Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 500528 - <app-emulation/xen-{4.2.3,4.3.1-r5}: Off-by-one error in FLASK_AVC_CACHESTAT (XSA-85) (CVE-2014-1895)
Summary: <app-emulation/xen-{4.2.3,4.3.1-r5}: Off-by-one error in FLASK_AVC_CACHESTAT ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2014/q1/263
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-06 14:52 UTC by Chris Reffett (RETIRED)
Modified: 2014-07-16 16:46 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Reffett (RETIRED) gentoo-dev Security 2014-02-06 14:52:41 UTC
From ${URL}:

ISSUE DESCRIPTION
=================

The FLASK_AVC_CACHESTAT hypercall, which provides access to per-cpu
statistics on the Flask security policy, incorrectly validates the
CPU for which statistics are being requested.

IMPACT
======

An attacker can cause the hypervisor to read past the end of an
array. This may result in either a host crash, leading to a denial of
service, or access to a small and static region of hypervisor memory,
leading to an information leak.

Patch available at http://xenbits.xenproject.org/xsa/advisory-85.html
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2014-02-07 09:42:13 UTC
this bug could have / should have been combined with 500536.
They both patch the common file flask_op.c.

*xen-4.3.1-r5 (07 Feb 2014)
*xen-4.2.2-r4 (07 Feb 2014)

  07 Feb 2014; Ian Delaney <idella4@gentoo.org>
  +files/xen-4.3-CVE-2014-263-XSA-84-85.patch, +xen-4.2.2-r4.ebuild,
  +xen-4.3.1-r5.ebuild, -xen-4.2.2-r3.ebuild, -xen-4.3.1-r4.ebuild:
  revbumps; Sec patches XSA 84, 85 added wrt Sec. Bugs #500536, 500528, rm old
Comment 2 Yixun Lan gentoo-dev 2014-02-13 08:44:29 UTC
Arches team please stable following ebuilds

x86, amd64:
app-emulation/xen-4.2.2-r4

amd64 only
app-emulation/xen-4.3.1-r5
Comment 3 Yixun Lan gentoo-dev 2014-02-13 15:04:02 UTC
(In reply to Yixun Lan from comment #2)
> Arches team please stable following ebuilds
> 
> x86, amd64:
> app-emulation/xen-4.2.2-r4
> 
> amd64 only
> app-emulation/xen-4.3.1-r5

please do not stable 
    xen-4.2.2-r4
we found a few security patches are not included, besides there is new 4.2.3 release we'd like to roll out and plus the missing sec patches.

for app-emulation/xen-4.3.1-r5 still good to go, please stable it, thanks

also see bug #500530
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-02-13 23:53:46 UTC
Ok so that we do not call for stabilization on both bugs I am just going to set the dependency on bug 500530 since it has a higher whiteboard priority.
Comment 5 Yixun Lan gentoo-dev 2014-02-14 10:23:16 UTC
bump to xen-4.2.3, see bug #500530 for more info. and if everything goes well this version will be stable candidate for 4.2.x branch. thanks.
Comment 6 Yixun Lan gentoo-dev 2014-02-15 23:20:28 UTC
request to stable app-emulation/xen-4.3.1-r5, for amd64 only, since I've seen xen-tools-4.3.1-r5 already goes stable, and we should really stable them together.

and please do *not* close the bug at the moment, since we still need to handle for version 4.2.x serial (probably 4.2.3, but we will see).
Comment 7 Agostino Sarubbo gentoo-dev 2014-02-16 06:40:27 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2014-02-16 20:00:13 UTC
Setting whiteboard to  "stable?" 

Still need to stable version app-emulation/xen-4.2.x

Please advise when ready to stabilize 4.2.X and what version to stable.
Comment 9 Yixun Lan gentoo-dev 2014-02-19 03:31:16 UTC
please stable 
    app-emulation/xen-4.2.3

also stable app-emulation/xen-tools-4.2.3-r1 (see bug #500530)
Comment 10 Ian Delaney (RETIRED) gentoo-dev 2014-02-19 15:45:44 UTC
To complete the set, please add on the oft' forgotten xen-pvgrub-4.2.3.
This will clear the patch to purge 4.2.2.
Thanks.
Comment 11 Agostino Sarubbo gentoo-dev 2014-02-20 10:25:17 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-02-20 10:25:31 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 19:26:43 UTC
CVE-2014-1895 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1895):
  Off-by-one error in the flask_security_avc_cachestats function in
  xsm/flask/flask_op.c in Xen 4.2.x and 4.3.x, when the maximum number of
  physical CPUs are in use, allows local users to cause a denial of service
  (host crash) or obtain sensitive information from hypervisor memory by
  leveraging a FLASK_AVC_CACHESTAT hypercall, which triggers a buffer
  over-read.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2014-05-21 02:49:33 UTC
Multiple vulnerabilities as part of Xen, Xen-tools reclassifying as B2 (based on vulnerabilities described in Bug 500530).

Adding to existing GLSA
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-07-16 16:46:42 UTC
This issue was resolved and addressed in
 GLSA 201407-03 at http://security.gentoo.org/glsa/glsa-201407-03.xml
by GLSA coordinator Mikle Kolyada (Zlogene).