Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 634668 (CVE-2017-15588, CVE-2017-15589, CVE-2017-15590, CVE-2017-15591, CVE-2017-15592, CVE-2017-15593, CVE-2017-15594, CVE-2017-15595) - <app-emulation/xen-4.8.2-r3: Multiple vulnerabilities
Summary: <app-emulation/xen-4.8.2-r3: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-15588, CVE-2017-15589, CVE-2017-15590, CVE-2017-15591, CVE-2017-15592, CVE-2017-15593, CVE-2017-15594, CVE-2017-15595
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: x86 Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+ cve]
Keywords:
: 637602 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-10-18 17:46 UTC by Aleksandr Wagner (Kivak)
Modified: 2018-01-14 23:50 UTC (History)
3 users (show)

See Also:
Package list:
app-emulation/xen-4.8.2-r3
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aleksandr Wagner (Kivak) 2017-10-18 17:46:08 UTC
CVE-2017-15595 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15595):

An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking. 

References:

https://xenbits.xen.org/xsa/advisory-240.html

CVE-2017-15594 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15594):

An issue was discovered in Xen through 4.9.x allowing x86 SVM PV guest OS users to cause a denial of service (hypervisor crash) or gain privileges because IDT settings are mishandled during CPU hotplugging. 

References:

https://xenbits.xen.org/xsa/advisory-244.html

CVE-2017-15593 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15593):

An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (memory leak) because reference counts are mishandled. 

References:

https://xenbits.xen.org/xsa/advisory-242.html

CVE-2017-15592 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15592):

An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because self-linear shadow mappings are mishandled for translated guests. 

References:

https://xenbits.xen.org/xsa/advisory-243.html

CVE-2017-15591 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15591):

An issue was discovered in Xen 4.5.x through 4.9.x allowing attackers (who control a stub domain kernel or tool stack) to cause a denial of service (host OS crash) because of a missing comparison (of range start to range end) within the DMOP map/unmap implementation. 

References:

https://xenbits.xen.org/xsa/advisory-238.html

CVE-2017-15590 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15590):

An issue was discovered in Xen through 4.9.x allowing x86 guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because MSI mapping was mishandled. 

References:

https://xenbits.xen.org/xsa/advisory-237.html

CVE-2017-15589 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15589):

An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to obtain sensitive information from the host OS (or an arbitrary guest OS) because intercepted I/O operations can cause a write of data from uninitialized hypervisor stack memory. 

References:

https://xenbits.xen.org/xsa/advisory-239.html

CVE-2017-15588 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15588):

An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to execute arbitrary code on the host OS because of a race condition that can cause a stale TLB entry. 

References:

https://xenbits.xen.org/xsa/advisory-241.html

Note: Only x86 is affected, patches are in the references.
Comment 2 Francis Booth 2017-11-15 18:02:48 UTC
*** Bug 637602 has been marked as a duplicate of this bug. ***
Comment 3 Tomáš Mózes 2017-11-27 08:29:38 UTC
(In reply to Tomáš Mózes from comment #1)
> Should be fixed by:
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=9f5090c0542f03940ace5c25954ddbed4aa6256f
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=fb2eba50033bc28a68c10f18c5393fc2a841c335

Seems like only parts of it were fixed by that commit. We need to pull the changes from stable-4.8 and create a new patch tarball.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-11 18:58:27 UTC
I haven't checked if all XSA's are already fixed in previous versions in Gentoo but at least they are part of =app-emulation/xen-4.8.2-r3:

> vm-gentoo-x64 /var/tmp/portage/app-emulation/xen-4.8.2-r3/work/patches-upstream # grep -Fr 'XSA-240' .
> ./0023-x86-limit-linear-page-table-use-to-a-single-level.patch:This is XSA-240.
> ./0048-x86-don-t-wrongly-trigger-linear-page-table-assertio.patch:This is part of XSA-240.
> vm-gentoo-x64 /var/tmp/portage/app-emulation/xen-4.8.2-r3/work/patches-upstream # grep -Fr 'XSA-244' .
> ./0027-x86-cpu-Fix-IST-handling-during-PCPU-bringup.patch:This is XSA-244.
> vm-gentoo-x64 /var/tmp/portage/app-emulation/xen-4.8.2-r3/work/patches-upstream # grep -Fr 'XSA-242' .
> ./0025-x86-don-t-allow-page_unlock-to-drop-the-last-type-re.patch:This is XSA-242.
> vm-gentoo-x64 /var/tmp/portage/app-emulation/xen-4.8.2-r3/work/patches-upstream # grep -Fr 'XSA-243' .
> ./0026-x86-shadow-Don-t-create-self-linear-shadow-mappings-.patch:This is XSA-243.
> ./0049-x86-shadow-correct-SH_LINEAR-mapping-detection-in-sh.patch:The fix for XSA-243 / CVE-2017-15592 (c/s bf2b4eadcf379) introduced a change
> ./0049-x86-shadow-correct-SH_LINEAR-mapping-detection-in-sh.patch:This is part of XSA-243.
> vm-gentoo-x64 /var/tmp/portage/app-emulation/xen-4.8.2-r3/work/patches-upstream # grep -Fr 'XSA-238' .
> ./0021-x86-ioreq-server-correctly-handle-bogus-XEN_DMOP_-un.patch:This is XSA-238.
> vm-gentoo-x64 /var/tmp/portage/app-emulation/xen-4.8.2-r3/work/patches-upstream # grep -Fr 'XSA-237' .
> ./0017-x86-enforce-proper-privilege-when-un-mapping-pIRQ-s.patch:This is part of XSA-237.
> ./0016-x86-don-t-allow-MSI-pIRQ-mapping-on-unowned-device.patch:This is part of XSA-237.
> ./0019-x86-IRQ-conditionally-preserve-irq-pirq-mapping-on-m.patch:This is part of XSA-237.
> ./0018-x86-MSI-disallow-redundant-enabling.patch:This is part of XSA-237.
> ./0020-x86-FLASK-fix-unmap-domain-IRQ-XSM-hook.patch:This is part of XSA-237.
> vm-gentoo-x64 /var/tmp/portage/app-emulation/xen-4.8.2-r3/work/patches-upstream # grep -Fr 'XSA-239' .
> ./0022-x86-HVM-prefill-partially-used-variable-on-emulation.patch:This is XSA-239.
> vm-gentoo-x64 /var/tmp/portage/app-emulation/xen-4.8.2-r3/work/patches-upstream # grep -Fr 'XSA-241' .
> ./0024-x86-don-t-store-possibly-stale-TLB-flush-time-stamp.patch:This is XSA-241.
>
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-14 16:34:30 UTC
Added to an existing GLSA.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2018-01-14 23:50:47 UTC
This issue was resolved and addressed in
 GLSA 201801-14 at https://security.gentoo.org/glsa/201801-14
by GLSA coordinator Thomas Deutschmann (whissi).