- bsc#962321 - VUL-0: CVE-2016-1922: xen: i386: null pointer

dereference in vapic_write()
  CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch
  CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch
- bsc#965112 - VUL-0: CVE-2014-3640: xen: slirp: NULL pointer deref
  in sosendto()
  CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=404

CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch

@@ -0,0 +1,36 @@
+Subject: slirp: udp: fix NULL pointer dereference because of uninitialized socket
+From: Petr Matousek pmatouse@redhat.com Thu Sep 18 08:35:37 2014 +0200
+Date: Tue Sep 23 19:15:05 2014 +0100:
+Git: 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a
+
+When guest sends udp packet with source port and source addr 0,
+uninitialized socket is picked up when looking for matching and already
+created udp sockets, and later passed to sosendto() where NULL pointer
+dereference is hit during so->slirp->vnetwork_mask.s_addr access.
+
+Fix this by checking that the socket is not just a socket stub.
+
+This is CVE-2014-3640.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
+Reported-by: Stephane Duverger <stephane.duverger@eads.net>
+Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/slirp/udp.c
+===================================================================
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/udp.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/slirp/udp.c
+@@ -168,7 +168,7 @@ udp_input(m, iphlen)
+ 	 * Locate pcb for datagram.
+ 	 */
+ 	so = udp_last_so;
+-	if (so->so_lport != uh->uh_sport ||
++	if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
+ 	    so->so_laddr.s_addr != ip->ip_src.s_addr) {
+ 		struct socket *tmp;
+ 

CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch

@@ -0,0 +1,54 @@
+Subject: ATAPI: STARTSTOPUNIT only eject/load media if powercondition is 0
+From: Ronnie Sahlberg ronniesahlberg@gmail.com Tue Jul 31 11:28:26 2012 +1000
+Date: Wed Sep 12 15:50:09 2012 +0200:
+Git: ce560dcf20c14194db5ef3b9fc1ea592d4e68109
+
+The START STOP UNIT command will only eject/load media if
+power condition is zero.
+
+If power condition is !0 then LOEJ and START will be ignored.
+
+From MMC (sbc contains similar wordings too)
+  The Power Conditions field requests the block device to be placed
+  in the power condition defined in
+  Table 558. If this field has a value other than 0h then the Start
+  and LoEj bits shall be ignored.
+
+Signed-off-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+
+From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Wed, 3 Jun 2015 14:17:46 +0200
+Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion
+
+The command must be completed on all code paths. START STOP UNIT with
+pwrcnd set should succeed without doing anything.
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ hw/ide/atapi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
+===================================================================
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
+@@ -2098,9 +2098,16 @@ static void ide_atapi_cmd(IDEState *s)
+         break;
+     case GPCMD_START_STOP_UNIT:
+         {
+-            int start, eject;
++            int start, eject, pwrcnd;
+             start = packet[4] & 1;
+             eject = (packet[4] >> 1) & 1;
++            pwrcnd = buf[4] & 0xf0;
++
++            if (pwrcnd) {
++                /* eject/load only happens for power condition == 0 */
++                ide_atapi_cmd_ok(s);
++                return;
++            }
+ 
+             if (eject && !start) {
+                 /* eject the disk */

CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch

@@ -0,0 +1,31 @@
+References: bsc#944697
+
+From: P J P <address@hidden>
+
+While processing transmit descriptors, it could lead to an infinite
+loop if 'bytes' was to become zero; Add a check to avoid it.
+
+[The guest can force 'bytes' to 0 by setting the hdr_len and mss
+descriptor fields to 0.
+--Stefan]
+
+Signed-off-by: P J P <address@hidden>
+Signed-off-by: Stefan Hajnoczi <address@hidden>
+---
+ hw/net/e1000.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
+===================================================================
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
+@@ -470,7 +470,8 @@ process_tx_desc(E1000State *s, struct e1
+                 memmove(tp->data, tp->header, hdr);
+                 tp->size = hdr;
+             }
+-        } while (split_size -= bytes);
++            split_size -= bytes;
++        } while (bytes && split_size);
+     } else if (!tp->tse && tp->cptse) {
+         // context descriptor TSE is not set, while data descriptor TSE is set
+         DBGOUT(TXERR, "TCP segmentaion Error\n");

CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch

@@ -0,0 +1,61 @@
+References: bsc#962321 CVE-2016-1922
+
+Subject: i386: avoid null pointer dereference
+From: P J P ppandit@redhat.com Fri Dec 18 11:35:07 2015 +0530
+Date: Fri Jan 15 18:58:01 2016 +0100:
+Git: 4c1396cb576c9b14425558b73de1584c7a9735d7
+
+    Hello,
+
+A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
+occurs while doing I/O port write operations via hmp interface. In that,
+'current_cpu' remains null as it is not called from cpu_exec loop, which
+results in the said issue.
+
+Below is a proposed (tested)patch to fix this issue; Does it look okay?
+
+===
+From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 18 Dec 2015 11:16:07 +0530
+Subject: [PATCH] i386: avoid null pointer dereference
+
+When I/O port write operation is called from hmp interface,
+'current_cpu' remains null, as it is not called from cpu_exec()
+loop. This leads to a null pointer dereference in vapic_write
+routine. Add check to avoid it.
+
+Reported-by: Ling Liu <liuling-it@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: P J P <ppandit@redhat.com>
+
+Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c
+===================================================================
+--- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c
++++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c
+@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *
+ static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
+                         unsigned int size)
+ {
+-    CPUState *cs = current_cpu;
+-    X86CPU *cpu = X86_CPU(cs);
+-    CPUX86State *env = &cpu->env;
+-    hwaddr rom_paddr;
+     VAPICROMState *s = opaque;
++    X86CPU *cpu;
++    CPUX86State *env;
++    hwaddr rom_paddr;
++
++    if (!current_cpu) {
++        return;
++    }
+ 
+-    cpu_synchronize_state(cs);
++    cpu_synchronize_state(current_cpu);
++    cpu = X86_CPU(current_cpu);
++    env = &cpu->env;
+ 
+     /*
+      * The VAPIC supports two PIO-based hypercalls, both via port 0x7E.

CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch

@@ -68,11 +68,11 @@ Notes:
  hw/net/e1000.c | 6 ++++--
  1 file changed, 4 insertions(+), 2 deletions(-)
 
-Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
 ===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
-+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
-@@ -537,7 +537,8 @@ start_xmit(E1000State *s)
+@@ -538,7 +538,8 @@ start_xmit(E1000State *s)
           * bogus values to TDT/TDLEN.
           * there's nothing too intelligent we could do about this.
           */
@@ -82,7 +82,7 @@ Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
              DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n",
                     tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]);
              break;
-@@ -727,7 +728,8 @@ e1000_receive(void *opaque, const uint8_
+@@ -728,7 +729,8 @@ e1000_receive(void *opaque, const uint8_
              s->mac_reg[RDH] = 0;
          s->check_rxov = 1;
          /* see comment in start_xmit; same here */

CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch

@@ -0,0 +1,54 @@
+References: bsc#967101 CVE-2016-2391
+
+From d1b07becc481e09225cfe905ec357807ae07f095 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <address@hidden>
+Date: Tue, 16 Feb 2016 15:15:04 +0100
+Subject: [PATCH] ohci timer fix
+
+Signed-off-by: Gerd Hoffmann <address@hidden>
+---
+ hw/usb/hcd-ohci.c | 31 +++++--------------------------
+ 1 file changed, 5 insertions(+), 26 deletions(-)
+
+Index: xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c
+===================================================================
+--- xen-4.5.2-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c
++++ xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c
+@@ -1139,16 +1139,6 @@ static void ohci_frame_boundary(void *op
+  */
+ static int ohci_bus_start(OHCIState *ohci)
+ {
+-    ohci->eof_timer = qemu_new_timer(vm_clock,
+-                    ohci_frame_boundary,
+-                    ohci);
+-
+-    if (ohci->eof_timer == NULL) {
+-        fprintf(stderr, "usb-ohci: %s: qemu_new_timer failed\n", ohci->name);
+-        /* TODO: Signal unrecoverable error */
+-        return 0;
+-    }
+-
+     dprintf("usb-ohci: %s: USB Operational\n", ohci->name);
+ 
+     ohci_sof(ohci);
+@@ -1159,9 +1149,7 @@ static int ohci_bus_start(OHCIState *ohc
+ /* Stop sending SOF tokens on the bus */
+ static void ohci_bus_stop(OHCIState *ohci)
+ {
+-    if (ohci->eof_timer)
+-        qemu_del_timer(ohci->eof_timer);
+-    ohci->eof_timer = NULL;
++     qemu_del_timer(ohci->eof_timer);
+ }
+ 
+ /* Sets a flag in a port status register but only set it if the port is
+@@ -1654,6 +1642,9 @@ static void usb_ohci_init(OHCIState *ohc
+     ohci->async_td = 0;
+     qemu_register_reset(ohci_reset, ohci);
+     ohci_reset(ohci);
++
++    ohci->eof_timer = qemu_new_timer(QEMU_CLOCK_VIRTUAL,
++                                   ohci_frame_boundary, ohci);
+ }
+ 
+ typedef struct {

CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch

@@ -53,7 +53,17 @@ Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ohci.c
      return 0;
  }
  
-@@ -1997,23 +1985,13 @@ static bool ohci_eof_timer_needed(void *
+@@ -1949,6 +1937,9 @@ static void usb_ohci_exit(PCIDevice *dev
+     if (!ohci->masterbus) {
+         usb_bus_release(&s->bus);
+     }
++
++    timer_del(s->eof_timer);
++    timer_free(s->eof_timer);
+ }
+ 
+ #define TYPE_SYSBUS_OHCI "sysbus-ohci"
+@@ -1997,23 +1988,13 @@ static bool ohci_eof_timer_needed(void *
  {
      OHCIState *ohci = opaque;
  

qemu-dm-segfault.patch

@@ -41,7 +41,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
  
      if (ret < 0) {
          ide_atapi_io_error(s, ret);
-@@ -2368,7 +2371,7 @@ static void cdrom_change_cb(void *opaque
+@@ -2375,7 +2378,7 @@ static void cdrom_change_cb(void *opaque
      IDEState *s = opaque;
      uint64_t nb_sectors;
  

xen.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Feb 29 09:40:43 MST 2016 - carnold@suse.com
+
+- bsc#962321 - VUL-0: CVE-2016-1922: xen: i386: null pointer
+  dereference in vapic_write()
+  CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch
+
 -------------------------------------------------------------------
 Wed Feb 24 08:05:02 MST 2016 - carnold@suse.com
 
@@ -20,6 +27,7 @@ Wed Feb 17 08:30:35 MST 2016 - carnold@suse.com
 - bsc#967101 - VUL-0: CVE-2016-2391: xen: usb: multiple eof_timers
   in ohci module leads to null pointer dereference
   CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch
+  CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch
 - bsc#967090 - VUL-0: CVE-2016-2392: xen: usb: null pointer
   dereference in remote NDIS control message handling
   CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch
@@ -84,6 +92,9 @@ Thu Feb  4 09:26:34 MST 2016 - carnold@suse.com
 
 - bsc#965156 - VUL-0: CVE-2015-6855: xen: ide: divide by zero issue
   CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
+- bsc#965112 - VUL-0: CVE-2014-3640: xen: slirp: NULL pointer deref
+  in sosendto()
+  CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch
 
