Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 379241 (CVE-2011-3131) - <app-emulation/xen-3.4.2-r3: IOMMU fault DoS (CVE-2011-3131)
Summary: <app-emulation/xen-3.4.2-r3: IOMMU fault DoS (CVE-2011-3131)
Status: RESOLVED FIXED
Alias: CVE-2011-3131
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://xenbits.xen.org/hg/staging/xen...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 383977 384361
Blocks:
  Show dependency tree
 
Reported: 2011-08-15 10:19 UTC by Agostino Sarubbo
Modified: 2011-10-08 21:22 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-08-15 10:19:36 UTC
Original advisory: http://lists.xensource.com/archives/html/xen-devel/2011-06/msg01106.html

Patch at $URL
Comment 1 Alexey Shvetsov gentoo-dev 2011-09-18 12:15:07 UTC
Fixed in cvs
Comment 2 Alexey Shvetsov gentoo-dev 2011-09-18 12:16:16 UTC
Its fixed in xen-4.1.1-r2
Comment 3 Agostino Sarubbo gentoo-dev 2011-09-18 12:48:23 UTC
Thanks Alexey.

The vulnerability _seems_ affect only 4.x version, so in tree the stable version is 3.x

You want to stabilize 4.1.1-r2 equally?
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-09-18 12:59:31 UTC
(In reply to comment #3)
> Thanks Alexey.
> 
> The vulnerability _seems_ affect only 4.x version, so in tree the stable
> version is 3.x
> 

Based on what?
Reading the 3.x code, it very much looks affected to me.
Also, SUSE has issued and update for this issue in xen-3:
http://support.novell.com/security/cve/CVE-2011-3131.html

> You want to stabilize 4.1.1-r2 equally?

We're not going to do a major version bump for fixing a security issue.
We'll either need proof that this issue does not affect xen-3 (which I doubt), or a revbumped xen-3 package.
Comment 5 Agostino Sarubbo gentoo-dev 2011-09-18 13:06:10 UTC
(In reply to comment #4)
> Based on what?

Secunia advisory says it, but I've not checked manually, is the reason because I sayd "_seems_"
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2011-09-20 07:26:39 UTC
sorted with substantial co-operation from a number of the faithful.
Fixes for xen-3 and xen-4 are done, the former not yet in the tree.
Watch this space..
Comment 7 Ian Delaney (RETIRED) gentoo-dev 2011-09-20 15:31:15 UTC
The fixes are in the tree
Comment 8 Ian Delaney (RETIRED) gentoo-dev 2011-09-21 08:20:04 UTC
Arches, please test & mark stable;

app-emulation/xen-4.1.1-r2,
app-emulation/xen-tools-4.1.1-r5,
app-emulation/xen-pvgrub-4.1.1-r1

target keywords "AMD64 X86".
Comment 9 Agostino Sarubbo gentoo-dev 2011-09-21 09:29:10 UTC
(In reply to comment #8)
> Arches, please test & mark stable;
> 
> app-emulation/xen-4.1.1-r2,
> app-emulation/xen-tools-4.1.1-r5,
> app-emulation/xen-pvgrub-4.1.1-r1
> 
> target keywords "AMD64 X86".

We will wait for fixed version of xen-3
Comment 10 Ian Delaney (RETIRED) gentoo-dev 2011-09-21 17:24:56 UTC
fixed version of xen-3 is in the tree
Comment 11 Ian Delaney (RETIRED) gentoo-dev 2011-09-21 18:22:05 UTC
Arches, please test & mark stable; update to xen-3 ONLY (exclude xen-4)

app-emulation/xen-3.4.2-r2,
app-emulation/xen-tools 3.4.2-r1
Comment 12 Ian Delaney (RETIRED) gentoo-dev 2011-09-21 21:41:55 UTC
re-patched the patch for the 1st step xen-tools.  Needed two adjustments.
Have re-tested.
archtester xen-tools # ebuild xen-tools-3.4.2-r1.ebuild compile
.......................................................
archtester xen-tools # >>> Source compiled.
Please re-try
Comment 13 Ian Delaney (RETIRED) gentoo-dev 2011-09-22 08:34:10 UTC
It appears the xen-tools has an issue with the recently stabled gcc-4.5.3-r1
Comment 14 Ian Delaney (RETIRED) gentoo-dev 2011-09-23 14:47:45 UTC
33977 fixed;

