Summary: | sysutils/xen-tools: multiple vulnerabilities (CVE-2015-5154, CVE-2015-5166, CVE-2015-5165) | ||
---|---|---|---|
Product: | Ports & Packages | Reporter: | Jason Unovitch <junovitch> |
Component: | Individual Port(s) | Assignee: | Baptiste Daroussin <bapt> |
Status: | Closed FIXED | ||
Severity: | Affects Some People | CC: | delphij, feld, junovitch, pgollucci, sbruno |
Priority: | --- | Keywords: | security |
Version: | Latest | Flags: | bugzilla: maintainer-feedback? (bapt) |
Hardware: | Any | ||
OS: | Any | ||
Attachments: |
Description
Jason Unovitch
2015-07-28 00:48:18 UTC
Created attachment 159378 [details]
Fix XSA-138 / CVE-2015-5154
Fix XSA-138 / CVE-2015-5154
PR: 201931
Security: CVE-2015-5154
Security: da451130-365d-11e5-a4a5-002590263bf5
MFH: 2015Q3

Created attachment 159379 [details]
security/vuxml for XSA-138 / CVE-2015-5154

Log:
Document xen-tools QEMU heap overflow flaw with certain ATAPI commands

PR: 201931
Security: CVE-2015-5154
Security: da451130-365d-11e5-a4a5-002590263bf5

Validation:

> make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit xen-tools-4.5.0_8
xen-tools-4.5.0_8 is vulnerable:
xen-tools -- QEMU heap overflow flaw with certain ATAPI commands
CVE: CVE-2015-5154
WWW: https://vuxml.FreeBSD.org/freebsd/da451130-365d-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit xen-tools-4.5.0_9
0 problem(s) in the installed packages found.

Created attachment 159380 [details]
Poudriere testport from HEAD jail

Bapt,

Patches and logs attached to address XSA-138/CVE-2015-5154 which was announced on Monday. I'm not a Xen user so I've only addressed at build time and not run time. Hopefully this helps out.

I've marked it for MFH to 2015Q3 as it's for security but I'll note r391737 from earlier this month still needs an MFH to 2015Q3 as well.

I've CC'd my mentors for their awareness but on this one I'm mainly just looking to help do my part in getting the word around and helping us respond to announced security issues.

Two additional QEMU related advisories were announced today:
http://xenbits.xen.org/xsa/advisory-139.html
http://xenbits.xen.org/xsa/advisory-140.html

(In reply to Jason Unovitch from comment #2)
This is mentor approved (note that you need to bump the entry time to the day you make the commit).

Adding sbruno as I think qemu-* is also affected?

A commit references this bug:

Author: junovitch
Date: Tue Aug 4 10:50:22 UTC 2015
New revision: 393514
URL: https://svnweb.freebsd.org/changeset/ports/393514

Log:
Fix XSA-138 / CVE-2015-5154

PR: 201931
Security: CVE-2015-5154
Security: da451130-365d-11e5-a4a5-002590263bf5
Approved by: ports-secteam (delphij), delphij (mentor)
MFH: 2015Q3

Changes:
head/sysutils/xen-tools/Makefile
head/sysutils/xen-tools/files/xsa138-qemut-1.patch
head/sysutils/xen-tools/files/xsa138-qemut-2.patch
head/sysutils/xen-tools/files/xsa138-qemuu-1.patch
head/sysutils/xen-tools/files/xsa138-qemuu-2.patch
head/sysutils/xen-tools/files/xsa138-qemuu-3.patch

A commit references this bug:

Author: junovitch
Date: Tue Aug 4 10:56:25 UTC 2015
New revision: 393515
URL: https://svnweb.freebsd.org/changeset/ports/393515

Log:
Document xen-tools QEMU heap overflow flaw with certain ATAPI commands

PR: 201931
Security: CVE-2015-5154
Security: da451130-365d-11e5-a4a5-002590263bf5
Approved by: delphij (mentor)

Changes:
head/security/vuxml/vuln.xml

(In reply to Xin LI from comment #6)
Done for XSA-138. Pending review/testing of the newest XSA-139 and XSA-140. More to come when that is done.

