Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 464724 (CVE-2013-1920) - <app-emulation/xen-4.2.1-r3 - <app-emulation/xen-tools-4.2.1-r3 - <app-emulation/xen-pvgrub-4.2.1-r2 : Multiple vulnerabilities (CVE-2013-{0153,0215,1917,1918,1919,1920,1922,1952,2072})
Summary: <app-emulation/xen-4.2.1-r3 - <app-emulation/xen-tools-4.2.1-r3 - <app-emulat...
Status: RESOLVED FIXED
Alias: CVE-2013-1920
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: https://secunia.com/advisories/52857/
Whiteboard: B1 [glsa]
Keywords:
: CVE-2013-2072 (view as bug list)
Depends on:
Blocks:
 
Reported: 2013-04-05 12:16 UTC by Agostino Sarubbo
Modified: 2013-09-30 00:29 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-04-05 12:16:15 UTC
From ${URL} :

Description
A vulnerability has been reported in Xen, which can be exploited by malicious, local users in a 
guest virtual machine to gain escalated privileges.

The vulnerability is caused due to an unspecified error when extending the per-domain event channel 
tracking table and can be exploited to dereference already freed memory.

Successful exploitation requires XSM to be enabled (disabled by default).

The vulnerability is reported in versions 3.2 and later.


Solution
Apply workaround or patches (please see the vendor's advisory for more information).

Provided and/or discovered by
Reported by the vendor.

Original Advisory
XSA-47:
http://lists.xen.org/archives/html/xen-announce/2013-04/msg00000.html
Comment 1 Agostino Sarubbo gentoo-dev 2013-04-16 12:41:41 UTC
See also:
Xen Security Advisory 48 (CVE-2013-1922) - qemu-nbd format-guessing due to missing format specification : http://www.openwall.com/lists/oss-security/2013/04/15/3
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-04-19 12:38:22 UTC
CVE-2013-1920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1920):
  Xen 4.2.x, 4.1.x, and earlier, when the hypervisor is running "under memory
  pressure" and the Xen Security Module (XSM) is enabled, uses the wrong
  ordering of operations when extending the per-domain event channel tracking
  table, which causes a use-after-free and allows local guest kernels to
  inject arbitrary events and gain privileges via unspecified vectors.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-19 14:58:00 UTC
Xen / Ian, please verify if these issues affect our packages and provide patched ebuilds. Thanks.

XSA-36 / CVE-2013-0153
XSA-38 / CVE-2013-0215
XSA-44 / CVE-2013-1917
XSA-46 / CVE-2013-1919
XSA-47 / CVE-2013-1920
XSA-48 / CVE-2013-1922
Comment 4 Agostino Sarubbo gentoo-dev 2013-05-03 10:56:55 UTC
XSA 45: http://www.openwall.com/lists/oss-security/2013/05/02/8 CVE-2013-1918
XSA 49: http://www.openwall.com/lists/oss-security/2013/05/02/9 CVE-2013-1952
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-05-09 11:42:06 UTC
CVE-2013-0215 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0215):
  oxenstored in Xen 4.1.x, Xen 4.2.x, and xen-unstable does not properly
  consider the state of the Xenstore ring during read operations, which allows
  guest OS users to cause a denial of service (daemon crash and host-control
  outage, or memory consumption) or obtain sensitive control-plane data by
  leveraging guest administrative access.

CVE-2013-0153 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0153):
  The AMD IOMMU support in Xen 4.2.x, 4.1.x, 3.3, and other versions, when
  using AMD-Vi for PCI passthrough, uses the same interrupt remapping table
  for the host and all guests, which allows guests to cause a denial of
  service by injecting an interrupt into other guests.
Comment 6 Agostino Sarubbo gentoo-dev 2013-05-10 09:19:32 UTC
XSA 51: http://www.openwall.com/lists/oss-security/2013/05/06/5 CVE-2013-2007
Comment 7 Ian Delaney (RETIRED) gentoo-dev 2013-05-15 18:25:50 UTC
from http://lists.xen.org/archives/html/xen-announce/2013-05/msg00002.html

Patches to resolve this problem are available from the upstream qemu
project via the usual channels.  The Xen Project Security Team do not
intend to provide or distribute patches for this vulnerability.

So that's how important it is!

xen-tools # ebuild xen-tools-4.2.2.ebuild clean install

with  CVE-2012-6075-XSA-41.patch \ CVE-2013-1922-XSA-48.patch \ CVE-2013-1952-XSA-49.patch

yields
>>> Completed installing xen-tools-4.2.2 into /mnt/gen2/TmpDir/portage/app-emulation/xen-tools-4.2.2/image/

All other listed security patches pertinent to xen-tools are already coded in xen-tools-4.2.2

ditto 

app-emulation/xen-tools $ ebuild xen-tools-4.2.1-r1.ebuild clean install

with:-
CVE-2012-6075-XSA-41.patch \ CVE-2013-0215-XSA-38.patch \
CVE-2013-1919-XSA-46.patch \ CVE-2013-1922-XSA-48.patch \ 
CVE-2013-1952-XSA_49.patch

-----------------------------------------------------------------
ditto xen-pvgrub

-----------------------------------------------------------------
app-emulation/xen $ ebuild xen-4.2.2.ebuild clean install

with ${PN}-4-CVE-2013-1918-XSA-45_[1-7].patch which are 7 separate patches.

