Bug 201931

Summary: sysutils/xen-tools: multiple vulnerabilities (CVE-2015-5154, CVE-2015-5166, CVE-2015-5165)
Product: Ports & Packages
Reporter: Jason Unovitch <junovitch>
Component: Individual Port(s)
Assignee: Baptiste Daroussin <bapt>
Status: Closed FIXED
Severity: Affects Some People
CC: delphij, feld, junovitch, pgollucci, sbruno
Priority: ---
Keywords: security
Version: Latest
Flags: bugzilla: maintainer-feedback? (bapt)
Hardware: Any
OS: Any

Attachments:
Description | Flags
Fix XSA-138 / CVE-2015-5154 | none
security/vuxml for XSA-138 / CVE-2015-5154 | none
Poudriere testport from HEAD jail | none
security/vuxml for XSA-139/XSA-140 (CVE-2015-5166 / CVE-2015-5165) | none
sysutils/xen-tools: Update to 4.5.1 and apply XSA-139/XSA-140 patches | none
Poudriere testport log from HEAD jail | none

Description Jason Unovitch freebsd_committer freebsd_triage 2015-07-28 00:48:18 UTC
Bapt,
The embargo on XSA-138 was lifted today.  See http://xenbits.xen.org/xsa/advisory-138.html.
Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2015-07-30 02:19:04 UTC
Created attachment 159378
Fix XSA-138 / CVE-2015-5154

Fix XSA-138 / CVE-2015-5154

PR:		201931
Security:	CVE-2015-5154
Security:	da451130-365d-11e5-a4a5-002590263bf5
MFH:		2015Q3
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-07-30 02:22:19 UTC
Created attachment 159379
security/vuxml for XSA-138 / CVE-2015-5154

Log:

Document xen-tools QEMU heap overflow flaw with certain ATAPI commands

PR:		201931
Security:	CVE-2015-5154
Security:	da451130-365d-11e5-a4a5-002590263bf5

Validation:

> make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit xen-tools-4.5.0_8
xen-tools-4.5.0_8 is vulnerable:
xen-tools -- QEMU heap overflow flaw with certain ATAPI commands
CVE: CVE-2015-5154
WWW: https://vuxml.FreeBSD.org/freebsd/da451130-365d-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit xen-tools-4.5.0_9
0 problem(s) in the installed packages found.
Comment 3 Jason Unovitch freebsd_committer freebsd_triage 2015-07-30 02:24:19 UTC
Created attachment 159380
Poudriere testport from HEAD jail
Comment 4 Jason Unovitch freebsd_committer freebsd_triage 2015-07-30 02:39:01 UTC
Bapt,
Patches and logs attached to address XSA-138/CVE-2015-5154 which was announced on Monday.  I'm not a Xen user so I've only addressed at build time and not run time.  Hopefully this helps out.  I've marked it for MFH to 2015Q3 as it's for security but I'll note r391737 from earlier this month still needs an MFH to 2015Q3 as well.

I've CC'd my mentors for their awareness but on this one I'm mainly just looking to help do my part in getting the word around and helping us respond to announced security issues.
Comment 5 Jason Unovitch freebsd_committer freebsd_triage 2015-08-04 02:41:46 UTC
Two additional QEMU related advisories were announced today:

http://xenbits.xen.org/xsa/advisory-139.html
http://xenbits.xen.org/xsa/advisory-140.html
Comment 6 Xin LI freebsd_committer freebsd_triage 2015-08-04 06:59:44 UTC
(In reply to Jason Unovitch from comment #2)
This is mentor approved (note that you need to bump the entry time to the day you make the commit).
Comment 7 Xin LI freebsd_committer freebsd_triage 2015-08-04 07:52:28 UTC
Adding sbruno as I think qemu-* is also affected?
Comment 8 commit-hook freebsd_committer freebsd_triage 2015-08-04 10:51:08 UTC
A commit references this bug:

Author: junovitch
Date: Tue Aug  4 10:50:22 UTC 2015
New revision: 393514
URL: https://svnweb.freebsd.org/changeset/ports/393514

Log:
  Fix XSA-138 / CVE-2015-5154

  PR:		201931
  Security:	CVE-2015-5154
  Security:	da451130-365d-11e5-a4a5-002590263bf5
  Approved by:	ports-secteam (delphij), delphij (mentor)
  MFH:		2015Q3

Changes:
  head/sysutils/xen-tools/Makefile
  head/sysutils/xen-tools/files/xsa138-qemut-1.patch
  head/sysutils/xen-tools/files/xsa138-qemut-2.patch
  head/sysutils/xen-tools/files/xsa138-qemuu-1.patch
  head/sysutils/xen-tools/files/xsa138-qemuu-2.patch
  head/sysutils/xen-tools/files/xsa138-qemuu-3.patch
Comment 9 commit-hook freebsd_committer freebsd_triage 2015-08-04 10:57:11 UTC
A commit references this bug:

Author: junovitch
Date: Tue Aug  4 10:56:25 UTC 2015
New revision: 393515
URL: https://svnweb.freebsd.org/changeset/ports/393515

Log:
  Document xen-tools QEMU heap overflow flaw with certain ATAPI commands

  PR:		201931
  Security:	CVE-2015-5154
  Security:	da451130-365d-11e5-a4a5-002590263bf5
  Approved by:	delphij (mentor)

Changes:
  head/security/vuxml/vuln.xml
Comment 10 Jason Unovitch freebsd_committer freebsd_triage 2015-08-04 10:58:02 UTC
(In reply to Xin LI from comment #6)

Done for XSA-138.

Pending review/testing of the newest XSA-139 and XSA-140.  More to come when that is done.
Comment 11 Jason Unovitch freebsd_committer freebsd_triage 2015-08-15 12:38:03 UTC
Created attachment 159894
security/vuxml for XSA-139/XSA-140  (CVE-2015-5166 / CVE-2015-5165)

Document two QEMU related xen-tools security advisories

PR:		201931
Security:	CVE-2015-5166
Security:	ee99899d-4347-11e5-93ad-002590263bf5
Security:	CVE-2015-5165
Security:	f06f20dc-4347-11e5-93ad-002590263bf5

Validation:
% make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit xen-tools-4.5.0_9
xen-tools-4.5.0_9 is vulnerable:
xen-tools -- QEMU leak of uninitialized heap memory in rtl8139 device model
CVE: CVE-2015-5165
WWW: https://vuxml.FreeBSD.org/freebsd/f06f20dc-4347-11e5-93ad-002590263bf5.html

xen-tools-4.5.0_9 is vulnerable:
xen-tools -- use after free in QEMU/Xen block unplug protocol
CVE: CVE-2015-5166
WWW: https://vuxml.FreeBSD.org/freebsd/ee99899d-4347-11e5-93ad-002590263bf5.html

1 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit xen-tools-4.5.1
0 problem(s) in the installed packages found.
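The check done by hand in the validation run above (the old package version is flagged with the new entries, the fixed version is clean) can be automated. This is an added example, not part of the original bug report or of the FreeBSD tooling; it parses `pkg audit` output in the layout shown on this page, and the function names are hypothetical.

```python
import re

# Output copied from the validation run in the comment above.
VULN_OUTPUT = """\
xen-tools-4.5.0_9 is vulnerable:
xen-tools -- QEMU leak of uninitialized heap memory in rtl8139 device model
CVE: CVE-2015-5165
WWW: https://vuxml.FreeBSD.org/freebsd/f06f20dc-4347-11e5-93ad-002590263bf5.html

xen-tools-4.5.0_9 is vulnerable:
xen-tools -- use after free in QEMU/Xen block unplug protocol
CVE: CVE-2015-5166
WWW: https://vuxml.FreeBSD.org/freebsd/ee99899d-4347-11e5-93ad-002590263bf5.html

1 problem(s) in the installed packages found.
"""
FIXED_OUTPUT = "0 problem(s) in the installed packages found.\n"

HEADER = re.compile(r"^(\S+) is vulnerable:$")
SUMMARY = re.compile(r"^(\d+) problem\(s\) in the installed packages found\.$")
VID = re.compile(r"/([0-9a-f-]{36})\.html$")  # VuXML id at the end of the WWW link


def parse_pkg_audit(text):
    """Return (entries, summary_count); one entry per 'is vulnerable' block."""
    entries, current, summary = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        total = SUMMARY.match(line)
        if header:
            current = {"package": header.group(1), "title": None, "cves": [], "vid": None}
            entries.append(current)
        elif total:
            summary, current = int(total.group(1)), None
        elif current is None or not line:
            continue
        elif line.startswith("CVE: "):
            current["cves"].append(line[len("CVE: "):])
        elif line.startswith("WWW: "):
            vid = VID.search(line)
            current["vid"] = vid.group(1) if vid else None
        elif current["title"] is None:
            current["title"] = line
    return entries, summary


def entry_matches_only_vulnerable(vuln_text, fixed_text, expected):
    """expected maps CVE id -> VuXML id. True when the vulnerable version reports
    exactly those pairs and the fixed version reports nothing."""
    vuln_entries, vuln_count = parse_pkg_audit(vuln_text)
    fixed_entries, fixed_count = parse_pkg_audit(fixed_text)
    found = {cve: e["vid"] for e in vuln_entries for cve in e["cves"]}
    return (found == expected and bool(vuln_count)
            and not fixed_entries and fixed_count == 0)
```

Keying the check on the parsed entries rather than on the summary line matters here: the run above lists two entries while the summary line reads `1 problem(s)`.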
Comment 12 Jason Unovitch freebsd_committer freebsd_triage 2015-08-15 12:42:12 UTC
Created attachment 159897
sysutils/xen-tools: Update to 4.5.1 and apply XSA-139/XSA-140 patches

First draft for a fix.  4.5.1 doesn't include the XSA-139/XSA-140 fix, but take the opportunity to update it and clean up while we're here.

Log:
sysutils/xen-tools: Update to 4.5.1 and apply XSA-139/XSA-140 patches

- Update to 4.5.1
- Remove XSA-117 to XSA-136 and elf_parse_bsdsyms patches now part of 4.5.1
- Leave XSA-135 QEMU traditional patches due an oversight in 4.5.1
- Apply patches for XSA-139/XSA-140
- Set USE_LDCONFIG, sort USES, use ${PATCH}, and reorder Makefile (portlint)

PR:		201931
Security:	CVE-2015-5166
Security:	ee99899d-4347-11e5-93ad-002590263bf5
Security:	CVE-2015-5165
Security:	f06f20dc-4347-11e5-93ad-002590263bf5
MFH:		2015Q3


Details:
Comments from http://xenproject.org/downloads/xen-archives/xen-45-series/xen-451.html

"This release also contains the security fixes for XSA-117 to XSA-136, with the exception of XSA-124 which documents security risks of non-standard PCI device functionality that cannot be addressed in software. It also includes an update to XSA-98 and XSA-59.

Note that the fix for the qemu portion of XSA-135 has not been applied to qemu-traditional due to an oversight."


Portlint before:
WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [122]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [126]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [130]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [134]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [138]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [139]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [142]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [146]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: Makefile: [66]: IGNORE messages should begin with a lowercase letter and end without a period.
WARN: Makefile: [32]: the options to USES are not sorted.  Please consider sorting them.
WARN: Makefile: [0]: possible direct use of command "patch" found. use ${PATCH} instead.
WARN: Makefile: [0]: possible direct use of command "patch" found. use ${PATCH} instead.
FATAL: Makefile: PORTVERSION appears out-of-order.
FATAL: Makefile: order must be PORTNAME/PORTVERSION/DISTVERSIONPREFIX/DISTVERSION/DISTVERSIONSUFFIX/PORTREVISION/PORTEPOCH/CATEGORIES/MASTER_SITES/MASTER_SITE_SUBDIR/PROJECTHOST/PKGNAMEPREFIX/PKGNAMESUFFIX/DISTNAME/EXTRACT_SUFX/DISTFILES/DIST_SUBDIR/EXTRACT_ONLY.
WARN: Makefile: "LIB_DEPENDS" has to appear earlier.
WARN: Makefile: "BUILD_DEPENDS" has to appear earlier.
2 fatal errors and 14 warnings found.

Portlint after:
looks fine.
Comment 13 Jason Unovitch freebsd_committer freebsd_triage 2015-08-15 12:44:21 UTC
Created attachment 159898
Poudriere testport log from HEAD jail

Poudriere:
Do we want to address the STRIP_CMD QA comment for this port?

This is not supported on i386, so the range in Poudriere this was built on follows:
9.3-RELEASE-p21      amd64
10.1-RELEASE-p16     amd64
10.2-RELEASE         amd64
11.0-CURRENT r286208 amd64
Comment 14 Baptiste Daroussin freebsd_committer freebsd_triage 2015-08-16 06:39:46 UTC
Please do not address the warnings.

Otherwise ok with me, thanks!
Comment 15 commit-hook freebsd_committer freebsd_triage 2015-08-17 13:51:56 UTC
A commit references this bug:

Author: junovitch
Date: Mon Aug 17 13:51:24 UTC 2015
New revision: 394505
URL: https://svnweb.freebsd.org/changeset/ports/394505

Log:
  Document two QEMU related xen-tools security advisories

  PR:		201931
  Security:	CVE-2015-5166
  Security:	ee99899d-4347-11e5-93ad-002590263bf5
  Security:	CVE-2015-5165
  Security:	f06f20dc-4347-11e5-93ad-002590263bf5
  Approved by:	feld (mentor)

Changes:
  head/security/vuxml/vuln.xml
Comment 16 commit-hook freebsd_committer freebsd_triage 2015-08-17 13:55:58 UTC
A commit references this bug:

Author: junovitch
Date: Mon Aug 17 13:55:10 UTC 2015
New revision: 394506
URL: https://svnweb.freebsd.org/changeset/ports/394506

Log:
  sysutils/xen-tools: Update to 4.5.1 and apply XSA-139/XSA-140 patches

  - Update to 4.5.1
  - Remove XSA-117 to XSA-136 and elf_parse_bsdsyms patches now part of 4.5.1
  - Leave XSA-135 QEMU traditional patches due an oversight in 4.5.1
  - Apply patches for XSA-139/XSA-140
  - Set USE_LDCONFIG, sort USES, use ${PATCH}, and reorder Makefile (portlint)

  PR:		201931
  Security:	CVE-2015-5166
  Security:	ee99899d-4347-11e5-93ad-002590263bf5
  Security:	CVE-2015-5165
  Security:	f06f20dc-4347-11e5-93ad-002590263bf5
  Approved by:	bapt (maintainer), feld (mentor)
  MFH:		2015Q3

Changes:
  head/sysutils/xen-tools/Makefile
  head/sysutils/xen-tools/distinfo
  head/sysutils/xen-tools/files/0001-libelf-fix-elf_parse_bsdsyms-call.patch
  head/sysutils/xen-tools/files/xsa119-unstable.patch
  head/sysutils/xen-tools/files/xsa125.patch
  head/sysutils/xen-tools/files/xsa126-qemut.patch
  head/sysutils/xen-tools/files/xsa126-qemuu.patch
  head/sysutils/xen-tools/files/xsa128-qemut.patch
  head/sysutils/xen-tools/files/xsa128-qemuu.patch
  head/sysutils/xen-tools/files/xsa129-qemut.patch
  head/sysutils/xen-tools/files/xsa129-qemuu.patch
  head/sysutils/xen-tools/files/xsa130-qemut.patch
  head/sysutils/xen-tools/files/xsa130-qemuu.patch
  head/sysutils/xen-tools/files/xsa131-qemut-1.patch
  head/sysutils/xen-tools/files/xsa131-qemut-2.patch
  head/sysutils/xen-tools/files/xsa131-qemut-3.patch
  head/sysutils/xen-tools/files/xsa131-qemut-4.patch
  head/sysutils/xen-tools/files/xsa131-qemut-5.patch
  head/sysutils/xen-tools/files/xsa131-qemut-6.patch
  head/sysutils/xen-tools/files/xsa131-qemut-7.patch
  head/sysutils/xen-tools/files/xsa131-qemut-8.patch
  head/sysutils/xen-tools/files/xsa131-qemuu-1.patch
  head/sysutils/xen-tools/files/xsa131-qemuu-2.patch
  head/sysutils/xen-tools/files/xsa131-qemuu-3.patch
  head/sysutils/xen-tools/files/xsa131-qemuu-4.patch
  head/sysutils/xen-tools/files/xsa131-qemuu-5.patch
  head/sysutils/xen-tools/files/xsa131-qemuu-6.patch
  head/sysutils/xen-tools/files/xsa131-qemuu-7.patch
  head/sysutils/xen-tools/files/xsa131-qemuu-8.patch
  head/sysutils/xen-tools/files/xsa133-qemut.patch
  head/sysutils/xen-tools/files/xsa133-qemuu.patch
  head/sysutils/xen-tools/files/xsa135-qemuu-4.5-1.patch
  head/sysutils/xen-tools/files/xsa135-qemuu-4.5-2.patch
  head/sysutils/xen-tools/files/xsa139-qemuu-4.5.patch
  head/sysutils/xen-tools/files/xsa140-qemuu-unstable-1.patch
  head/sysutils/xen-tools/files/xsa140-qemuu-unstable-2.patch
  head/sysutils/xen-tools/files/xsa140-qemuu-unstable-3.patch
  head/sysutils/xen-tools/files/xsa140-qemuu-unstable-4.patch
  head/sysutils/xen-tools/files/xsa140-qemuu-unstable-5.patch
  head/sysutils/xen-tools/files/xsa140-qemuu-unstable-6.patch
  head/sysutils/xen-tools/files/xsa140-qemuu-unstable-7.patch
  head/sysutils/xen-tools/pkg-plist
Comment 17 commit-hook freebsd_committer freebsd_triage 2015-08-17 15:17:10 UTC
A commit references this bug:

Author: junovitch
Date: Mon Aug 17 15:16:51 UTC 2015
New revision: 394516
URL: https://svnweb.freebsd.org/changeset/ports/394516

Log:
  MFH: r393514

  Fix XSA-138 / CVE-2015-5154

  PR:		201931
  Security:	CVE-2015-5154
  Security:	da451130-365d-11e5-a4a5-002590263bf5
  Approved by:	ports-secteam (delphij,feld), delphij,feld (mentor)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/sysutils/xen-tools/Makefile
  branches/2015Q3/sysutils/xen-tools/files/xsa138-qemut-1.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa138-qemut-2.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa138-qemuu-1.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa138-qemuu-2.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa138-qemuu-3.patch
Comment 18 commit-hook freebsd_committer freebsd_triage 2015-08-17 15:19:11 UTC
A commit references this bug:

Author: junovitch
Date: Mon Aug 17 15:18:15 UTC 2015
New revision: 394517
URL: https://svnweb.freebsd.org/changeset/ports/394517

Log:
  MFH: r394506

  sysutils/xen-tools: Update to 4.5.1 and apply XSA-139/XSA-140 patches

  - Update to 4.5.1
  - Remove XSA-117 to XSA-136 and elf_parse_bsdsyms patches now part of 4.5.1
  - Leave XSA-135 QEMU traditional patches due an oversight in 4.5.1
  - Apply patches for XSA-139/XSA-140
  - Set USE_LDCONFIG, sort USES, use ${PATCH}, and reorder Makefile (portlint)

  PR:		201931
  Security:	CVE-2015-5166
  Security:	ee99899d-4347-11e5-93ad-002590263bf5
  Security:	CVE-2015-5165
  Security:	f06f20dc-4347-11e5-93ad-002590263bf5
  Approved by:	bapt (maintainer), feld (mentor)
  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/sysutils/xen-tools/Makefile
  branches/2015Q3/sysutils/xen-tools/distinfo
  branches/2015Q3/sysutils/xen-tools/files/0001-libelf-fix-elf_parse_bsdsyms-call.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa119-unstable.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa125.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa126-qemut.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa126-qemuu.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa128-qemut.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa128-qemuu.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa129-qemut.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa129-qemuu.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa130-qemut.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa130-qemuu.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-1.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-2.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-3.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-4.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-5.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-6.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-7.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-8.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-1.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-2.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-3.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-4.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-5.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-6.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-7.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-8.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa133-qemut.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa133-qemuu.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa135-qemuu-4.5-1.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa135-qemuu-4.5-2.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa139-qemuu-4.5.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa140-qemuu-unstable-1.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa140-qemuu-unstable-2.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa140-qemuu-unstable-3.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa140-qemuu-unstable-4.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa140-qemuu-unstable-5.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa140-qemuu-unstable-6.patch
  branches/2015Q3/sysutils/xen-tools/files/xsa140-qemuu-unstable-7.patch
  branches/2015Q3/sysutils/xen-tools/pkg-plist
Comment 19 Jason Unovitch freebsd_committer freebsd_triage 2015-08-18 00:03:22 UTC
Closing this PR as everything for xen-tools has been completed.

(In reply to Xin LI from comment #7)
I opened bug 202402 to handle the emulators/qemu-devel and emulators/qemu-sbruno updates.