From ${URL} :

Description
A vulnerability has been reported in Xen, which can be exploited by malicious, local users in a guest virtual machine to gain escalated privileges. The vulnerability is caused due to an unspecified error when extending the per-domain event channel tracking table and can be exploited to dereference already freed memory. Successful exploitation requires XSM to be enabled (disabled by default). The vulnerability is reported in versions 3.2 and later.

Solution
Apply workaround or patches (please see the vendor's advisory for more information).

Provided and/or discovered by
Reported by the vendor.

Original Advisory
XSA-47: http://lists.xen.org/archives/html/xen-announce/2013-04/msg00000.html
See also: Xen Security Advisory 48 (CVE-2013-1922) - qemu-nbd format-guessing due to missing format specification : http://www.openwall.com/lists/oss-security/2013/04/15/3
CVE-2013-1920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1920): Xen 4.2.x, 4.1.x, and earlier, when the hypervisor is running "under memory pressure" and the Xen Security Module (XSM) is enabled, uses the wrong ordering of operations when extending the per-domain event channel tracking table, which causes a use-after-free and allows local guest kernels to inject arbitrary events and gain privileges via unspecified vectors.
Xen / Ian, please verify if these issues affect our packages and provide patched ebuilds. Thanks.

XSA-36 / CVE-2013-0153
XSA-38 / CVE-2013-0215
XSA-44 / CVE-2013-1917
XSA-46 / CVE-2013-1919
XSA-47 / CVE-2013-1920
XSA-48 / CVE-2013-1922
XSA 45: http://www.openwall.com/lists/oss-security/2013/05/02/8 CVE-2013-1918
XSA 49: http://www.openwall.com/lists/oss-security/2013/05/02/9 CVE-2013-1952
CVE-2013-0215 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0215): oxenstored in Xen 4.1.x, Xen 4.2.x, and xen-unstable does not properly consider the state of the Xenstore ring during read operations, which allows guest OS users to cause a denial of service (daemon crash and host-control outage, or memory consumption) or obtain sensitive control-plane data by leveraging guest administrative access.

CVE-2013-0153 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0153): The AMD IOMMU support in Xen 4.2.x, 4.1.x, 3.3, and other versions, when using AMD-Vi for PCI passthrough, uses the same interrupt remapping table for the host and all guests, which allows guests to cause a denial of service by injecting an interrupt into other guests.
XSA 51: http://www.openwall.com/lists/oss-security/2013/05/06/5 CVE-2013-2007
from http://lists.xen.org/archives/html/xen-announce/2013-05/msg00002.html

  Patches to resolve this problem are available from the upstream qemu project via the usual channels. The Xen Project Security Team do not intend to provide or distribute patches for this vulnerability.

So that's how important it is!

xen-tools
# ebuild xen-tools-4.2.2.ebuild clean install
with
  CVE-2012-6075-XSA-41.patch \
  CVE-2013-1922-XSA-48.patch \
  CVE-2013-1952-XSA-49.patch
yields
>>> Completed installing xen-tools-4.2.2 into /mnt/gen2/TmpDir/portage/app-emulation/xen-tools-4.2.2/image/

All other listed security patches pertinent to xen-tools are already coded in xen-tools-4.2.2

ditto app-emulation/xen-tools
$ ebuild xen-tools-4.2.1-r1.ebuild clean install
with:-
  CVE-2012-6075-XSA-41.patch \
  CVE-2013-0215-XSA-38.patch \
  CVE-2013-1919-XSA-46.patch \
  CVE-2013-1922-XSA-48.patch \
  CVE-2013-1952-XSA_49.patch
-----------------------------------------------------------------
ditto xen-pvgrub
-----------------------------------------------------------------
app-emulation/xen
$ ebuild xen-4.2.2.ebuild clean install
with ${PN}-4-CVE-2013-1918-XSA-45_[1-7].patch which are 7 separate patches.
yields
>>> Completed installing xen-4.2.2 into /mnt/gen2/TmpDir/portage/app-emulation/xen-4.2.2/image/

