Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 542266 (CVE-2015-2044) - <app-emulation/xen-{4.2.5-r6,4.4.1-r8}: Multiple vulnerabilities (XSA-{121,122}) (CVE-2015-{2044,2045})
Summary: <app-emulation/xen-{4.2.5-r6,4.4.1-r8}: Multiple vulnerabilities (XSA-{121,12...
Status: RESOLVED FIXED
Alias: CVE-2015-2044
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-05 15:44 UTC by Agostino Sarubbo
Modified: 2015-04-11 20:38 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-03-05 15:44:33 UTC
From http://www.openwall.com/lists/oss-security/2015/03/05/4:

           Xen Security Advisory CVE-2015-2044 / XSA-121
                              version 3

       Information leak via internal x86 system device emulation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Emulation routines in the hypervisor dealing with certain system
devices check whether the access size by the guest is a supported one.
When the access size is unsupported these routines failed to set the
data to be returned to the guest for read accesses, so that hypervisor
stack contents are copied into the destination of the operation, thus
becoming visible to the guest.

IMPACT
======

A malicious HVM guest might be able to read sensitive data relating
to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

Only HVM guests can take advantage of this vulnerability.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa121.patch        xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x



From http://www.openwall.com/lists/oss-security/2015/03/05/5:

            Xen Security Advisory CVE-2015-2045 / XSA-122
                              version 3

         Information leak through version information hypercall

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The code handling certain sub-operations of the HYPERVISOR_xen_version
hypercall fails to fully initialize all fields of structures
subsequently copied back to guest memory. Due to this hypervisor stack
contents are copied into the destination of the operation, thus
becoming visible to the guest.

IMPACT
======

A malicious guest might be able to read sensitive data relating to
other guests.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

MITIGATION
==========

There is no mitigation available for this issue.

CREDITS
=======

This issue was discovered by Aaron Adams of NCC Group.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa122.patch        xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yixun Lan gentoo-dev 2015-03-10 02:12:33 UTC
+*xen-4.5.0-r2 (10 Mar 2015)
+*xen-4.4.1-r7 (10 Mar 2015)
+*xen-4.3.3-r6 (10 Mar 2015)
+*xen-4.2.5-r5 (10 Mar 2015)
+
+  10 Mar 2015; Yixun Lan <dlan@gentoo.org> +xen-4.2.5-r5.ebuild,
+  +xen-4.3.3-r6.ebuild, +xen-4.4.1-r7.ebuild, -xen-4.5.0-r1.ebuild,
+  +xen-4.5.0-r2.ebuild:
+  security bump, bug 542266, XSA-121,122
Comment 3 Yixun Lan gentoo-dev 2015-03-12 09:37:46 UTC
+*xen-4.5.0-r3 (12 Mar 2015)
+*xen-4.4.1-r8 (12 Mar 2015)
+*xen-4.3.3-r7 (12 Mar 2015)
+*xen-4.2.5-r6 (12 Mar 2015)
+
+  12 Mar 2015; Yixun Lan <dlan@gentoo.org> -xen-4.2.5-r4.ebuild,
+  -xen-4.2.5-r5.ebuild, +xen-4.2.5-r6.ebuild, -xen-4.3.3-r5.ebuild,
+  -xen-4.3.3-r6.ebuild, +xen-4.3.3-r7.ebuild, -xen-4.4.1-r6.ebuild,
+  -xen-4.4.1-r7.ebuild, +xen-4.4.1-r8.ebuild, -xen-4.5.0-r2.ebuild,
+  +xen-4.5.0-r3.ebuild:
+  security bump, fix bug 542263, XSA-123


Arches, please test and mark stable:
=app-emulation/xen-4.2.5-r6
=app-emulation/xen-tools-4.2.5-r2
Target keywords Both : "amd64 x86"

=app-emulation/xen-4.4.1-r8
=app-emulation/xen-tools-4.4.1-r6
=app-emulation/xen-pvgrub-4.4.1
Target keywords Only: "amd64" 

For now, I'll just leave out arm(64) for stabilization

XSA-120 -> need to patch kernel, not xen source code, and I checked gentoo-sources-3.19.1, haven't include this patch.
XSA-124 -> no patches, no reasonable resolution in software

btw, can we file a separate bug for XSA-120, and then CC kernel team?
Comment 4 Agostino Sarubbo gentoo-dev 2015-03-13 09:38:45 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-03-13 09:48:49 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Tomáš Mózes 2015-03-14 05:50:47 UTC
Would it be possible to also stabilize the 4.3 branch?
Comment 7 Yixun Lan gentoo-dev 2015-03-14 11:54:02 UTC
(In reply to Tomas Mozes from comment #6)
> Would it be possible to also stabilize the 4.3 branch?

any reason here?
actually I'm talking to @idella4 that we'd plan to stabilize 4.4.x series, and prune out 4.3.x
Comment 8 Tomáš Mózes 2015-03-14 14:51:17 UTC
(In reply to Yixun Lan from comment #7)
> (In reply to Tomas Mozes from comment #6)
> > Would it be possible to also stabilize the 4.3 branch?
> 
> any reason here?
> actually I'm talking to @idella4 that we'd plan to stabilize 4.4.x series,
> and prune out 4.3.x

We are stabilizing 4.2 and 4.4 and leaving 4.3 behind, however according to:
http://www.xenproject.org/downloads/xen-archives.html

Supported Xen Project 4.3 series
Supported Xen Project 4.4 series
Supported Xen Project 4.5 series

Unsupported Xen Project 4.2 series

Wouldn't it make sense to drop 4.2 and stabilize 4.3 and 4.4?
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-14 15:06:53 UTC
(In reply to Tomas Mozes from comment #8)
> (In reply to Yixun Lan from comment #7)
> > (In reply to Tomas Mozes from comment #6)
> > > Would it be possible to also stabilize the 4.3 branch?
> > 



> Unsupported Xen Project 4.2 series
> 
> Wouldn't it make sense to drop 4.2 and stabilize 4.3 and 4.4?

Please keep this discussion another place than a security bug.
(but as I understand it 4.2 is the latest branch supporting x86 as hypervisor)
Comment 10 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-18 17:15:45 UTC
Added to existing GLSA request
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2015-03-28 19:36:31 UTC
CVE-2015-2045 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2045):
  The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does not
  properly initialize data structures, which allows local guest users to
  obtain sensitive information via unspecified vectors.

CVE-2015-2044 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2044):
  The emulation routines for unspecified X86 devices in Xen 3.2.x through
  4.5.x does not properly initialize data, which allow local HVM guest users
  to obtain sensitive information via vectors involving an unsupported access
  size.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-04-04 21:34:47 UTC
Maintainer(s), Thank you for you for cleanup.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2015-04-11 20:38:14 UTC
This issue was resolved and addressed in
 GLSA 201504-04 at https://security.gentoo.org/glsa/201504-04
by GLSA coordinator Yury German (BlueKnight).