Created attachment 159894 [details]
security/vuxml for XSA-139/XSA-140 (CVE-2015-5166 / CVE-2015-5165)

Document two QEMU related xen-tools security advisories

PR: 201931
Security: CVE-2015-5166
Security: ee99899d-4347-11e5-93ad-002590263bf5
Security: CVE-2015-5165
Security: f06f20dc-4347-11e5-93ad-002590263bf5

Validation:

% make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit xen-tools-4.5.0_9
xen-tools-4.5.0_9 is vulnerable:
xen-tools -- QEMU leak of uninitialized heap memory in rtl8139 device model
CVE: CVE-2015-5165
WWW: https://vuxml.FreeBSD.org/freebsd/f06f20dc-4347-11e5-93ad-002590263bf5.html

xen-tools-4.5.0_9 is vulnerable:
xen-tools -- use after free in QEMU/Xen block unplug protocol
CVE: CVE-2015-5166
WWW: https://vuxml.FreeBSD.org/freebsd/ee99899d-4347-11e5-93ad-002590263bf5.html

1 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit xen-tools-4.5.1
0 problem(s) in the installed packages found.

Created attachment 159897 [details]
sysutils/xen-tools: Update to 4.5.1 and apply XSA-139/XSA-140 patches

First draft for a fix. 4.5.1 doesn't include the XSA-139/XSA-140 fix, but take the opportunity to update it and clean up while we're here.

Log:
sysutils/xen-tools: Update to 4.5.1 and apply XSA-139/XSA-140 patches

- Update to 4.5.1
- Remove XSA-117 to XSA-136 and elf_parse_bsdsyms patches now part of 4.5.1
- Leave XSA-135 QEMU traditional patches due an oversight in 4.5.1
- Apply patches for XSA-139/XSA-140
- Set USE_LDCONFIG, sort USES, use ${PATCH}, and reorder Makefile (portlint)

PR: 201931
Security: CVE-2015-5166
Security: ee99899d-4347-11e5-93ad-002590263bf5
Security: CVE-2015-5165
Security: f06f20dc-4347-11e5-93ad-002590263bf5
MFH: 2015Q3

Details:

Comments from http://xenproject.org/downloads/xen-archives/xen-45-series/xen-451.html

"This release also contains the security fixes for XSA-117 to XSA-136, with the exception of XSA-124 which documents security risks of non-standard PCI device functionality that cannot be addressed in software. It also includes an update to XSA-98 and XSA-59. Note that the fix for the qemu portion of XSA-135 has not been applied to qemu-traditional due to an oversight."

Portlint before:

WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [122]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [126]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [130]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [134]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [138]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [139]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [142]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: /usr/ports/sysutils/xen-tools/pkg-plist: [146]: installing shared libraries, please define USE_LDCONFIG as appropriate
WARN: Makefile: [66]: IGNORE messages should begin with a lowercase letter and end without a period.
WARN: Makefile: [32]: the options to USES are not sorted. Please consider sorting them.
WARN: Makefile: [0]: possible direct use of command "patch" found. use ${PATCH} instead.
WARN: Makefile: [0]: possible direct use of command "patch" found. use ${PATCH} instead.
FATAL: Makefile: PORTVERSION appears out-of-order.
FATAL: Makefile: order must be PORTNAME/PORTVERSION/DISTVERSIONPREFIX/DISTVERSION/DISTVERSIONSUFFIX/PORTREVISION/PORTEPOCH/CATEGORIES/MASTER_SITES/MASTER_SITE_SUBDIR/PROJECTHOST/PKGNAMEPREFIX/PKGNAMESUFFIX/DISTNAME/EXTRACT_SUFX/DISTFILES/DIST_SUBDIR/EXTRACT_ONLY.
WARN: Makefile: "LIB_DEPENDS" has to appear earlier.
WARN: Makefile: "BUILD_DEPENDS" has to appear earlier.
2 fatal errors and 14 warnings found.

Portlint after:

looks fine.

Created attachment 159898 [details]
Poudriere testport log from HEAD jail
Poudriere:
Do we want to address the STRIP_CMD QA comment for this port?
This is not supported on i386, so the range in Poudriere this was built on follows:
9.3-RELEASE-p21 amd64
10.1-RELEASE-p16 amd64
10.2-RELEASE amd64
11.0-CURRENT r286208 amd64

Please do not address the warnings. Otherwise ok with me, thanks!

