Bug 609120 (XSA-209) - <app-emulation/xen-tools-4.7.1-r8: qemu: display: cirrus_bitblt_cputovideo does not check if memory region is safe (XSA-209,CVE-2017-2620)
Summary: <app-emulation/xen-tools-4.7.1-r8: qemu: display: cirrus_bitblt_cputovideo do...
Status: RESOLVED FIXED
Alias: XSA-209
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://xenbits.xen.org/xsa/advisory-...
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-2620
Reported: 2017-02-12 15:26 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-03-28 03:22 UTC

See Also:
Package list:
=app-emulation/xen-tools-4.7.1-r8
Runtime testing required: ---
stable-bot: sanity-check+


Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-12 15:26:31 UTC

            Xen Security Advisory CVE-2017-2620 / XSA-209
                              version 2

   cirrus_bitblt_cputovideo does not check if memory region is safe

              *** EMBARGOED UNTIL 2017-02-21 12:00 UTC ***

UPDATES IN VERSION 2
====================

Patch xsa209-qemut.patch updated so that it builds.

ISSUE DESCRIPTION
=================

In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
cirrus_bitblt_cputovideo fails to check whether the specified memory
region is safe.

IMPACT
======

A malicious guest administrator can cause an out of bounds memory
write, very likely exploitable as a privilege escalation.

VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability.  The non-default "stdvga" emulated video card is
not vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
in the xl domain configuration) will avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa209-qemuu.patch       qemu-xen, qemu upstream
(no backport yet)        qemu-xen-traditional

$ sha256sum xsa209*
324d392fe8d840b4314537ddc68ab51042a918dde4a3fc26166923856eb47776  xsa209-qemut.patch
011f4a21fdfb40a7189351a0d7348024e5e1f4b5af59ca1cd19aa88dcc9033e9  xsa209-qemuu.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However, deployment of the "stdvga" mitigation (changing the video
card emulation to stdvga) is NOT permitted (except where all the
affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.  This is because this produces a guest-visible
change which will indicate which component contains the vulnerability.

Additionally, distribution of updated software is prohibited (except
to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
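A defender-side check derived from the VULNERABLE SYSTEMS and MITIGATION sections of the advisory, added here as an example and not code from the advisory, Xen or Gentoo: it classifies xl domain configuration files by XSA-209 exposure (HVM guest, cirrus card, qemu in dom0 versus a stub domain). The xl.cfg keys builder/type, vga, stdvga and device_model_stubdomain_override are assumed from xl.cfg; only the vga/stdvga options are named on the page.

```shell
#!/bin/sh
# Added example, not part of the advisory or the Gentoo bug: classify xl
# domain configuration files by XSA-209 exposure using the criteria in the
# VULNERABLE SYSTEMS and MITIGATION sections (HVM + cirrus + qemu in dom0).
# Assumption: xl.cfg keys builder/type, vga, stdvga and
# device_model_stubdomain_override (the last one is not mentioned on the page).

# cfg_value FILE KEY: print KEY's value with quotes, comments and trailing
# blanks stripped; empty output if the key is not set.
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*[\"']\{0,1\}\([^\"'#]*\).*/\1/p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# xsa209_exposure FILE: print one of
#   not-affected  PV guest, or HVM guest without the cirrus card
#   mitigated     HVM guest with cirrus, but device model in a stub domain
#   vulnerable    HVM guest with cirrus and qemu running in dom0
xsa209_exposure() {
    guest_type=$(cfg_value "$1" builder)
    [ -n "$guest_type" ] || guest_type=$(cfg_value "$1" type)
    if [ "$guest_type" != "hvm" ]; then
        echo not-affected; return
    fi
    # stdvga=1 is the older spelling of vga="stdvga"; an unset vga means cirrus.
    vga=$(cfg_value "$1" vga)
    if [ "$(cfg_value "$1" stdvga)" = "1" ] || { [ -n "$vga" ] && [ "$vga" != "cirrus" ]; }; then
        echo not-affected; return
    fi
    if [ "$(cfg_value "$1" device_model_stubdomain_override)" = "1" ]; then
        echo mitigated; return
    fi
    echo vulnerable
}

# Usage (hypothetical file name): sh xsa209-check.sh /etc/xen/*.cfg
# Without arguments, run against a constructed sample config instead.
if [ "$#" -gt 0 ]; then
    for cfg in "$@"; do
        printf '%s: %s\n' "$cfg" "$(xsa209_exposure "$cfg")"
    done
else
    sample=$(mktemp)
    printf 'builder = "hvm"\nname = "sample-hvm"\nvga = "cirrus"\n' > "$sample"
    printf 'constructed sample: %s\n' "$(xsa209_exposure "$sample")"   # vulnerable
    rm -f "$sample"
fi
```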
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-13 02:25:19 UTC
Freeing alias for tracker usage.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-21 12:02:35 UTC
$URL is now public.

@ Maintainer(s): Please proceed!
Comment 3 Yixun Lan archtester gentoo-dev 2017-02-22 09:12:19 UTC
commit 68032806896565d2cdc7338c02092c2ee1a5fc3b
Author: Yixun Lan <dlan@gentoo.org>
Date:   Wed Feb 22 17:07:11 2017 +0800

    app-emulation/xen-tools: fix XSA-209

    cirrus_bitblt_cputovideo does not check if memory region is safe

    Gentoo-Bug: 609120

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

:100644 100644 6a15a234a9... a907077345... M    app-emulation/xen-tools/Manifest
:000000 100644 0000000000... 726e0e7094... A    app-emulation/xen-tools/xen-tools-4.7.1-r7.ebuild
:000000 100644 0000000000... f87e05ba01... A    app-emulation/xen-tools/xen-tools-4.8.0-r3.ebuild
Comment 4 Yixun Lan archtester gentoo-dev 2017-02-22 09:13:24 UTC
Arches, please test and mark stable:

=app-emulation/xen-tools-4.7.1-r7
Target keywords: "amd64 x86"
Comment 5 Yixun Lan archtester gentoo-dev 2017-02-23 04:13:29 UTC
(In reply to Yixun Lan from comment #4)
> Arches, please test and mark stable:
> 
> =app-emulation/xen-tools-4.7.1-r7
> Target keywords: "amd64 x86"

had a problem with 4.7.1-r7: the XSA-209 qemuu.patch actually depends on a previous patch, so also pull that in.

please stable:
 =app-emulation/xen-tools-4.7.1-r8
Target keywords: "amd64 x86"
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-23 15:55:48 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-02-23 16:31:06 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2017-02-24 02:21:28 UTC
Arches and Maintainer(s). Thank you for your work.
New GLSA Request filed.
Maintainer(s), please drop the vulnerable version(s).
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-03-28 03:22:25 UTC
This issue was resolved and addressed in
 GLSA 201703-07 at https://security.gentoo.org/glsa/201703-07
by GLSA coordinator Yury German (BlueKnight).