Univention Bugzilla – Bug 38565
xen: Multiple issues (3.2)
Last modified: 2015-09-23 13:14:46 CEST
Unfixed issues remaining in xen-4.1.3 for UCS-3.2-6 from Bug #38173:

* Denial of service against host by malicious HVM guest with assigned PCI device with pass-through (Long latency MMIO mapping operations are not preemptible) (CVE-2015-2752)
* HVM qemu unexpectedly enabling emulated VGA graphics backends (CVE-2015-2152)
* Information leak through XEN_DOMCTL_gettscinfo (CVE-2015-3340)

+++ This bug was initially created as a clone of Bug #38173 +++
* Denial of service (host interrupt handling confusion) due to potential unintended writes to host MSI message data field via qemu by untrusted guest administrators (CVE-2015-4103)
* Denial of service (unexpected interrupt and host crash) due to PCI MSI mask bits inadvertently exposed to guests (CVE-2015-4104)
* Denial of service due to guest triggerable qemu MSI-X pass-through error messages filling up the host storage (CVE-2015-4105)
* Unmediated PCI register access in qemu possibly allows privilege escalation, host crash (Denial of Service), and leaked information (CVE-2015-4106)
* A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process (CVE-2015-3209)
* The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a loop, which allows local 32-bit PV guest administrators to cause a denial of service (large loop and system hang) via a hypercall_iret call with EFLAGS.VM set (CVE-2015-4164)
* xl command line config handling stack overflow (CVE-2015-3259)
r63808 | Bug #35104: xenstored crash SEGV, Bug #38565: xen: Multiple issues
Renamed patches; use "git build package patch queue" (gbp-pq) from ~phahn/src/extern/xen
Applied patches for CVEs mentioned in this bug report
Applied patch for Bug #35104
Fixed build system for parallel build: *-stamp did not work
Package: xen-4.1
Version: 4.1.3-21.52.201509171449
Branch: ucs_3.2-0
Scope: errata3.2-7

r63809 | Bug #35104: xenstored crash SEGV, Bug #38565: xen: Multiple issues
YAML 2015-09-17-xen-4.1.yaml

OK: @xen13
OK: xm list
OK: virsh list
OK: uvmm ...
OK: ucs-3.2
OK: ucs-4.0
OK: w2k8r2
FYI: w2k12 blue screen, but VM might be corrupt

Already fixed
=============
ALREADY-FIXED http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=fa957039018e1470737e785d849e5eee12ae3786 CVE-2013-4494 / XSA-73

Fixed incompletely
==================
FIXED Missing eefac7560f9a23e9330c04fe50e1185a1739a18d after 18c40b58752701b7a08e8394aa614cd4f6e21707 for XSA-27 / CVE-2012-5511 (Bug #29183)

Missed
======
ADDED CVE-2013-2212 was claimed as an unfixable hardware limitation (Bug #31395)
ADDED CVE-2015-2756 was claimed to not be present (Bug #25434)
ADDED CVE-2015-5154 is also present (Bug #25434)

Fixed in stable-4.1
===================
CVEs
----
ADDED http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=5cd1c730438c3c2cf164dd99a93627d3bcef2b9f XSA-72 / CVE-2013-4416
ADDED http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=21c17c15931f1dcb3da5520d8d542e973098297d CVE-2013-4554 / XSA-76
ADDED http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=5891e7c1541199350c0f23452f4487a679037f03 CVE-2013-6885 / XSA-82
ADDED http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=934858f00267a92bc2a2995a0c634d02d2c60fbd CVE-2013-6885 / XSA-82
ADDED http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=649e7ae0df99ffb5bccc17b4cb139c46ce2359a2 CVE-2013-2212 / XSA-60
ADDED http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=8829f8e3a6aff06f800c32841418afe98f0825bb CVE-2013-2212 / XSA-60
ADDED http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=684b40eb41c3d5eba55ad94b36fa3702c7720fe1 CVE-2013-2212 / XSA-60

XSAs
----
ADDED http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=fa1bde94493ee9fc66ce6f33ed434a9d7133c896 XSA-87 CVE-2014-1666
NOT-NEEDED http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=f0d0e5efe15a8ce53eaaeee64cf568358ec197ca XSA-84 CVE-2014-1891 CVE-2014-1892 CVE-2014-1893 CVE-2014-1894 XSM_ENABLE=n

Open
====
<https://forge.univention.org/bugzilla/show_bug.cgi?id=38565>

* Denial of service against host by malicious HVM guest with assigned PCI device with pass-through (Long latency MMIO mapping operations are not preemptible) (CVE-2015-2752)
  XSA-125
  Commit-4.2: e3bfa4003ceaa2746cdd77655953ab2601acaf9c
* HVM qemu unexpectedly enabling emulated VGA graphics backends (CVE-2015-2152)
  XSA-119
  Commit-4.2: 5bec01c19839e150e489dd04376c65f961830c86
* Information leak through XEN_DOMCTL_gettscinfo (CVE-2015-3340)
  XSA-132
  Commit-4.2: 7e527e2ab6c95ef84035d02e9e50b956a0d469c9
* Denial of service (host interrupt handling confusion) due to potential unintended writes to host MSI message data field via qemu by untrusted guest administrators (CVE-2015-4103)
  XSA-128
  http://xenbits.xen.org/xsa/xsa128-qemut.patch
* Denial of service (unexpected interrupt and host crash) due to PCI MSI mask bits inadvertently exposed to guests (CVE-2015-4104)
  XSA-129
  http://xenbits.xen.org/xsa/xsa129-qemut.patch
* Denial of service due to guest triggerable qemu MSI-X pass-through error messages filling up the host storage (CVE-2015-4105)
  XSA-130
  http://xenbits.xen.org/xsa/xsa130-qemut.patch
* Unmediated PCI register access in qemu possibly allows privilege escalation, host crash (Denial of Service), and leaked information (CVE-2015-4106)
  XSA-131
  http://xenbits.xen.org/xsa/xsa131-qemut-4.2-1.patch
  http://xenbits.xen.org/xsa/xsa131-qemut-2.patch
  http://xenbits.xen.org/xsa/xsa131-qemut-3.patch
  http://xenbits.xen.org/xsa/xsa131-qemut-4.patch
  http://xenbits.xen.org/xsa/xsa131-qemut-5.patch
  http://xenbits.xen.org/xsa/xsa131-qemut-6.patch
  http://xenbits.xen.org/xsa/xsa131-qemut-7.patch
  http://xenbits.xen.org/xsa/xsa131-qemut-8.patch
* A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process (CVE-2015-3209)
  XSA-135
  http://xenbits.xen.org/xsa/xsa135-qemut-1.patch
  http://xenbits.xen.org/xsa/xsa135-qemut-2.patch
* The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a loop, which allows local 32-bit PV guest administrators to cause a denial of service (large loop and system hang) via a hypercall_iret call with EFLAGS.VM set (CVE-2015-4164)
  XSA-136
  http://xenbits.xen.org/xsa/xsa136.patch
  Commit-4.2: 21a8344ca38a2797a13b4bf57031b6f49ae12ccb
* xl command line config handling stack overflow (CVE-2015-3259)
  XSA-137
  Commit-4.2: b20c28064c54d345f366528a0f452ad14911e146

New
===
<http://xenbits.xen.org/xsa/>

NOT-VULNERABLE XSA-139 CVE-2015-5166
TODO XSA-140 CVE-2015-5165
  http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-1.patch
  http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-2.patch
  http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-3.patch
  http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-4.patch
  http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-5.patch
  http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-6.patch
  http://xenbits.xen.org/xsa/xsa140-qemuu-unstable-7.patch
NOT-VULNERABLE XSA-141 CVE-2015-6654
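The tracking list above maps each advisory to the xenbits patch files (or the stable-4.2 commit) that close it, and the package build then has to carry every one of those files. The following Python script is an added example, not code from this bug report, from Univention's xen-4.1 package or from the Xen project: it cross-checks a Debian-style debian/patches/series file against that mapping and reports, per XSA, whether all, some or none of the expected patch files are applied. The XSA numbers, CVEs and patch URLs are copied from the list; the series content (including the patch name 0001-xenstored-fix-segv.patch) is constructed for the demonstration, and advisories recorded only as a Commit-4.2 hash (XSA-119, XSA-125, XSA-132, XSA-137) are left out, because a series file cannot show whether a backported commit is present.

```python
"""Audit a debian/patches/series file against the XSA patch list above.

Added example, not code from this bug report, from Univention or from the
Xen project.  XSA numbers, CVEs and xenbits patch URLs are copied from the
tracking list; the series file content below is constructed for the demo.
"""
import posixpath
from urllib.parse import urlparse

XENBITS = "http://xenbits.xen.org/xsa/"

# XSA -> (CVEs, status as recorded in the bug, expected patch URLs)
XSA_TABLE = {
    "XSA-128": (("CVE-2015-4103",), "OPEN", (XENBITS + "xsa128-qemut.patch",)),
    "XSA-129": (("CVE-2015-4104",), "OPEN", (XENBITS + "xsa129-qemut.patch",)),
    "XSA-130": (("CVE-2015-4105",), "OPEN", (XENBITS + "xsa130-qemut.patch",)),
    "XSA-131": (("CVE-2015-4106",), "OPEN",
                (XENBITS + "xsa131-qemut-4.2-1.patch",)
                + tuple(XENBITS + "xsa131-qemut-%d.patch" % n for n in range(2, 9))),
    "XSA-135": (("CVE-2015-3209",), "OPEN",
                tuple(XENBITS + "xsa135-qemut-%d.patch" % n for n in (1, 2))),
    "XSA-136": (("CVE-2015-4164",), "OPEN", (XENBITS + "xsa136.patch",)),
    "XSA-139": (("CVE-2015-5166",), "NOT-VULNERABLE", ()),
    "XSA-140": (("CVE-2015-5165",), "TODO",
                tuple(XENBITS + "xsa140-qemuu-unstable-%d.patch" % n for n in range(1, 8))),
    "XSA-141": (("CVE-2015-6654",), "NOT-VULNERABLE", ()),
}

# Constructed debian/patches/series: part 7 of XSA-131 is deliberately left
# out and XSA-140 is absent, so the audit has something to flag.
SERIES = """\
# xen-4.1 patch queue (constructed for this example)
0001-xenstored-fix-segv.patch
xsa128-qemut.patch
xsa129-qemut.patch
xsa130-qemut.patch
xsa131-qemut-4.2-1.patch
xsa131-qemut-2.patch
xsa131-qemut-3.patch
xsa131-qemut-4.patch
xsa131-qemut-5.patch
xsa131-qemut-6.patch
xsa131-qemut-8.patch
xsa135-qemut-1.patch
xsa135-qemut-2.patch -p1
xsa136.patch
"""


def patch_name(url):
    """Basename of a xenbits patch URL, e.g. '.../xsa128-qemut.patch'."""
    return posixpath.basename(urlparse(url).path)


def parse_series(text):
    """Patch basenames from a quilt/dpkg-source series file.

    One patch per line; '#' starts a comment; an optional '-pN' strip level
    may follow the patch path.  Only the basename is compared, so the
    patches may live in subdirectories of debian/patches.
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(posixpath.basename(line.split()[0]))
    return names


def audit(series_text, table=XSA_TABLE):
    """Return {XSA: verdict} for every advisory in the table."""
    applied = set(parse_series(series_text))
    report = {}
    for xsa, (cves, status, urls) in table.items():
        if status == "NOT-VULNERABLE":
            report[xsa] = "skipped (NOT-VULNERABLE)"
            continue
        expected = [patch_name(u) for u in urls]
        missing = [p for p in expected if p not in applied]
        if not missing:
            report[xsa] = "applied"
        elif len(missing) == len(expected):
            report[xsa] = "missing"
        else:
            # A multi-part XSA with one part dropped is the easy thing to miss.
            report[xsa] = "partial, missing: " + ", ".join(missing)
    return report


if __name__ == "__main__":
    for xsa, verdict in audit(SERIES).items():
        print("%-8s %-14s %s" % (xsa, ", ".join(XSA_TABLE[xsa][0]), verdict))
```

Run against a real package, replace SERIES with the contents of debian/patches/series from the gbp-pq export; the "partial" verdict is the one worth watching, since a multi-part advisory such as XSA-131 is only closed when all eight files are in the queue.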
OK: Patches adapted
OK: Patches included in build
OK: YAML (minor change in r63881)
OK: Also release for UCS 3.2-6
OK: VM state after update @xen1; (UCS, w2k3, w2k12)
OK: xm, virsh, uvmm
-> Verified
<http://errata.software-univention.de/ucs/3.2/372.html>