Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 500530 (CVE-2014-1896) - <app-emulation/xen-tools-{4.2.3-r1,4.3.1-r5} : libvchan failure handling malicious ring indexesXSA-86) (CVE-2014-1896)
Summary: <app-emulation/xen-tools-{4.2.3-r1,4.3.1-r5} : libvchan failure handling mali...
Alias: CVE-2014-1896
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Blocks: CVE-2013-1442
  Show dependency tree
Reported: 2014-02-06 14:56 UTC by Chris Reffett (RETIRED)
Modified: 2014-07-16 16:46 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Chris Reffett (RETIRED) gentoo-dev Security 2014-02-06 14:56:18 UTC
From ${URL}:


libvchan (a library for inter-domain communication) does not correctly
handle unusual or malicious contents in the xenstore ring.  A
malicious guest can exploit this to cause a libvchan-using facility to
read or write past the end of the ring.


libvchan-using facilities are vulnerable to denial of service and
perhaps privilege escalation.

There are no such services provided in the upstream Xen Project

Patch available at
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2014-02-06 14:57:03 UTC
B1 because of possible priv escalation
Comment 2 Ian Delaney (RETIRED) gentoo-dev 2014-02-08 03:49:55 UTC
does major -> fast track going stable?

how about;

+	>=dev-python/stsci-distutils-0.3[${PYTHON_USEDEP}]
+	>=dev-python/d2to1-0.2.5[${PYTHON_USEDEP}]"

 setup_requires=['d2to1>=0.2.5', 'stsci.distutils>=0.3'],
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2014-02-08 08:17:47 UTC
damn bugzy still needs an 'undo that accidental entry func.'!!, wrong bug/tab; sorry for noise of Comment 2.

the stable xen-tools of xen-4.2.2 seems to have developed a bug with a pair of use flags.  This puts adding this sec. patch to it on hold, however it passes fine in xen-tools-4.3.1.

does major -> fast track going stable? therefore pertains only to the xen-tools-4.3.1-r4

*xen-tools-4.3.1-r4 (08 Feb 2014)

  08 Feb 2014; Ian Delaney <> +files/xen-4-CVE-XSA-86.patch,
  revbump; only to 4.3.1 (for now), add sec. patch XSA-86 patch wrt bug #500530
Comment 4 Yixun Lan archtester gentoo-dev 2014-02-13 08:30:10 UTC
*xen-tools-4.3.1-r5 (13 Feb 2014)
*xen-tools-4.2.2-r7 (13 Feb 2014)
    13 Feb 2014; Yixun Lan <> -xen-tools-4.2.2-r6.ebuild,
    +xen-tools-4.2.2-r7.ebuild, -xen-tools-4.3.1-r4.ebuild,
    +xen-tools-4.3.1-r5.ebuild, +files/xen-tools-4-CVE-2014-1950-XSA-88.patch,
    +files/xen-tools-4.2.2-rt-link.patch, files/xenconsoled.initd:
    fix sec bug #500530, #501080, missing -lrt bug #463840, glib deps bug #500604
Comment 5 Yixun Lan archtester gentoo-dev 2014-02-13 08:45:32 UTC
Arches team please stable following ebuilds

x86, amd64:

amd64 only

see also bug #500528
Comment 6 Yixun Lan archtester gentoo-dev 2014-02-13 15:02:54 UTC
(In reply to Yixun Lan from comment #5)
> Arches team please stable following ebuilds
> x86, amd64:
> app-emulation/xen-tools-4.2.2-r7
> amd64 only
> app-emulation/xen-tools-4.3.1-r5
> see also bug #500528

please do not stable 
we found a few security patches are not included, besides there is new 4.2.3 release we'd like to roll out, plus the missing sec patches.

for app-emulation/xen-tools-4.3.1-r5 still good to go, please stable it, thanks
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-02-14 00:00:34 UTC
Arches, please test and mark stable:


Target Keywords: "amd64

When the ebuild is finished for xen-tools-4.2.X please let us know what version to stable for that one.
Comment 8 Yixun Lan archtester gentoo-dev 2014-02-14 10:20:46 UTC
bump to app-emulation/xen-tools-4.2.3, and this revision should fix following security bugs.

but let's still wait a few time before going for stable (say 1 week), so if everything goes well, this version will be stable candidate, thanks

