Summary: | app-emulation/xen-{4.2.3-r1,4.3.1-r5}: Hypercalls exposed to privilege rings 1 and 2 of HVM guests (XSA-76) (CVE-2013-4554) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Chris Reffett (RETIRED) <creffett>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | major | CC: | idella4, xen
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://www.openwall.com/lists/oss-security/2013/11/26/9 | |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=497084 | |
Whiteboard: | B1 [glsa] | |
Package list: | | Runtime testing required: | ---
Description
Chris Reffett (RETIRED)
2014-01-05 02:31:23 UTC
CVE-2013-4554 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4554): Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2.

*xen-4.3.1-r3 (06 Jan 2014)
*xen-4.3.0-r6 (06 Jan 2014)

06 Jan 2014; Ian Delaney <idella4@gentoo.org>
+files/xen-4.3-CVE-2013-4553-XSA-74.patch,
+files/xen-CVE-2013-4554-XSA-76.patch,
+files/xen-CVE-2013-6400-XSA-80.patch,
+xen-4.3.0-r6.ebuild, +xen-4.3.1-r3.ebuild:
add new sec patches, revbumps, patches prepared by dlan

Maintainers please advise when you are ready for stabilization.

(In reply to Yury German from comment #3)
> Maintainers please advise when you are ready for stabilization.

Well, we're content for stable any time. Told we need to await the 30 days from

*xen-4.3.1-r4 (24 Jan 2014)

Arches, please do so any time from when the 30 days expire.

Fixed as part of Bug 500530. Adding to existing GLSA.

This issue was resolved and addressed in GLSA 201407-03 at http://security.gentoo.org/glsa/glsa-201407-03.xml by GLSA coordinator Mikle Kolyada (Zlogene).
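The privilege check behind the CVE entry above, as an added teaching example that is not Xen's source and not part of this bug report: a hypercall gate that refuses only ring 3 (the flawed model) beside one that admits only ring 0 (the fixed model). The `hvm_vcpu_model` struct, the attribute encoding helper and the gate function names are constructed for illustration.

```c
/* Teaching model of the XSA-76 bug class (constructed, not Xen's source): a
 * hypercall gate that refuses only ring 3 lets ring 1/2 guest code through. */
#include <stdint.h>
#include <stdbool.h>
#include <errno.h>
#include <stdio.h>
/* x86 segment access-rights byte: DPL lives in bits 5-6. The DPL of the
 * guest's current stack segment (SS) equals the CPL of the running code. */
#define SEG_ATTR_DPL(attr) (((attr) >> 5) & 3)
typedef struct {           /* hypothetical stand-in for the real vCPU state */
    uint16_t ss_attr;      /* SS attributes as the hypervisor reads them */
    long rax;              /* hypercall return value handed back to the guest */
} hvm_vcpu_model;

/* Flawed gate (models the pre-fix behaviour the advisory describes): only
 * user mode is refused, so rings 1 and 2 are treated like the guest kernel. */
bool hypercall_gate_flawed(hvm_vcpu_model *v)
{
    if (SEG_ATTR_DPL(v->ss_attr) == 3) { v->rax = -EPERM; return false; }
    return true;
}

/* Hardened gate (models the fix): anything but ring 0 is refused, so only
 * the guest kernel can enter the hypercall dispatcher. */
bool hypercall_gate_fixed(hvm_vcpu_model *v)
{
    if (SEG_ATTR_DPL(v->ss_attr) != 0) { v->rax = -EPERM; return false; }
    return true;
}
/* Constructed SS attribute word: present, writable data segment, given DPL. */
uint16_t make_ss_attr(unsigned dpl)
{
    return (uint16_t)(0x0093 | ((dpl & 3) << 5));
}

/* True if the selected gate admits a hypercall issued from `ring`. */
bool gate_admits(bool use_fixed_gate, unsigned ring)
{
    hvm_vcpu_model v = { .ss_attr = make_ss_attr(ring), .rax = 0 };
    return use_fixed_gate ? hypercall_gate_fixed(&v) : hypercall_gate_flawed(&v);
}

int main(void)
{
    for (unsigned ring = 0; ring < 4; ring++)
        printf("ring %u: flawed gate %s, fixed gate %s\n", ring,
               gate_admits(false, ring) ? "allows" : "denies",
               gate_admits(true, ring) ? "allows" : "denies");
    return 0;
}
```

Running it prints one line per ring; the flawed gate admits rings 0, 1 and 2, while the fixed gate admits ring 0 only.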