app-emulation/xen
$ ebuild xen-4.2.1-r1.ebuild clean install
with:-
  CVE-2012-5634-XSA-33.patch \
  CVE-2013-0151-XSA-34_35.patch \
  CVE-2013-0151-XSA-34_35.patch \
  CVE-2013-0154-XSA-37.patch \
  CVE-2013-0153-XSA-36.patch \
  CVE-2013-1917-XSA-44.patch \
  CVE-2013-1920-XSA-47.patch
yields
>>> Completed installing xen-4.2.1-r1 into /mnt/gen2/TmpDir/portage/app-emulation/xen-4.2.1-r1/image/

ditto app-emulation/xen-pvgrub
$ ebuild xen-pvgrub-4.2.1-r1.ebuild clean install

app-emulation/xen-pvgrub
$ ebuild xen-pvgrub-4.2.2.ebuild clean install
xen-tools revbumped to 4.2.1-r3 (4.2.1-r2 exists and is masked), bump 4.2.2
xen revbumped to 4.2.1-r3; bump 4.2.2
xen-pvgrub revbumped to 4.2.1-r2; bump 4.2.2

Should be good to go for testing of all revbumped 4.2.1
XSA 56: http://www.openwall.com/lists/oss-security/2013/05/17/2 CVE-2013-2072
aww gee thx ago, do they ever end?
The XSA-56 / CVE-2013-2072 patch pertains to xen-tools. Both xen-tools 4.2.1-r3 and 4.2.2-r1 build and install with the addition of xen-4-CVE-2013-2072-XSA-56.patch. In light of recent outstanding bugs fixed & closed, xen-4.2.1-r3, xen-tools-4.2.1-r3 & xen-pvgrub-4.2.1-r2 ought to be good for submission for testing.
Arch teams please test xen-4.2.1-r3, xen-tools-4.2.1-r3 & xen-pvgrub-4.2.1-r2
(In reply to comment #11)
> Arch teams please test
> xen-4.2.1-r3,
> xen-tools-4.2.1-r3 &
> xen-pvgrub-4.2.1-r2

I don't see xen-pvgrub-4.2.1-r2 in the tree. Did you mean revision 1, or did you forget to add it?
(In reply to comment #12)
> (In reply to comment #11)
> > Arch teams please test
> > xen-4.2.1-r3,
> > xen-tools-4.2.1-r3 &
> > xen-pvgrub-4.2.1-r2
>
> I don't see xen-pvgrub-4.2.1-r2 in the tree. You meant the revision 1 or you
> forgot to add it?

Seems I had not yet added it, didn't realise. Added now, sorry.
amd64 stable
x86 stable
CVE-2013-1922 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1922): qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw disk image based on the header, which allows local guest OS administrators to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted, a different vulnerability than CVE-2008-2004.

CVE-2013-1919 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1919): Xen 4.2.x and 4.1.x does not properly restrict access to IRQs, which allows local stub domain clients to gain access to IRQs and cause a denial of service via vectors related to "passed-through IRQs or PCI devices."

CVE-2013-1917 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1917): Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not clear the NT flag when using an IRET after a SYSENTER instruction, which allows PV guest users to cause a denial of service (hypervisor crash) by triggering a #GP fault, which is not properly handled by another IRET instruction.
CVE-2013-1952 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1952): Xen 4.x, when using Intel VT-d for a bus mastering capable PCI device, does not properly check the source when accessing a bridge device's interrupt remapping table entries for MSI interrupts, which allows local guest domains to cause a denial of service (interrupt injection) via unspecified vectors.

CVE-2013-1918 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1918): Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to cause a denial of service via vectors related to "deep page table traversal."
Added to existing GLSA draft.
*** Bug 483226 has been marked as a duplicate of this bug. ***
CVE-2013-2072 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2072): Buffer overflow in the Python bindings for the xc_vcpu_setaffinity call in Xen 4.0.x, 4.1.x, and 4.2.x allows local administrators with permissions to configure VCPU affinity to cause a denial of service (memory corruption and xend toolstack crash) and possibly gain privileges via a crafted cpumap.
This issue was resolved and addressed in GLSA 201309-24 at http://security.gentoo.org/glsa/glsa-201309-24.xml by GLSA coordinator Chris Reffett (creffett).