CVE-2015-2152

Vulnerability Description

Xen 4.5.x and earlier enables certain default backends when emulating a VGA device for an x86 HVM guest qemu even when the configuration disables them, which allows local guest users to obtain access to the VGA console by (1) setting the DISPLAY environment variable, when compiled with SDL support, or connecting to the VNC server on (2) ::1 or (3) 127.0.0.1, when not compiled with SDL support.

CVSS Score

Affected Products

Related Weaknesses (CWE)

References

• http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152483.htmlThird Party Advisory
• http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152588.htmlThird Party Advisory
• http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152776.htmlThird Party Advisory
• http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00014.html
• http://www.securityfocus.com/bid/73068
• http://www.securitytracker.com/id/1031806Third Party AdvisoryVDB Entry
• http://www.securitytracker.com/id/1031919Third Party AdvisoryVDB Entry
• http://xenbits.xen.org/xsa/advisory-119.htmlPatchVendor Advisory
• https://security.gentoo.org/glsa/201504-04
• http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152483.htmlThird Party Advisory
• http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152588.htmlThird Party Advisory
• http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152776.htmlThird Party Advisory
• http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00014.html
• http://www.securityfocus.com/bid/73068
• http://www.securitytracker.com/id/1031806Third Party AdvisoryVDB Entry