Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 386389

Summary: sys-kernel/xen-sources: Denial of Service (CVE-2010-2070)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal CC: xen
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 16:59:34 UTC
CVE-2010-2070 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2070):
  arch/ia64/xen/faults.c in Xen 3.4 and 4.0 in Linux kernel 2.6.18, and
  possibly other kernel versions, when running on IA-64 architectures, allows
  local users to cause a denial of service and "turn on BE by modifying the
  user mask of the PSR," as demonstrated via exploitation of CVE-2006-0742.


Please check if our latest xen-sources is still affected by this.
A possible patch might be http://xenbits.xensource.com/hg/xen-4.0-testing.hg/rev/42caadb14edb .

If possible, please add that patch to our latest 2.6.18 kernel. However, my take is that we probably don't want to do that as xen-sources is obsolete nowadays anyways and Xen-4 should be used with the mainline kernels. What are your plans regarding the deprecation and removal of xen-sources?
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2011-10-09 10:32:27 UTC
You are on track re not wanting to do so, or that it is not warranted.
It is ia64, and xen is only keyworded for x86 and amd64.
The preference in xen herd is indeed to depracate the xen kernels soon
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-09 10:52:18 UTC
Oh ok, I didn't check if it was keyworded on ia64 or not. Thanks for the explanation, this can be closed.