Multiple vulnerabilities have been found in the Xen hypervisor:

* CVE-2018-12891 (XSA-264)
  http://xenbits.xen.org/xsa/advisory-264.html
  Preemption checks bypassed in x86 PV MM handling.
  All Xen versions from 3.4 onwards are vulnerable.

* CVE-2018-12892 (XSA-266)
  http://xenbits.xen.org/xsa/advisory-266.html
  libxl fails to honour readonly flag on HVM emulated SCSI disks
  The vulnerability is present in Xen versions 4.7 and later.

* CVE-2018-12893 (XSA-265)
  http://xenbits.xen.org/xsa/advisory-265.html
  x86: #DB exception safety check can be triggered by a guest
  One of the fixes in XSA-260 added some safety checks to help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of these safety checks can be triggered by a guest.
  All Xen systems which have applied the XSA-260 fix are vulnerable.

--
Gentoo Security Scout
Vladimir Krstulja
Revising severity: no specific configuration required, and per XSA-266 the domU users may be able to modify assigned read-only SCSI disk images.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ef4e6575bdfb96b79db1469f37a5b9c3de2ab17

commit 2ef4e6575bdfb96b79db1469f37a5b9c3de2ab17
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2018-07-13 16:55:30 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-07-17 11:06:56 +0000

    app-emulation/xen: bump to 4.11.0

    Bug: https://bugs.gentoo.org/659442
    Package-Manager: Portage-2.3.42, Repoman-2.3.9

 app-emulation/xen-tools/Manifest    |   2 +-
 app-emulation/xen/Manifest          |   3 +-
 app-emulation/xen/xen-4.11.0.ebuild | 172 ++++++++++++++++++++++++++++++++++++
 3 files changed, 175 insertions(+), 2 deletions(-)
Added to an existing GLSA.
This issue was resolved and addressed in GLSA 201810-06 at https://security.gentoo.org/glsa/201810-06 by GLSA coordinator Thomas Deutschmann (whissi).