A commit references this bug:

Author: junovitch
Date: Mon Aug 17 13:51:24 UTC 2015
New revision: 394505
URL: https://svnweb.freebsd.org/changeset/ports/394505

Log:
Document two QEMU related xen-tools security advisories

PR: 201931
Security: CVE-2015-5166
Security: ee99899d-4347-11e5-93ad-002590263bf5
Security: CVE-2015-5165
Security: f06f20dc-4347-11e5-93ad-002590263bf5
Approved by: feld (mentor)

Changes:
head/security/vuxml/vuln.xml

A commit references this bug:

Author: junovitch
Date: Mon Aug 17 13:55:10 UTC 2015
New revision: 394506
URL: https://svnweb.freebsd.org/changeset/ports/394506

Log:
sysutils/xen-tools: Update to 4.5.1 and apply XSA-139/XSA-140 patches

- Update to 4.5.1
- Remove XSA-117 to XSA-136 and elf_parse_bsdsyms patches now part of 4.5.1
- Leave XSA-135 QEMU traditional patches due an oversight in 4.5.1
- Apply patches for XSA-139/XSA-140
- Set USE_LDCONFIG, sort USES, use ${PATCH}, and reorder Makefile (portlint)

PR: 201931
Security: CVE-2015-5166
Security: ee99899d-4347-11e5-93ad-002590263bf5
Security: CVE-2015-5165
Security: f06f20dc-4347-11e5-93ad-002590263bf5
Approved by: bapt (maintainer), feld (mentor)
MFH: 2015Q3

Changes:
head/sysutils/xen-tools/Makefile
head/sysutils/xen-tools/distinfo
head/sysutils/xen-tools/files/0001-libelf-fix-elf_parse_bsdsyms-call.patch
head/sysutils/xen-tools/files/xsa119-unstable.patch
head/sysutils/xen-tools/files/xsa125.patch
head/sysutils/xen-tools/files/xsa126-qemut.patch
head/sysutils/xen-tools/files/xsa126-qemuu.patch
head/sysutils/xen-tools/files/xsa128-qemut.patch
head/sysutils/xen-tools/files/xsa128-qemuu.patch
head/sysutils/xen-tools/files/xsa129-qemut.patch
head/sysutils/xen-tools/files/xsa129-qemuu.patch
head/sysutils/xen-tools/files/xsa130-qemut.patch
head/sysutils/xen-tools/files/xsa130-qemuu.patch
head/sysutils/xen-tools/files/xsa131-qemut-1.patch
head/sysutils/xen-tools/files/xsa131-qemut-2.patch
head/sysutils/xen-tools/files/xsa131-qemut-3.patch
head/sysutils/xen-tools/files/xsa131-qemut-4.patch
head/sysutils/xen-tools/files/xsa131-qemut-5.patch
head/sysutils/xen-tools/files/xsa131-qemut-6.patch
head/sysutils/xen-tools/files/xsa131-qemut-7.patch
head/sysutils/xen-tools/files/xsa131-qemut-8.patch
head/sysutils/xen-tools/files/xsa131-qemuu-1.patch
head/sysutils/xen-tools/files/xsa131-qemuu-2.patch
head/sysutils/xen-tools/files/xsa131-qemuu-3.patch
head/sysutils/xen-tools/files/xsa131-qemuu-4.patch
head/sysutils/xen-tools/files/xsa131-qemuu-5.patch
head/sysutils/xen-tools/files/xsa131-qemuu-6.patch
head/sysutils/xen-tools/files/xsa131-qemuu-7.patch
head/sysutils/xen-tools/files/xsa131-qemuu-8.patch
head/sysutils/xen-tools/files/xsa133-qemut.patch
head/sysutils/xen-tools/files/xsa133-qemuu.patch
head/sysutils/xen-tools/files/xsa135-qemuu-4.5-1.patch
head/sysutils/xen-tools/files/xsa135-qemuu-4.5-2.patch
head/sysutils/xen-tools/files/xsa139-qemuu-4.5.patch
head/sysutils/xen-tools/files/xsa140-qemuu-unstable-1.patch
head/sysutils/xen-tools/files/xsa140-qemuu-unstable-2.patch
head/sysutils/xen-tools/files/xsa140-qemuu-unstable-3.patch
head/sysutils/xen-tools/files/xsa140-qemuu-unstable-4.patch
head/sysutils/xen-tools/files/xsa140-qemuu-unstable-5.patch
head/sysutils/xen-tools/files/xsa140-qemuu-unstable-6.patch
head/sysutils/xen-tools/files/xsa140-qemuu-unstable-7.patch
head/sysutils/xen-tools/pkg-plist

A commit references this bug:

Author: junovitch
Date: Mon Aug 17 15:16:51 UTC 2015
New revision: 394516
URL: https://svnweb.freebsd.org/changeset/ports/394516

Log:
MFH: r393514

Fix XSA-138 / CVE-2015-5154

PR: 201931
Security: CVE-2015-5154
Security: da451130-365d-11e5-a4a5-002590263bf5
Approved by: ports-secteam (delphij,feld), delphij,feld (mentor)

