Bug 386389

Summary:	sys-kernel/xen-sources: Denial of Service (CVE-2010-2070)
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	normal	CC:	xen
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [noglsa]
Package list:		Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2011-10-08 16:59:34 UTC

CVE-2010-2070 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2070):
  arch/ia64/xen/faults.c in Xen 3.4 and 4.0 in Linux kernel 2.6.18, and
  possibly other kernel versions, when running on IA-64 architectures, allows
  local users to cause a denial of service and "turn on BE by modifying the
  user mask of the PSR," as demonstrated via exploitation of CVE-2006-0742.


Please check if our latest xen-sources is still affected by this.
A possible patch might be http://xenbits.xensource.com/hg/xen-4.0-testing.hg/rev/42caadb14edb .

If possible, please add that patch to our latest 2.6.18 kernel. However, my take is that we probably don't want to do that as xen-sources is obsolete nowadays anyways and Xen-4 should be used with the mainline kernels. What are your plans regarding the deprecation and removal of xen-sources?

Comment 1 Ian Delaney (RETIRED) gentoo-dev

2011-10-09 10:32:27 UTC

You are on track re not wanting to do so, or that it is not warranted.
It is ia64, and xen is only keyworded for x86 and amd64.
The preference in xen herd is indeed to depracate the xen kernels soon

Comment 2 Tobias Heinlein (RETIRED) gentoo-dev

2011-10-09 10:52:18 UTC

Oh ok, I didn't check if it was keyworded on ia64 or not. Thanks for the explanation, this can be closed.