0001-x86-xsave-initialize-extended-register-state-when-gu.patch	# bug #486354,  CVE-2013-1442 / XSA-62
0002-x86-properly-handle-hvm_copy_from_guest_-phys-virt-e.patch	# bug #486354,	CVE-2013-4355 / XSA-63
0003-x86-properly-set-up-fbld-emulation-operand-address.patch	# bug #486354,	CVE-2013-4361 / XSA-66
0004-x86-check-segment-descriptor-read-result-in-64-bit-O.patch	# bug #486354,	CVE-2013-4368 / XSA-67
0005-libxl-fix-vif-rate-parsing.patch				# bug #486354,	CVE-2013-4369 / XSA-68
0006-tools-ocaml-fix-erroneous-free-of-cpumap-in-stub_xc_.patch	# bug #486354,	CVE-2013-4370 / XSA-69
0007-libxl-fix-out-of-memory-error-handling-in-libxl_list.patch	# bug #486354,	CVE-2013-4371 / XSA-70
0008-tools-xenstored-if-the-reply-is-too-big-then-send-E2.patch	# bug #486354,	CVE-2013-4416 / XSA-72
0009-gnttab-correct-locking-order-reversal.patch		# bug #486354,	CVE-2013-4494 / XSA-73
0010-nested-VMX-VMLANUCH-VMRESUME-emulation-must-check-pe.patch	# bug #486354,	CVE-2013-4551 / XSA-75
0011-VT-d-fix-TLB-flushing-in-dma_pte_clear_one.patch		# bug #486354,	X------------ / XSA-78
0012-x86-restrict-XEN_DOMCTL_getmemlist.patch			# bug #497084,	CVE-2013-4553 / XSA-74
0013-x86-HVM-only-allow-ring-0-guest-code-to-make-hyperca.patch	# bug #497086,	CVE-2013-4554 / XSA-76
0014-x86-AMD-work-around-erratum-793.patch			# bug #486354,	CVE-2013-6885 / XSA-82
0015-x86-eliminate-has_arch_mmios.patch				# bug #xxxxxx,
0016-VMX-disable-EPT-when-cpu_has_vmx_pat.patch			# bug #xxxxxx,	CVE-2013-2212 / XSA-60
0017-VMX-remove-the-problematic-set_uc_mode-logic.patch		# bug #xxxxxx,	CVE-2013-2212 / XSA-60				# bug #xxxxxx,	CVE-2013-2212 / XSA-60
0019-IOMMU-clear-don-t-flush-override-on-error-paths.patch	# bug #497082,	CVE-2013-6400 / XSA-80
0020-x86-PV-don-t-commit-debug-register-values-early-in-a.patch	# bug #xxxxxx,
0021-x86-irq-avoid-use-after-free-on-error-path-in-pirq_g.patch	# bug #499054,  X------------ / XSA-83
0022-x86-PHYSDEVOP_-prepare-release-_msix-are-privileged.patch	# bug #499124,	X------------ / XSA-87
0023-flask-fix-reading-strings-from-guest-memory.patch		# bug #500536,	X------------ / XSA-84
0024-xsm-flask-correct-off-by-one-in-flask_security_avc_c.patch	# bug #500528,	X------------ / XSA-85
0025-libvchan-Fix-handling-of-invalid-ring-buffer-indices.patch	# bug #500530,	X------------ / XSA-86
0026-libxc-Fix-out-of-memory-error-handling-in-xc_cpupool.patch	# bug #501080,	X------------ / XSA-88

# extra patches which not in upstream
0520-xen-qemu-CVE-2013-4375-XSA-71.patch			# bug #486354,  CVE-2013-4375 / XSA-71
Comment 9 Agostino Sarubbo gentoo-dev 2014-02-15 21:18:52 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 Yixun Lan archtester gentoo-dev 2014-02-15 23:30:03 UTC
(In reply to Agostino Sarubbo from comment #9)
> amd64 stable.
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

security, we've only sovled the bugs for 4.3.x serial, but haven't done for 4.2.x.

so, either we should wait or explicitly to tell user bugs are solved only for 4.3.1-r5, but not for 4.2.x.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2014-02-16 19:55:13 UTC
Setting whiteboard to  "stable?" 

Still need to stable version app-emulation/xen-tools-4.2.3

Currently a week long hold for testing.
Will call for stabilization in a few days as per maintainers request.
Comment 12 Yixun Lan archtester gentoo-dev 2014-02-19 03:30:18 UTC
please stable 

also don't forget to stable app-emulation/xen-4.2.3 (see bug #500528)
Comment 13 Agostino Sarubbo gentoo-dev 2014-02-20 10:24:07 UTC
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-02-20 10:24:20 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 19:28:21 UTC
CVE-2014-1896 (
  The (1) do_send and (2) do_recv functions in io.c in libvchan in Xen 4.2.x,
  4.3.x, and 4.4-RC series allows local guests to cause a denial of service or
  possibly gain privileges via crafted xenstore ring indexes, which triggers a
  "read or write past the end of the ring."
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2014-05-21 02:42:16 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-07-16 16:46:43 UTC
This issue was resolved and addressed in
 GLSA 201407-03 at
by GLSA coordinator Mikle Kolyada (Zlogene).