 -------------------------------------------------------------------
 Wed Feb  3 10:47:41 MST 2016 - carnold@suse.com
@@ -450,10 +461,8 @@ Wed Nov  4 10:33:59 MST 2015 - carnold@suse.com
   CVE-2015-5154-qemuu-fix-START-STOP-UNIT-command-completion.patch
   CVE-2015-5154-qemuu-clear-DRQ-after-handling-all-expected-accesses.patch
   CVE-2015-5154-qemut-check-array-bounds-before-writing-to-io_buffer.patch
-  CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch
   CVE-2015-5154-qemut-clear-DRQ-after-handling-all-expected-accesses.patch
   CVE-2015-6815-qemuu-e1000-fix-infinite-loop.patch
-  CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch
   CVE-2015-5239-qemuu-limit-client_cut_text-msg-payload-size.patch
   CVE-2015-5239-qemut-limit-client_cut_text-msg-payload-size.patch"
 

xen.spec

@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
+
 # needssslcertforbuild
 
 Name:           xen
@@ -224,41 +225,46 @@ Patch255:       0005-e1000-multi-buffer-packet-support.patch
 Patch256:       0006-e1000-clear-EOP-for-multi-buffer-descriptors.patch
 Patch257:       0007-e1000-verify-we-have-buffers-upfront.patch
 Patch258:       0008-e1000-check-buffer-availability.patch
-Patch259:       CVE-2015-4037-qemuu-smb-config-dir-name.patch
+Patch259:       CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch
-Patch260:       CVE-2015-4037-qemut-smb-config-dir-name.patch
+Patch260:       CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch
-Patch262:       CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
+Patch261:       CVE-2015-4037-qemuu-smb-config-dir-name.patch
-Patch263:       CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
+Patch262:       CVE-2015-4037-qemut-smb-config-dir-name.patch
-Patch264:       CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
+Patch263:       CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
-Patch265:       CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch
+Patch264:       CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
-Patch266:       CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch
+Patch265:       CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
-Patch267:       CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch
+Patch266:       CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch
-Patch268:       CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch
+Patch267:       CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch
-Patch269:       CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
+Patch268:       CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch
-Patch270:       CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch
+Patch269:       CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch
-Patch271:       CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch
+Patch270:       CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
-Patch272:       CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch
+Patch271:       CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch
-Patch273:       CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch
+Patch272:       CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch
-Patch274:       CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch
+Patch273:       CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch
-Patch275:       CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch
+Patch274:       CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch
-Patch276:       CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch
+Patch275:       CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch
-Patch277:       CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch
+Patch276:       CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch
-Patch278:       CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
+Patch277:       CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch
-Patch279:       CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
+Patch278:       CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch
-Patch280:       CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch
+Patch279:       CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
-Patch281:       CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch
+Patch280:       CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
-Patch282:       CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch
+Patch281:       CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch
-Patch283:       CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch
+Patch282:       CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch
-Patch284:       CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
+Patch283:       CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch
-Patch285:       CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
+Patch284:       CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch
-Patch286:       CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
+Patch285:       CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
-Patch287:       CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
+Patch286:       CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
-Patch288:       CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
+Patch287:       CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
-Patch289:       CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
+Patch288:       CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
-Patch290:       CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
+Patch289:       CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
-Patch291:       CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch
+Patch290:       CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
-Patch292:       CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch
+Patch291:       CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch
-Patch293:       CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch
+Patch292:       CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
-Patch294:       CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
+Patch293:       CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch
+Patch294:       CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch
+Patch295:       CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch
+Patch296:       CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch
+Patch297:       CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
+Patch298:       CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch
 # Our platform specific patches
 Patch321:       xen-destdir.patch
 Patch322:       vif-bridge-no-iptables.patch
@@ -554,6 +560,7 @@ Authors:
 %patch258 -p1
 %patch259 -p1
 %patch260 -p1
+%patch261 -p1
 %patch262 -p1
 %patch263 -p1
 %patch264 -p1
@@ -587,6 +594,10 @@ Authors:
 %patch292 -p1
 %patch293 -p1
 %patch294 -p1
+%patch295 -p1
+%patch296 -p1
+%patch297 -p1
+%patch298 -p1
 # Our platform specific patches
 %patch321 -p1
 %patch322 -p1