Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 760144 (CVE-2020-28368, CVE-2020-29040, CVE-2020-29479, CVE-2020-29486, CVE-2020-29487, CVE-2020-29566, CVE-2020-29567, CVE-2020-29568, CVE-2020-29569, CVE-2020-29570, CVE-2020-29571)

Summary: <app-emulation/xen-4.13.2-r3: multiple vulnerabilities (XSA-{348..359})
Product: Gentoo Security Reporter: Tomáš Mózes <hydrapolic>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: hydrapolic, proxy-maint, xen
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/18676
https://github.com/gentoo/gentoo/pull/19330
Whiteboard: B1 [glsa+ cve]
Package list:
Runtime testing required: ---

Description Tomáš Mózes 2020-12-16 09:36:31 UTC
Fixes for XSA-{348..359} (except XSA-355, that was fixed before)
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-21 17:49:20 UTC
x86 stable
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-21 18:26:30 UTC
amd64 done

all arches done
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-23 22:39:49 UTC
XSA-348:

A malicious or buggy stubdomain serving a HVM guest can cause Xen to
crash, resulting in a Denial of Service (DoS) to the entire host.

XSA-349:

A malicious guest can trigger an OOM in backends.

XSA-350:

A misbehaving guest can trigger a dom0 crash by continuously
connecting / disconnecting a block frontend. Privileged escalation and
information leak cannot be ruled out.

XSA-351:

An unprivileged guest administrator can sample platform power/energy
data.  This may be used to infer the operations/data used by other
contexts within the system.

The research demonstrates using this sidechannel to leak the AES keys
used elsewhere in the system.

XSA-352:

A malicious guest administrator can cause denial of service, against a
specific guest or against the whole host.

XSA-353:

A guest administrator can deny service to the whole system
simply by deleting the whole of xenstore.

Additionally, depending on other software in use, privilege escalation
may be possible.  With the default "xl" toolstack, a guest
administrator can escalate their privilege to that of the host.

XSA-354:

A buggy or malicious guest can cause unreasonable memory usage in dom0,
resulting in a host denial of service.

XSA-356:

A domain with a passed through PCI device can cause lockup of a
physical CPU, resulting in a Denial of Service (DoS) to the entire
host.

XSA-357:

Seems to be unpublished, got a 404 here: https://xenbits.xenproject.org/xsa/advisory-357.html

XSA-358:

Malicious or buggy guest kernels can mount a Denial of Service (DoS)
attack affecting the entire system.

XSA-359:

Malicious or buggy guest kernels can mount a Denial of Service (DoS)
attack affecting the entire system.


Seems to be a couple vulnerabilities here that will allow escalating into the host, so B1. Please cleanup.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-19 21:36:52 UTC
Ping. Please cleanup
Comment 5 Tomáš Mózes 2021-01-20 09:37:41 UTC
https://github.com/gentoo/gentoo/pull/19128
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-01 23:08:32 UTC
4.13.2-r2 is still vulnerable, right? Seems like cleanup was missed.
Comment 7 Larry the Git Cow gentoo-dev 2021-02-04 22:27:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=307e92ec30fa21aafd600f9788a23d6cb759c357

commit 307e92ec30fa21aafd600f9788a23d6cb759c357
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-02-04 19:08:56 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-02-04 22:23:39 +0000

    app-emulation/xen: drop vulnerable
    
    Bug: https://bugs.gentoo.org/766474
    Bug: https://bugs.gentoo.org/760144
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-emulation/xen/Manifest             |   4 -
 app-emulation/xen/xen-4.13.2-r2.ebuild | 165 ---------------------------------
 app-emulation/xen/xen-4.13.2-r3.ebuild | 165 ---------------------------------
 app-emulation/xen/xen-4.14.0-r7.ebuild | 165 ---------------------------------
 4 files changed, 499 deletions(-)
Comment 8 NATTkA bot gentoo-dev 2021-02-04 22:29:01 UTC
Unable to check for sanity:

> no match for package: app-emulation/xen-4.13.2-r3
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-06 02:51:35 UTC
GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-07-12 02:50:50 UTC
This issue was resolved and addressed in
 GLSA 202107-30 at https://security.gentoo.org/glsa/202107-30
by GLSA coordinator Sam James (sam_c).