Bug 201416

Summary: sysutils/xen-tools: XSA-137 xl command line config handling stack overflow
Product: Ports & Packages Reporter: Jason Unovitch <junovitch>
Component: Individual Port(s)Assignee: Baptiste Daroussin <bapt>
Status: Closed FIXED    
Severity: Affects Some People Flags: bugzilla: maintainer-feedback? (bapt)
Priority: ---    
Version: Latest   
Hardware: amd64   
OS: Any   
Attachments:
Description Flags
With patch from http://xenbits.xen.org/xsa/xsa137.patch
none
Poudriere log for xen-tools-4.5.0_8 with XSA-137 patch
none
security/vuxml update for xen
none
security/vuxml for XSA-135 none

Description Jason Unovitch freebsd_committer freebsd_triage 2015-07-08 02:05:28 UTC 
Created attachment 158521 [details]
With patch from http://xenbits.xen.org/xsa/xsa137.patch

Notification regarding XSA-137 / CVE-2015-3259 for "xl command line config handling stack overflow"
http://xenbits.xen.org/xsa/advisory-137.html
Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2015-07-08 02:07:08 UTC 
Created attachment 158522 [details]
Poudriere log for xen-tools-4.5.0_8 with XSA-137 patch

Build test on 11.0-CURRENT r284725 amd64

I don't use Xen and am unable to test runtime.
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-07-08 02:08:27 UTC 
Is there a reason most of the recent sysutils/xen-tools and emulators/xen-kernel CVE's haven't been addressed with VuXML?  Perhaps because it's only supported on CURRENT?  I can look into addressing this if desired.
Comment 3 Baptiste Daroussin freebsd_committer freebsd_triage 2015-07-11 12:59:58 UTC 
thanks on the update, the reason for vuxml is just that I forgot to add those, if you want to provide a patch to document the previous issues I would be very thankful!
Comment 4 commit-hook freebsd_committer freebsd_triage 2015-07-11 13:17:09 UTC 
A commit references this bug:

Author: bapt
Date: Sat Jul 11 13:16:47 UTC 2015
New revision: 391737
URL: https://svnweb.freebsd.org/changeset/ports/391737

Log:
  Fix XSA-137 / CVE-2015-3259

  PR:		201416
  Submitted by:	Jason Unovitch <jason.unovitch@gmail.com>

Changes:
  head/sysutils/xen-tools/Makefile
  head/sysutils/xen-tools/files/xsa137.patch
Comment 5 Jason Unovitch freebsd_committer freebsd_triage 2015-07-11 17:18:36 UTC 
Created attachment 158621 [details]
security/vuxml update for xen

- Document xen-tools and xen-kernel advisories XSA-117,118,119,121,122,123,125,126,128,129,130,131,132,134,136,137

== Validation ==

% make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

== BEFORE ==

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit xen-tools-4.5.0
xen-tools-4.5.0 is vulnerable:
xen-tools -- Unmediated PCI register access in qemu
CVE: CVE-2015-4106
WWW: https://vuxml.FreeBSD.org/freebsd/3d657340-27ea-11e5-a4a5-002590263bf5.html

xen-tools-4.5.0 is vulnerable:
xen-tools -- PCI MSI mask bits inadvertently exposed to guests
CVE: CVE-2015-4104
WWW: https://vuxml.FreeBSD.org/freebsd/4db8a0f4-27e9-11e5-a4a5-002590263bf5.html

xen-tools-4.5.0 is vulnerable:
xen-tools -- Guest triggerable qemu MSI-X pass-through error messages
CVE: CVE-2015-4105
WWW: https://vuxml.FreeBSD.org/freebsd/cbe1a0f9-27e9-11e5-a4a5-002590263bf5.html

xen-tools-4.5.0 is vulnerable:
xen-tools -- HVM qemu unexpectedly enabling emulated VGA graphics backends
CVE: CVE-2015-2152
WWW: https://vuxml.FreeBSD.org/freebsd/0d732fd1-27e0-11e5-a4a5-002590263bf5.html

xen-tools-4.5.0 is vulnerable:
xen-tools -- xl command line config handling stack overflow
CVE: CVE-2015-3259
WWW: https://vuxml.FreeBSD.org/freebsd/f1deed23-27ec-11e5-a4a5-002590263bf5.html

xen-tools-4.5.0 is vulnerable:
xen-tools -- Unmediated PCI command register access in qemu
CVE: CVE-2015-2756
WWW: https://vuxml.FreeBSD.org/freebsd/79f401cd-27e6-11e5-a4a5-002590263bf5.html

xen-tools-4.5.0 is vulnerable:
qemu, xen and VirtualBox OSE -- possible VM escape and code execution ("VENOM")
CVE: CVE-2015-3456
WWW: https://vuxml.FreeBSD.org/freebsd/2780e442-fc59-11e4-b18b-6805ca1d3bb1.html

xen-tools-4.5.0 is vulnerable:
xen-kernel and xen-tools -- Long latency MMIO mapping operations are not preemptible
CVE: CVE-2015-2752
WWW: https://vuxml.FreeBSD.org/freebsd/d40c66cb-27e4-11e5-a4a5-002590263bf5.html

xen-tools-4.5.0 is vulnerable:
xen-tools -- Potential unintended writes to host MSI message data field via qemu
CVE: CVE-2015-4103
WWW: https://vuxml.FreeBSD.org/freebsd/af38cfec-27e7-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.


% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit xen-kernel-4.5.0
xen-kernel-4.5.0 is vulnerable:
xen-kernel -- Information leak through version information hypercall
CVE: CVE-2015-2045
WWW: https://vuxml.FreeBSD.org/freebsd/ef9d041e-27e2-11e5-a4a5-002590263bf5.html

xen-kernel-4.5.0 is vulnerable:
xen-kernel -- arm: vgic-v2: GICD_SGIR is not properly emulated
CVE: CVE-2015-0268
WWW: https://vuxml.FreeBSD.org/freebsd/785c86b1-27d6-11e5-a4a5-002590263bf5.html

xen-kernel-4.5.0 is vulnerable:
xen-kernel -- arm: vgic: incorrect rate limiting of guest triggered logging
CVE: CVE-2015-1563
WWW: https://vuxml.FreeBSD.org/freebsd/912cb7f7-27df-11e5-a4a5-002590263bf5.html

xen-kernel-4.5.0 is vulnerable:
xen-kernel -- Information leak via internal x86 system device emulation
CVE: CVE-2015-2044
WWW: https://vuxml.FreeBSD.org/freebsd/5023f559-27e2-11e5-a4a5-002590263bf5.html

xen-kernel-4.5.0 is vulnerable:
xen-kernel -- Certain domctl operations may be abused to lock up the host
CVE: CVE-2015-2751
WWW: https://vuxml.FreeBSD.org/freebsd/103a47d5-27e7-11e5-a4a5-002590263bf5.html

xen-kernel-4.5.0 is vulnerable:
xen-kernel -- vulnerability in the iret hypercall handler
CVE: CVE-2015-4164
WWW: https://vuxml.FreeBSD.org/freebsd/8c31b288-27ec-11e5-a4a5-002590263bf5.html

xen-kernel-4.5.0 is vulnerable:
xen-kernel -- GNTTABOP_swap_grant_ref operation misbehavior
CVE: CVE-2015-4163
WWW: https://vuxml.FreeBSD.org/freebsd/80e846ff-27eb-11e5-a4a5-002590263bf5.html

xen-kernel-4.5.0 is vulnerable:
xen-kernel and xen-tools -- Long latency MMIO mapping operations are not preemptible
CVE: CVE-2015-2752
WWW: https://vuxml.FreeBSD.org/freebsd/d40c66cb-27e4-11e5-a4a5-002590263bf5.html

xen-kernel-4.5.0 is vulnerable:
xen-kernel -- Information leak through XEN_DOMCTL_gettscinfo
CVE: CVE-2015-3340
WWW: https://vuxml.FreeBSD.org/freebsd/ce658051-27ea-11e5-a4a5-002590263bf5.html

xen-kernel-4.5.0 is vulnerable:
xen-kernel -- Hypervisor memory corruption due to x86 emulator flaw
CVE: CVE-2015-2151
WWW: https://vuxml.FreeBSD.org/freebsd/83a28417-27e3-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.


== AFTER ==

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit xen-kernel-4.5.0_3
0 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit xen-tools-4.5.0_8
0 problem(s) in the installed packages found.
Comment 6 Baptiste Daroussin freebsd_committer freebsd_triage 2015-07-11 17:21:54 UTC 
It is in, thank you very much!
Comment 7 commit-hook freebsd_committer freebsd_triage 2015-07-11 17:22:09 UTC 
A commit references this bug:

Author: bapt
Date: Sat Jul 11 17:21:35 UTC 2015
New revision: 391764
URL: https://svnweb.freebsd.org/changeset/ports/391764

Log:
  Document all recent xen-kernel and xen-tools security issues

  PR:		201416
  Submitted by:	Jason Unovitch <jason.unovitch@gmail.com>

Changes:
  head/security/vuxml/vuln.xml
Comment 8 Jason Unovitch freebsd_committer freebsd_triage 2015-07-11 17:23:01 UTC 
Created attachment 158622 [details]
security/vuxml for XSA-135

- Add xen-tools to the list of packages fixed in existing XSA-136 / CVE-2015-4164 entry
Comment 9 Jason Unovitch freebsd_committer freebsd_triage 2015-07-11 17:24:13 UTC 
(In reply to Baptiste Daroussin from comment #6)

Thanks!  That was quick. The second one was to modify the existing entry for XSA-135.  Didn't want to clutter the already big patch for the additions.

It should be much easier keeping this updated moving forward now.
Comment 10 Jason Unovitch freebsd_committer freebsd_triage 2015-07-11 17:25:26 UTC 
(In reply to Jason Unovitch from comment #8)

Comment 8 should say:

- Add xen-tools to the list of packages fixed in existing XSA-135 / CVE-2015-3209 entry
Comment 11 commit-hook freebsd_committer freebsd_triage 2015-07-11 17:29:11 UTC 
A commit references this bug:

Author: bapt
Date: Sat Jul 11 17:29:04 UTC 2015
New revision: 391765
URL: https://svnweb.freebsd.org/changeset/ports/391765

Log:
  - Add xen-tools to the list of packages fixed in existing
  XSA-135 / CVE-2015-3209 entry

  PR:		201416
  Submitted by:	Jason Unovitch <jason.unovitch@gmail.com>

Changes:
  head/security/vuxml/vuln.xml
Comment 12 commit-hook freebsd_committer freebsd_triage 2015-08-17 15:16:08 UTC 
A commit references this bug:

Author: junovitch
Date: Mon Aug 17 15:15:17 UTC 2015
New revision: 394515
URL: https://svnweb.freebsd.org/changeset/ports/394515

Log:
  MFH: r391737

  Fix XSA-137 / CVE-2015-3259

  PR:		201416
  Submitted by:	Jason Unovitch <jason.unovitch@gmail.com>
  Approved by:	ports-secteam (feld), feld (mentor)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/sysutils/xen-tools/Makefile
  branches/2015Q3/sysutils/xen-tools/files/xsa137.patch