Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 513832 - app-emulation/xen: unexpected pitfall in xenaccess API (XSA-99)
Summary: app-emulation/xen: unexpected pitfall in xenaccess API (XSA-99)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2014-06-19 09:44 UTC by Agostino Sarubbo
Modified: 2016-04-05 06:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-06-19 09:44:11 UTC
From ${URL} :

                    Xen Security Advisory XSA-99
                             version 2

                 unexpected pitfall in xenaccess API


Public Release.

Added note regarding CVE.


A test/example program, for exercising the Xen memaccess API, does not
take all necessary precautions against hostile guest behaviour.

As a result, software developers using it as an example or template
might have written and deployed vulnerable code.

See the patch for technical details of the problem.


Deployments of software inspired by, or derived from,
xen.git/tools/tests/xen-access/xen-access.c, may be vulnerable to
privilege escalation by a malicious guest administrator.

xen-access is a test/example program and is not, without modification,
useful in production.  It is not built or installed by default.


Unmodified Xen installations (including installations as provided by
typical Free Software distributions) are not vulnerable.

The following toolstacks/libraries do not use memaccess, so systems
using Xen only via the following are not vulnerable:
    libxl; xl; xend; xm; libvirt

In general, Xen installations which make no use of the Xen memory
access API (xc_mem_access_..., "XENMEM_access_...",

Systems using the Xen hypervisor 4.1 or earlier are not vulnerable.
ARM systems are not vulnerable.  AMD systems are not vulnerable.
Intel x86 systems without EPT are not vulnerable.

Software developers who have based their efforts on xen-access.c may
have constructed vulnerable systems.  Such developers should examine
their software, and communicate with their own downstreams, as

Users of Xen-derived systems, whose vulnerability is not excluded
above, should consult their vendor for information about the
applicability of this vulnerability.


Disabling whatever functionality uses the memaccess API will avoid the


The CVE assignment team at the MITRE CVE Numbering Authority have told
us that type of issue is typically considered site-specific and is not
eligible for a CVE ID:

 The scope of CVE does not include issues where a vulnerable program
 can be present after a customer modifies shipped source code or
 modifies the build process. The primary purpose of this guideline is
 to avoid CVE assignments where, for example, the vulnerability exists
 only when a customer enables experimental code and then recompiles. A
 secondary purpose of this guideline is to avoid CVE assignments for
 example code that wasn't intended to be used as-is.

Software developers who have based production code on xen-access.c
should obtain their own CVE number(s).


This vulnerability was discovered by Ian Campbell of Citrix.


The attached patch repairs the test/example utility provided in the
Xen Project source tree.

To resolve the issue in production software, appropriate changes
will have to be be made by its developers.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-03-12 11:02:52 UTC
Not eligible for a CVE.  Added to an existing GLSA.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-04-05 06:59:57 UTC
This issue was resolved and addressed in
 GLSA 201604-03 at
by GLSA coordinator Yury German (BlueKnight).