-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-2151 / XSA-123
                              version 4

         Hypervisor memory corruption due to x86 emulator flaw

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

Instructions with register operands ignore eventual segment overrides
encoded for them. Due to an insufficiently conditional assignment such
a bogus segment override can, however, corrupt a pointer used
subsequently to store the result of the instruction.

IMPACT
======

A malicious guest might be able to read sensitive data relating to
other guests, or to cause denial of service on the host. Arbitrary code
execution, and therefore privilege escalation, cannot be excluded.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

There is no mitigation available for this issue.

CREDITS
=======

This issue was discovered by Felix Wilhelm of ERNW GmbH.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa123.patch                 xen-unstable, Xen 4.5.x, Xen 4.4.x
xsa123-4.3-4.2.patch         Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa123*.patch
e6da3a2c35b50e163b15100ef28a48dca429160104f346fc82be4711fe60f64f  xsa123-4.3-4.2.patch
994cf1487ec5c455fce4877168901e03283f0002062dcff8895a17ca30e010df  xsa123.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJU/tzZAAoJEIP+FMlX6CvZV64IAJOsaNqXoLZQ0sAdfJpE6lnv
KtYzXixzTTrP87cWmkYfkLTcuQdMJKUNe00xRoEP2ES1I2XUC4dy9MrlaTpHOJ27
hZ1OpDkiOOk6B8Scf1PI6pvXZXzpnoQITPRhxUgPawIBrtPW/OP8pdUbTeGsw3MJ
hUjixTBT+Ok2Geq1U/Ki+aNe+lnLOjkuivH2nkZGsWYrRAm7Uypmtn9obQzZ4piB
OGDAsuHSXtOPGgmtztj+NW8PJ+6oURkBi0ITtc12lUwJodQV9OIOsvqD3d+HW6OC
4K1gkSor+coTS6jmoU2YU1UnPBMy4irgmg1XojwWZb+FC7lHQDD24wMSs1LVJ7c=
=E2Oh
-----END PGP SIGNATURE-----