FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

qemu, xen-tools -- use-after-free in QEMU/Xen block unplug protocol

Affected packages
qemu <= 0.11.1_20
0.12 <= qemu <= 2.3.0_2
qemu-devel <= 0.11.1_20
0.12 <= qemu-devel <= 2.3.0_2
qemu-sbruno < 2.4.50.g20150814
qemu-user-static < 2.4.50.g20150814
xen-tools < 4.5.1

Details

VuXML ID ee99899d-4347-11e5-93ad-002590263bf5
Discovery 2015-08-03
Entry 2015-08-17
Modified 2015-08-19

The Xen Project reports:

When unplugging an emulated block device, the device was not fully unplugged, meaning a second unplug attempt would attempt to unplug the device a second time using a previously freed pointer.

An HVM guest which has access to an emulated IDE disk device may be able to exploit this vulnerability in order to take over the qemu process, elevating its privilege to that of the qemu process.

References

CVE Name CVE-2015-5166
URL http://git.qemu.org/?p=qemu.git;a=commit;h=260425ab405ea76c44dd59744d05176d4f579a52
URL http://xenbits.xen.org/xsa/advisory-139.html