Bug 717446 (CVE-2020-11739, CVE-2020-11740, CVE-2020-11741, CVE-2020-11742, CVE-2020-11743, XSA-313, XSA-314, XSA-316, XSA-318) - <app-emulation/xen-{4.12.2-r2,4.13.0-r3}: Multiple vulnerabilities (CVE-2020-{11739,11740,11741,11742,11743})
Status: RESOLVED FIXED
Alias: CVE-2020-11739, CVE-2020-11740, CVE-2020-11741, CVE-2020-11742, CVE-2020-11743, XSA-313, XSA-314, XSA-316, XSA-318
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+ cve]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2020-04-14 13:52 UTC by Sam James (sec padawan)
Modified: 2020-05-15 14:30 UTC

See Also:
Package list:
app-emulation/xen-4.12.2-r2 amd64
Runtime testing required: ---
nattka: sanity-check+


Description Sam James (sec padawan) 2020-04-14 13:52:22 UTC
1) CVE-2020-11740, CVE-2020-11741 

Impact:
"A malicious guest may be able to access sensitive information
pertaining to other guests.  Guests with "active profiling" enabled
can crash the host (DoS).  Privilege escalation cannot be ruled out."

Advisory: https://lists.xenproject.org/archives/html/xen-announce/2020-04/msg00000.html

2) CVE-2020-11739

Impact:
"A malicious guest may be able to leak memory, or cause a hypervisor crash
resulting in a Denial of Service (DoS). Information leak and privilege
escalation cannot be excluded."

Advisory: https://lists.xenproject.org/archives/html/xen-announce/2020-04/msg00002.html

3) CVE-2020-11743

Impact:
"A buggy or malicious guest can construct its grant table in such a way
that, when a backend domain tries to map a grant, it hits the incorrect
error path.

This will crash a Linux based dom0 or backend domain."

Advisory: https://lists.xenproject.org/archives/html/xen-announce/2020-04/msg00003.html

4)

Impact:
"A buggy or malicious guest can construct its grant table in such a way
that, when a backend domain tries to copy a grant, it hits the incorrect
exit path.

This returns success to the caller without doing anything, which may
cause crashes or other incorrect behaviour."

Advisory: https://lists.xenproject.org/archives/html/xen-announce/2020-04/msg00001.html

---
Please see the linked advisories for detailed information on the vulnerabilities and patches.
Comment 1 Sam James (sec padawan) 2020-04-14 13:53:56 UTC
(In reply to Sam James (sec padawan) from comment #0)
> 4)
> 

This is CVE-2020-11742.

---
@maintainer(s), please create an appropriate ebuild with upstream's patches.
Comment 2 Sam James (sec padawan) 2020-04-14 20:37:19 UTC
[PR: https://github.com/gentoo/gentoo/pull/15343 will be updated soon with the patches.]
Comment 3 Tomáš Mózes 2020-04-15 06:34:13 UTC
(In reply to Sam James (sec padawan) from comment #2)
> [PR: https://github.com/gentoo/gentoo/pull/15343 will be updated soon with
> the patches.]

Done
Comment 4 Larry the Git Cow gentoo-dev 2020-04-15 15:51:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b925c44559bb0a48f9b5c211b00fa2dc6828a2af

commit b925c44559bb0a48f9b5c211b00fa2dc6828a2af
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-04-14 10:44:46 +0000
Commit:     Yixun Lan <dlan@gentoo.org>
CommitDate: 2020-04-15 15:48:15 +0000

    app-emulation/xen: add patches for 4.13
    
    Fix Xen security bugs
      CVE-2020-{11739,11740,11741,11742,11743}
    
    Bug: https://bugs.gentoo.org/717446
    Closes: https://github.com/gentoo/gentoo/pull/15343
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 app-emulation/xen/Manifest             |   1 +
 app-emulation/xen/xen-4.13.0-r3.ebuild | 165 +++++++++++++++++++++++++++++++++
 2 files changed, 166 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf59763275a84bed50e046890ee51fd66de3cb40

commit bf59763275a84bed50e046890ee51fd66de3cb40
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-04-14 10:43:49 +0000
Commit:     Yixun Lan <dlan@gentoo.org>
CommitDate: 2020-04-15 15:48:12 +0000

    app-emulation/xen: add patches for 4.12
    
    Fix Xen security bugs
      CVE-2020-{11739,11740,11741,11742,11743}
    
    Bug: https://bugs.gentoo.org/717446
    Closes: https://github.com/gentoo/gentoo/pull/15343
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 app-emulation/xen/Manifest             |   1 +
 app-emulation/xen/xen-4.12.2-r2.ebuild | 165 +++++++++++++++++++++++++++++++++
 2 files changed, 166 insertions(+)
Comment 5 Sam James (sec padawan) 2020-04-15 16:04:08 UTC
@maintainer(s), please advise if ready for stabilisation, or call yourself. Thanks.
Comment 6 Sam James (sec padawan) 2020-04-20 11:14:47 UTC
ago has let me know that stabilisation is blocked on these:
bug 717700
bug 717698
Comment 7 Sam James (sec padawan) 2020-04-20 12:37:44 UTC
(In reply to Sam James (sec padawan) from comment #6)
> ago has let me know that stabilisation is blocked on these:
> bug 717700
> bug 717698

Changing to "see also" because ago explained they are not formal blockers, but blockers for his process.
Comment 8 Sam James (sec padawan) 2020-04-21 17:54:00 UTC
@ago: your blockers have been fixed, please proceed
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 14:06:13 UTC
amd64 stable
Comment 10 Sam James (sec padawan) 2020-04-22 21:58:03 UTC
@maintainer(s), please cleanup
Comment 11 Larry the Git Cow gentoo-dev 2020-04-30 14:45:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11be7af2a980a01a1cc4b4676209d70a85ae3818

commit 11be7af2a980a01a1cc4b4676209d70a85ae3818
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-04-28 11:57:37 +0000
Commit:     Yixun Lan <dlan@gentoo.org>
CommitDate: 2020-04-30 14:42:44 +0000

    app-emulation/xen: drop vulnerable version
    
    Bug: https://bugs.gentoo.org/717446
    Closes: https://github.com/gentoo/gentoo/pull/15554
    
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 app-emulation/xen/Manifest             |   1 -
 app-emulation/xen/xen-4.12.2-r1.ebuild | 165 ---------------------------------
 2 files changed, 166 deletions(-)
Comment 12 Sam James (sec padawan) 2020-04-30 19:32:00 UTC
Thanks!
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-05-14 22:17:36 UTC
This issue was resolved and addressed in
 GLSA 202005-08 at https://security.gentoo.org/glsa/202005-08
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 14 Tomáš Mózes 2020-05-15 06:27:59 UTC
@Whissi, please change the vulnerable xen-tools version to <app-emulation/xen-tools-4.12.2-r1 (not app-emulation/xen-tools-4.12.2-r2) as we don't have -r2 in the tree. Thanks.
Comment 16 Tomáš Mózes 2020-05-15 14:30:16 UTC
Thanks @Whissi