Summary: | <app-emulation/xen-tools-{4.2.5-r3,4.3.3-r5,4.4.1-r7,4.5.0-r2}: HVM qemu unexpectedly enabling emulated VGA graphics backends (XSA-119) (CVE-2015-2152) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Yixun Lan <dlan> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | xen |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://xenbits.xen.org/xsa/advisory-119.html | ||
Whiteboard: | B4 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Yixun Lan
2015-03-14 13:11:38 UTC
+*xen-tools-4.5.0-r2 (14 Mar 2015) +*xen-tools-4.4.1-r7 (14 Mar 2015) +*xen-tools-4.3.3-r5 (14 Mar 2015) +*xen-tools-4.2.5-r3 (14 Mar 2015) + + 14 Mar 2015; Yixun Lan <dlan@gentoo.org> -xen-tools-4.2.5-r1.ebuild, + +xen-tools-4.2.5-r3.ebuild, -xen-tools-4.3.3-r1.ebuild, + -xen-tools-4.3.3-r3.ebuild, -xen-tools-4.3.3-r4.ebuild, + +xen-tools-4.3.3-r5.ebuild, -xen-tools-4.4.1-r3.ebuild, + +xen-tools-4.4.1-r7.ebuild, -xen-tools-4.5.0-r1.ebuild, + +xen-tools-4.5.0-r2.ebuild: + security bump, fix XSA-119 Arches, please test and mark stable: =app-emulation/xen-tools-4.2.5-r3 Target keywords Both : "amd64 x86" =app-emulation/xen-tools-4.4.1-r7 Target keywords Only: "amd64" amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please vote. Arches, Thank you for your work. First Vote: Yes Added to existing GLSA request CVE-2015-2152 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2152): Xen 4.5.x and earlier enables certain default backends when emulating a VGA device for an x86 HVM guest qemu even when the configuration disables them, which allows local guest users to obtain access to the VGA console by (1) setting the DISPLAY environment variable, when compiled with SDL support, or connecting to the VNC server on (2) ::1 or (3) 127.0.0.1, when not compiled with SDL support. Maintainer(s), Thank you for you for cleanup. This issue was resolved and addressed in GLSA 201504-04 at https://security.gentoo.org/glsa/201504-04 by GLSA coordinator Yury German (BlueKnight). |