CVE-2016-3710

Name	CVE-2016-3710
Description	The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-539-1, DLA-540-1, DLA-571-1, DSA-3573-1
Debian Bugs	823830

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
qemu (PTS)	bullseye	1:5.2+dfsg-11+deb11u3	fixed
	bullseye (security)	1:5.2+dfsg-11+deb11u2	fixed
	bookworm	1:7.2+dfsg-7+deb12u7	fixed
	sid, trixie	1:9.1.1+ds-5	fixed
xen (PTS)	bullseye	4.14.6-1	fixed
	bullseye (security)	4.14.5+94-ge49571868d-1	fixed
	bookworm	4.17.3+10-g091466ba55-1~deb12u1	fixed
	sid, trixie	4.17.3+36-g54dacb5c02-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
qemu	source	wheezy	1.1.2+dfsg-6a+deb7u13	DLA-540-1
qemu	source	jessie	1:2.1+dfsg-12+deb8u6	DSA-3573-1
qemu	source	(unstable)	1:2.6+dfsg-1		823830
qemu-kvm	source	wheezy	1.1.2+dfsg-6+deb7u13	DLA-539-1
qemu-kvm	source	(unstable)	(unfixed)
xen	source	wheezy	4.1.6.lts1-1	DLA-571-1
xen	source	(unstable)	4.4.0-1

Notes

[wheezy] - xen <no-dsa> (default configuration not vulnerable)
Xen switched to qemu-system in 4.4.0-1
http://xenbits.xen.org/xsa/advisory-179.html
mitigation: run HVM in stubdomains, PV, default video card not vulnerable, i386-only