Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 420875 (CVE-2012-0217) - <app-emulation/xen-4.2: Multiple vulnerabilities (CVE-2012-{0217,0218,2934,3432,3433})
Summary: <app-emulation/xen-4.2: Multiple vulnerabilities (CVE-2012-{0217,0218,2934,34...
Status: RESOLVED FIXED
Alias: CVE-2012-0217
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major with 2 votes (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/49381/
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-06-12 18:57 UTC by Agostino Sarubbo
Modified: 2013-10-06 15:31 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-06-12 18:57:47 UTC
From secunia security advisory at $URL and from the upstream advisory:

http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html
http://lists.xen.org/archives/html/xen-announce/2012-06/msg00003.html


Description
Two vulnerabilities have been reported in Xen, which can be exploited by malicious, local users in a guest virtual machine to cause a DoS (Denial of Service) and gain escalated privileges.

1) An error when handling certain system calls can be exploited to gain additional privileges.

Successful exploitation of this vulnerability requires a 64-bit PV guest kernel running on a 64-bit hypervisor.

2) An error when handling exceptions does not properly clear a flag, which can be exploited to cause a crash.

Note: This vulnerability does not affect HVM guests.

The vulnerabilities are reported in versions 3.4, 4.0, and 4.1.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-08-11 13:16:23 UTC
CVE-2012-0217 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0217):
  The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as
  used in Citrix XenServer 6.0.2 and earlier and other products; Oracle
  Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before
  20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and
  earlier; and Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold
  and SP1, when running on an Intel processor, incorrectly uses the sysret
  path in cases where a certain address is not a canonical address, which
  allows local users to gain privileges via a crafted application.  NOTE: this
  description clearly does not belong in CVE, because a single entry cannot be
  about independent codebases; however, there was some value in preserving the
  original mapping of the multi-codebase coordinated-disclosure effort to a
  single identifier.
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2012-08-11 13:22:13 UTC
These are now fixed in Xen 4.1.3.

http://lists.xen.org/archives/html/xen-announce/2012-08/msg00001.html

Maintainers, please bump.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-10 20:10:02 UTC
Maintainers: ping

Please bump for this bug and bug 440768.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-12-04 22:05:43 UTC
CVE-2012-3432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3432):
  The handle_mmio function in arch/x86/hvm/io.c in the MMIO operations
  emulator for Xen 3.3 and 4.x, when running an HVM guest, does not properly
  reset certain state information between emulation cycles, which allows local
  guest OS users to cause a denial of service (guest OS crash) via unspecified
  operations on MMIO regions.

CVE-2012-2934 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2934):
  Xen 4.0, and 4.1, when running a 64-bit PV guest on "older" AMD CPUs, does
  not properly protect against a certain AMD processor bug, which allows local
  guest OS users to cause a denial of service (host hang) via sequential
  execution of instructions across a non-canonical boundary, a different
  vulnerability than CVE-2012-0217.

CVE-2012-0218 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0218):
  Xen 3.4, 4.0, and 4.1, when the guest OS has not registered a handler for a
  syscall or sysenter instruction, does not properly clear a flag for
  exception injection when injecting a General Protection Fault, which allows
  local PV guest OS users to cause a denial of service (guest crash) by later
  triggering an exception that would normally be handled within Xen.
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2013-01-23 13:52:23 UTC
well I bumped the xens to 4.2 1st. week of December
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-29 00:23:16 UTC
4.2 stable. Added to GLSA request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-09-30 00:28:59 UTC
This issue was resolved and addressed in
 GLSA 201309-24 at http://security.gentoo.org/glsa/glsa-201309-24.xml
by GLSA coordinator Chris Reffett (creffett).