Changes:
_U branches/2015Q3/
branches/2015Q3/sysutils/xen-tools/Makefile
branches/2015Q3/sysutils/xen-tools/files/xsa138-qemut-1.patch
branches/2015Q3/sysutils/xen-tools/files/xsa138-qemut-2.patch
branches/2015Q3/sysutils/xen-tools/files/xsa138-qemuu-1.patch
branches/2015Q3/sysutils/xen-tools/files/xsa138-qemuu-2.patch
branches/2015Q3/sysutils/xen-tools/files/xsa138-qemuu-3.patch

A commit references this bug:

Author: junovitch
Date: Mon Aug 17 15:18:15 UTC 2015
New revision: 394517
URL: https://svnweb.freebsd.org/changeset/ports/394517

Log:
MFH: r394506

sysutils/xen-tools: Update to 4.5.1 and apply XSA-139/XSA-140 patches

- Update to 4.5.1
- Remove XSA-117 to XSA-136 and elf_parse_bsdsyms patches now part of 4.5.1
- Leave XSA-135 QEMU traditional patches due an oversight in 4.5.1
- Apply patches for XSA-139/XSA-140
- Set USE_LDCONFIG, sort USES, use ${PATCH}, and reorder Makefile (portlint)

PR: 201931
Security: CVE-2015-5166
Security: ee99899d-4347-11e5-93ad-002590263bf5
Security: CVE-2015-5165
Security: f06f20dc-4347-11e5-93ad-002590263bf5
Approved by: bapt (maintainer), feld (mentor)
Approved by: ports-secteam (feld)

Changes:
_U branches/2015Q3/
branches/2015Q3/sysutils/xen-tools/Makefile
branches/2015Q3/sysutils/xen-tools/distinfo
branches/2015Q3/sysutils/xen-tools/files/0001-libelf-fix-elf_parse_bsdsyms-call.patch
branches/2015Q3/sysutils/xen-tools/files/xsa119-unstable.patch
branches/2015Q3/sysutils/xen-tools/files/xsa125.patch
branches/2015Q3/sysutils/xen-tools/files/xsa126-qemut.patch
branches/2015Q3/sysutils/xen-tools/files/xsa126-qemuu.patch
branches/2015Q3/sysutils/xen-tools/files/xsa128-qemut.patch
branches/2015Q3/sysutils/xen-tools/files/xsa128-qemuu.patch
branches/2015Q3/sysutils/xen-tools/files/xsa129-qemut.patch
branches/2015Q3/sysutils/xen-tools/files/xsa129-qemuu.patch
branches/2015Q3/sysutils/xen-tools/files/xsa130-qemut.patch
branches/2015Q3/sysutils/xen-tools/files/xsa130-qemuu.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-1.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-2.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-3.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-4.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-5.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-6.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-7.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemut-8.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-1.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-2.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-3.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-4.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-5.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-6.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-7.patch
branches/2015Q3/sysutils/xen-tools/files/xsa131-qemuu-8.patch
branches/2015Q3/sysutils/xen-tools/files/xsa133-qemut.patch
branches/2015Q3/sysutils/xen-tools/files/xsa133-qemuu.patch
branches/2015Q3/sysutils/xen-tools/files/xsa135-qemuu-4.5-1.patch
branches/2015Q3/sysutils/xen-tools/files/xsa135-qemuu-4.5-2.patch
branches/2015Q3/sysutils/xen-tools/files/xsa139-qemuu-4.5.patch
branches/2015Q3/sysutils/xen-tools/files/xsa140-qemuu-unstable-1.patch
branches/2015Q3/sysutils/xen-tools/files/xsa140-qemuu-unstable-2.patch
branches/2015Q3/sysutils/xen-tools/files/xsa140-qemuu-unstable-3.patch
branches/2015Q3/sysutils/xen-tools/files/xsa140-qemuu-unstable-4.patch
branches/2015Q3/sysutils/xen-tools/files/xsa140-qemuu-unstable-5.patch
branches/2015Q3/sysutils/xen-tools/files/xsa140-qemuu-unstable-6.patch
branches/2015Q3/sysutils/xen-tools/files/xsa140-qemuu-unstable-7.patch
branches/2015Q3/sysutils/xen-tools/pkg-plist

Closing this PR as everything for xen-tools has been completed.

(In reply to Xin LI from comment #7)
I opened bug 202402 to handle the emulators/qemu-devel and emulators/qemu-sbruno updates.