Bug 850802 (CVE-2022-21123, CVE-2022-21125, CVE-2022-21166, CVE-2022-26362, CVE-2022-26363, CVE-2022-26364, XSA-401, XSA-402, XSA-404) - <app-emulation/xen-{4.15.3,4.16.1}: multiple vulnerabilities
Summary: <app-emulation/xen-{4.15.3,4.16.1}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-21123, CVE-2022-21125, CVE-2022-21166, CVE-2022-26362, CVE-2022-26363, CVE-2022-26364, XSA-401, XSA-402, XSA-404
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: B2 [glsa+]
Keywords: PullRequest
Depends on: 857117
Reported: 2022-06-09 20:10 UTC by Tomáš Mózes
Modified: 2022-08-14 14:34 UTC

Description Tomáš Mózes 2022-06-09 20:10:48 UTC
x86 pv: Race condition in typeref acquisition:
https://xenbits.xen.org/xsa/advisory-401.html

x86 pv: Insufficient care with non-coherent mappings:
https://xenbits.xen.org/xsa/advisory-402.html
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-09 23:09:19 UTC
Thanks, hydrapolic!
Comment 2 Tomáš Mózes 2022-06-28 11:08:03 UTC
x86: MMIO Stale Data vulnerabilities
https://xenbits.xen.org/xsa/advisory-404.html
Comment 3 Larry the Git Cow gentoo-dev 2022-07-05 16:23:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c7d3fbce66cc7e528ba2d937561febaea5584b4

commit 7c7d3fbce66cc7e528ba2d937561febaea5584b4
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2022-07-04 10:52:32 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-07-05 16:22:27 +0000

    app-emulation/xen: add 4.15.3
    
    Bug: https://bugs.gentoo.org/850802
    Signed-off-by: Florian Schmaus <flow@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/26217
    Closes: https://github.com/gentoo/gentoo/pull/25839

 app-emulation/xen/xen-4.15.3.ebuild | 183 ++++++++++++++++++++++++++++++++++++
 1 file changed, 183 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3807633e47f5ccbbd72d25c38de329016067e3d3

commit 3807633e47f5ccbbd72d25c38de329016067e3d3
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2022-07-04 10:52:04 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-07-05 16:20:56 +0000

    app-emulation/xen-tools: add 4.15.3
    
    Bug: https://bugs.gentoo.org/850802
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen-tools/Manifest                |   1 +
 app-emulation/xen-tools/xen-tools-4.15.3.ebuild | 530 ++++++++++++++++++++++++
 app-emulation/xen/Manifest                      |   1 +
 3 files changed, 532 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b48c2d2662337ed28190d32ad3898686959dccd5

commit b48c2d2662337ed28190d32ad3898686959dccd5
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2022-07-04 10:22:01 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-07-05 16:20:56 +0000

    app-emulation/xen-tools: add 4.16.1, 4.16.2_pre1
    
    This introduces a new approach to handle Xen patching and versioning. SECURITY_VER and
    OVMF_VER were dropped as those have not been used in a while. We now
    consume the upstream patches from a repository called
    xen-upstream-patches, which will ultimately be hosted by Gentoo
    infra (e.g. available under gitweb.gentoo.org). The Gentoo patchset now
    lives in a repository called xen-gentoo-patches, which will also be
    hosted on Gentoo infra.
    
    Furthermore we now follow upstream's versioning scheme. Previously we
    would sell Xen 4.16.2-pre, which is from the staging-4.16 branch
    containing security fixes, as Xen 4.16.1. To avoid confusion, we will
    label the Xen versions as such, and Xen 4.16.1 will be what is tagged
    upstream as RELEASE-4.16.1 (+ the few Gentoo specific patches).
    
    Closes: https://bugs.gentoo.org/845099
    Bug: https://bugs.gentoo.org/850802
    Closes: https://github.com/gentoo/gentoo/pull/25839
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen-tools/Manifest                   |   3 +
 app-emulation/xen-tools/xen-tools-4.16.1.ebuild    | 526 +++++++++++++++++++++
 .../xen-tools/xen-tools-4.16.2_pre1.ebuild         | 526 +++++++++++++++++++++
 3 files changed, 1055 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-10 13:47:00 UTC
Please clean up
Comment 5 Larry the Git Cow gentoo-dev 2022-07-11 06:45:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44cd2bcd4251add67376396126d7467f217804c5

commit 44cd2bcd4251add67376396126d7467f217804c5
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2022-07-11 06:44:13 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-07-11 06:45:27 +0000

    app-emulation/xen-tools: drop 4.15.2-r2
    
    Bug: https://bugs.gentoo.org/850802
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen-tools/Manifest                   |   5 -
 app-emulation/xen-tools/xen-tools-4.15.2-r2.ebuild | 555 ---------------------
 2 files changed, 560 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=69086d143b2e21748bfc0d7c7878b5fde95134c3

commit 69086d143b2e21748bfc0d7c7878b5fde95134c3
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2022-07-11 06:44:59 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-07-11 06:45:26 +0000

    app-emulation/xen: drop 4.15.2-r2
    
    Bug: https://bugs.gentoo.org/850802
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen/Manifest             |   2 -
 app-emulation/xen/xen-4.15.2-r2.ebuild | 163 ---------------------------------
 2 files changed, 165 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2022-07-11 06:47:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f1e2ba62ae09ecf6339b5fce65958bb07d50a38

commit 3f1e2ba62ae09ecf6339b5fce65958bb07d50a38
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2022-07-11 06:47:21 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-07-11 06:47:21 +0000

    app-emulation/xen-tools: drop 4.16.1
    
    Bug: https://bugs.gentoo.org/850802
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen-tools/Manifest                |   1 -
 app-emulation/xen-tools/xen-tools-4.16.1.ebuild | 526 ------------------------
 2 files changed, 527 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cf2e7926994172cfb0eb62caabc68b53eb945b7

commit 6cf2e7926994172cfb0eb62caabc68b53eb945b7
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2022-07-11 06:47:04 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-07-11 06:47:04 +0000

    app-emulation/xen: drop 4.16.1
    
    Bug: https://bugs.gentoo.org/850802
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen/Manifest          |   1 -
 app-emulation/xen/xen-4.16.1.ebuild | 185 ------------------------------------
 2 files changed, 186 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 04:51:59 UTC
GLSA request filed
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 14:31:28 UTC
GLSA done, all done.
Comment 9 Larry the Git Cow gentoo-dev 2022-08-14 14:34:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=22bc39ed12fa34e39fcf5a2559a7f2135d98e1b1

commit 22bc39ed12fa34e39fcf5a2559a7f2135d98e1b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 14:28:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 14:33:57 +0000

    [ GLSA 202208-23 ] Xen: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/810341
    Bug: https://bugs.gentoo.org/812485
    Bug: https://bugs.gentoo.org/816882
    Bug: https://bugs.gentoo.org/825354
    Bug: https://bugs.gentoo.org/832039
    Bug: https://bugs.gentoo.org/835401
    Bug: https://bugs.gentoo.org/850802
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-23.xml | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)