app-emulation/xen-3.4.2-r2,
app-emulation/xen-tools 3.4.2-r2
Comment 15 Tony Vroon gentoo-dev 2011-09-24 20:55:20 UTC
Arches please target:
app-emulation/xen-3.4.2-r2
app-emulation/xen-tools 3.4.2-r3
Comment 16 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-09-25 02:49:02 UTC
(In reply to comment #15)
> Arches please target:
> app-emulation/xen-3.4.2-r2
> app-emulation/xen-tools 3.4.2-r3

More recent versions have been stabilized in bug #360621 . How do we proceed?
Comment 17 Tony Vroon gentoo-dev 2011-09-25 09:32:06 UTC
(In reply to comment #16)
> More recent versions have been stabilized in bug #360621 . How do we proceed?

Stabilise the requested versions in addition to the 4.x versions, then remove yourself from CC.
Comment 18 Tony Vroon gentoo-dev 2011-09-25 11:41:37 UTC
Arches please target:
app-emulation/xen-3.4.2-r3
app-emulation/xen-tools 3.4.2-r3
Comment 19 Agostino Sarubbo gentoo-dev 2011-09-25 13:07:20 UTC
Sorry @all for the extra mailspam.

I'd recommend to remove /.config before tests =)


amd64 ok, the other issues are not a blockers.
Comment 20 Ian Delaney (RETIRED) gentoo-dev 2011-09-25 13:32:18 UTC
ok,
on syncing to current tree versions;

archtester ~ # ls -ld /.config/
ls: cannot access /.config/: No such file or directory

emerge =app-emulation/xen-tools-3.4.2-r3
>>> Emerging (1 of 1) app-emulation/xen-tools-3.4.2-r3
>>> Installing (1 of 1) app-emulation/xen-tools-3.4.2-r3

archtester ~ # emerge =app-emulation/xen-3.4.2-r3
>>> Emerging (3 of 3) app-emulation/xen-3.4.2-r3
>>> Installing (3 of 3) app-emulation/xen-3.4.2-r3
Comment 21 Tony Vroon gentoo-dev 2011-09-25 13:41:16 UTC
+  25 Sep 2011; Tony Vroon <chainsaw@gentoo.org> xen-3.4.2-r3.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #379241.

+  25 Sep 2011; Tony Vroon <chainsaw@gentoo.org> xen-tools-3.4.2-r3.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #379241.

X86 please proceed; the -r3s are GCC 4.5/4.6 capable.
Comment 22 Thomas Kahle (RETIRED) gentoo-dev 2011-09-29 14:20:04 UTC
(In reply to comment #21)
> X86 please proceed; the -r3s are GCC 4.5/4.6 capable.

x86 stable, BUT:

xen-tools-3.4.2-r3 has a missing dependency with USE="doc":
[...]
(/usr/share/texmf-dist/tex/latex/base/ifthen.sty)

! LaTeX Error: File `xcolor.sty' not found.

Type X to quit or <RETURN> to proceed,
or enter new name. (Default extension: sty)

Enter file name: 
! Emergency stop.
<read *> 
         
l.10 \usepackage
                {textcomp}^^M
!  ==> Fatal error occurred, no output PDF file produced!
Comment 23 Agostino Sarubbo gentoo-dev 2011-09-29 14:26:17 UTC
(In reply to comment #22)
> x86 stable, BUT:
> 
> xen-tools-3.4.2-r3 has a missing dependency with USE="doc":

It was already filed and is not a regression, thanks anyway ;)


@security,

Please proceed with glsa voting.
Comment 24 Tim Sammut (RETIRED) gentoo-dev 2011-09-29 18:49:33 UTC
Thanks, folks. GLSA Vote: yes.
Comment 25 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:16:47 UTC
Vote: NO.
Comment 26 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-08 21:22:26 UTC
GLSA vote: NO. Closing noglsa.