yields
>>> Completed installing xen-4.2.2 into /mnt/gen2/TmpDir/portage/app-emulation/xen-4.2.2/image/

app-emulation/xen $ ebuild xen-4.2.1-r1.ebuild clean install

with:-
CVE-2012-5634-XSA-33.patch \ CVE-2013-0151-XSA-34_35.patch \
CVE-2013-0151-XSA-34_35.patch \ CVE-2013-0154-XSA-37.patch \
CVE-2013-0153-XSA-36.patch \ CVE-2013-1917-XSA-44.patch \
CVE-2013-1920-XSA-47.patch

yields

>>> Completed installing xen-4.2.1-r1 into /mnt/gen2/TmpDir/portage/app-emulation/xen-4.2.1-r1/image/

ditto

app-emulation/xen-pvgrub $ ebuild xen-pvgrub-4.2.1-r1.ebuild clean install
app-emulation/xen-pvgrub $ ebuild xen-pvgrub-4.2.2.ebuild clean install

.................................................................
xen-tools revbumped to 4.2.1-r3 (4.2.1-r2 exists and is masked), bump 4.2.2
xen revbumped to 4.2.1-r3; bump 4.2.2
xen-pvgrub; revbumped to 4.2.1-r2; bump 4.2.2

Should be go to go for testing of all revbumped 4.2.1
Comment 8 Agostino Sarubbo gentoo-dev 2013-05-17 17:46:22 UTC
XSA 56: http://www.openwall.com/lists/oss-security/2013/05/17/2 CVE-2013-2072
Comment 9 Ian Delaney (RETIRED) gentoo-dev 2013-05-17 18:15:11 UTC
aww gee thx ago, do they ever end?
Comment 10 Ian Delaney (RETIRED) gentoo-dev 2013-05-18 17:04:13 UTC
The XSA-56 / CVE-2072 patch pertains to xen-tools. Both xen-tools 4.2.1-r3 and 4.2.2-r1 build and install with addition of xen-4-CVE-2013-2072-XSA-56.patch.

In light of recent outstanding bugs fixed & closed, xen-xen-4.2.1-r3, xen-tools-4.2.1-r3 & xen-pvgrub-4.2.1-r2 ought be good for submission for testing.
Comment 11 Ian Delaney (RETIRED) gentoo-dev 2013-05-19 15:34:15 UTC
Arch teams please test 
xen-4.2.1-r3, 
xen-tools-4.2.1-r3 & 
xen-pvgrub-4.2.1-r2
Comment 12 Agostino Sarubbo gentoo-dev 2013-05-20 10:58:51 UTC
(In reply to comment #11)
> Arch teams please test 
> xen-4.2.1-r3, 
> xen-tools-4.2.1-r3 & 
> xen-pvgrub-4.2.1-r2

I don't see xen-pvgrub-4.2.1-r2 in the tree. You meant the revision 1 or you forgot to add it?
Comment 13 Ian Delaney (RETIRED) gentoo-dev 2013-05-20 14:18:30 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > Arch teams please test 
> > xen-4.2.1-r3, 
> > xen-tools-4.2.1-r3 & 
> > xen-pvgrub-4.2.1-r2
> 
> I don't see xen-pvgrub-4.2.1-r2 in the tree. You meant the revision 1 or you
> forgot to add it?

Seems I had not yet added it, didn't realise.  added now, sorry.
Comment 14 Agostino Sarubbo gentoo-dev 2013-05-23 17:37:39 UTC
amd64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-05-23 17:47:44 UTC
x86 stable
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-08-28 23:52:49 UTC
CVE-2013-1922 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1922):
  qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw disk
  image based on the header, which allows local guest OS administrators to
  read arbitrary files on the host by modifying the header to identify a
  different format, which is used when the guest is restarted, a different
  vulnerability than CVE-2008-2004.

CVE-2013-1919 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1919):
  Xen 4.2.x and 4.1.x does not properly restrict access to IRQs, which allows
  local stub domain clients to gain access to IRQs and cause a denial of
  service via vectors related to "passed-through IRQs or PCI devices."

CVE-2013-1917 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1917):
  Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not clear
  the NT flag when using an IRET after a SYSENTER instruction, which allows PV
  guest users to cause a denial of service (hypervisor crash) by triggering a
  #GP fault, which is not properly handled by another IRET instruction.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-08-28 23:58:20 UTC
CVE-2013-1952 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1952):
  Xen 4.x, when using Intel VT-d for a bus mastering capable PCI device, does
  not properly check the source when accessing a bridge device's interrupt
  remapping table entries for MSI interrupts, which allows local guest domains
  to cause a denial of service (interrupt injection) via unspecified vectors.

CVE-2013-1918 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1918):
  Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier
  are not preemptible, which allows local PV kernels to cause a denial of
  service via vectors related to "deep page table traversal."
Comment 18 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-29 00:53:32 UTC
Added to existing GLSA draft.
Comment 19 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-01 12:52:41 UTC
*** Bug 483226 has been marked as a duplicate of this bug. ***
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2013-09-01 12:53:09 UTC
CVE-2013-2072 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2072):
  Buffer overflow in the Python bindings for the xc_vcpu_setaffinity call in
  Xen 4.0.x, 4.1.x, and 4.2.x allows local administrators with permissions to
  configure VCPU affinity to cause a denial of service (memory corruption and
  xend toolstack crash) and possibly gain privileges via a crafted cpumap.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2013-09-30 00:29:08 UTC
This issue was resolved and addressed in
 GLSA 201309-24 at http://security.gentoo.org/glsa/glsa-201309-24.xml
by GLSA coordinator Chris Reffett (creffett).