafted application in an unspecified folder. **Recommendations** For Red Hat Enterprise Virtualization (RHEV) version 3.2, consider applying configuration changes to the SPICE service to mitigate the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.7.2 **Description** The issue is related to a buffer overflow in the ` nfs4 get acl uncached` function, which can cause a denial of service, resulting in memory corruption and system crash. It may also have other unspecified impacts. This occurs when a local user makes a getxattr system call for the `system.nfs4 acl` extended attribute of a pathname on an NFSv4 filesystem. **Recommendations** For Linux kernel versions prior to 3.7.2, update to version 3.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the ` nfs4 get acl uncached` function or limiting the use of the getxattr system call for the `system.nfs4 acl` extended attribute on NFSv4 filesystems until the update is applied.

**Name of the Vulnerable Software and Affected Versions** libvirt versions 0.10.2.7, 1.0.5.5, and 1.1.1 **Description** The issue arises from the virSecurityManagerSetProcessLabel function in libvirt, which fails to properly set group memberships when the domain has read an uid:gid label. This allows local users to gain privileges. **Recommendations** For libvirt version 0.10.2.7, update to a version that fixes the issue with the virSecurityManagerSetProcessLabel function. For libvirt version 1.0.5.5, update to a version that fixes the issue with the virSecurityManagerSetProcessLabel function. For libvirt version 1.1.1, update to a version that fixes the issue with the virSecurityManagerSetProcessLabel function.

**Name of the Vulnerable Software and Affected Versions** libvirt version 1.1.1 **Description** The issue allows remote authenticated users to cause a denial of service, resulting in memory corruption and crash. This is achieved through vectors involving the `virConnectListDefinedDomains` API function, specifically targeting the `xenDaemonListDefinedDomains` function in `xen/xend internal.c`. **Recommendations** For libvirt version 1.1.1, consider restricting access to the `virConnectListDefinedDomains` API function as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.10.3 **Description** A use-after-free issue in the `vhost net set backend` function allows local users to cause a denial of service, resulting in an OOPS and system crash, via vectors involving powering on a virtual machine. **Recommendations** For versions prior to 3.10.3, update to version 3.10.3 or later to resolve the issue.