author | drochner <drochner@pkgsrc.org> | 2013-11-29 19:29:58 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2013-11-29 19:29:58 +0000 |
commit | 0067753b2f68460a832964ffcb5d6da752415edf (patch) | |
tree | e97ff666dd70318d723295db572585cc6e66da4a /sysutils/xenkernel41 | |
parent | a227c9ac8d07e12c41b8fe6260e0b15f70c36242 (diff) | |
download | pkgsrc-0067753b2f68460a832964ffcb5d6da752415edf.tar.gz |
add patches from upstream to fix two security problems:
-another lock inversion
-privilege escalation (not exploitable in standard setups)
bump PKGREV
Diffstat (limited to 'sysutils/xenkernel41')
-rw-r--r-- | sysutils/xenkernel41/Makefile | 4 | ||||
-rw-r--r-- | sysutils/xenkernel41/distinfo | 5 | ||||
-rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 | 16 | ||||
-rw-r--r-- | sysutils/xenkernel41/patches/patch-CVE-2013-4553 | 33 |
4 files changed, 52 insertions, 6 deletions
diff --git a/sysutils/xenkernel41/Makefile b/sysutils/xenkernel41/Makefile
index 59219cd8fa3..ec1e0298372 100644
--- a/sysutils/xenkernel41/Makefile
+++ b/sysutils/xenkernel41/Makefile
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.28 2013/11/23 14:04:59 drochner Exp $
+# $NetBSD: Makefile,v 1.29 2013/11/29 19:29:58 drochner Exp $
 #
 VERSION= 4.1.6.1
 DISTNAME= xen-${VERSION}
 PKGNAME= xenkernel41-${VERSION}
-PKGREVISION= 3
+PKGREVISION= 4
 CATEGORIES= sysutils
 MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xenkernel41/distinfo b/sysutils/xenkernel41/distinfo
index c494318d881..b28c110bce6 100644
--- a/sysutils/xenkernel41/distinfo
+++ b/sysutils/xenkernel41/distinfo
@@ -1,16 +1,17 @@
-$NetBSD: distinfo,v 1.22 2013/11/23 14:04:59 drochner Exp $
+$NetBSD: distinfo,v 1.23 2013/11/29 19:29:58 drochner Exp $
 SHA1 (xen-4.1.6.1.tar.gz) = e5f15feb0821578817a65ede16110c6eac01abd0
 RMD160 (xen-4.1.6.1.tar.gz) = bff11421fc44a26f2cc3156713267abcb36d7a19
 Size (xen-4.1.6.1.tar.gz) = 10428485 bytes
 SHA1 (patch-CVE-2013-1442) = 7aa43513ea7cddc50b4e6802412cfc2903cce8e1
-SHA1 (patch-CVE-2013-4355_1) = 88cc2e7bf0993b2878a864e8b28ed989f8eeef3a
+SHA1 (patch-CVE-2013-4355_1) = a28e4fc0cbe5409a759e689ff1af82792f560a39
 SHA1 (patch-CVE-2013-4355_2) = 70fd2f2e45a05a53d8ce7d0bd72b18165dd13509
 SHA1 (patch-CVE-2013-4355_3) = 93f7bf877945e585fb906dbfc8159e688813c12f
 SHA1 (patch-CVE-2013-4355_4) = 88f478997d2631ec41adfd42a9d79f2d87bb44d8
 SHA1 (patch-CVE-2013-4361) = b9074af976ba98c02aeb84288a10527bf7693241
 SHA1 (patch-CVE-2013-4368) = 77caf392b472e5586eb2fa6a37d173cd856f6f15
 SHA1 (patch-CVE-2013-4494) = d74dfc898d1128f3c205bd178c8cf663935711e3
+SHA1 (patch-CVE-2013-4553) = 6708dcef1737b119a3fcf2e3414c22c115cbacc1
 SHA1 (patch-Config.mk) = a43ed1b3304d6383dc093acd128a7f373d0ca266
 SHA1 (patch-xen_Makefile) = d1c7e4860221f93d90818f45a77748882486f92b
 SHA1 (patch-xen_arch_x86_Rules.mk) = 6b9b4bfa28924f7d3f6c793a389f1a7ac9d228e2
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1 b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1
index 7d1bb208e2e..0de188f8dff 100644
--- a/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4355_1
@@ -1,9 +1,12 @@
-$NetBSD: patch-CVE-2013-4355_1,v 1.1 2013/10/01 14:54:44 drochner Exp $
+$NetBSD
 http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html
+also fixes
+http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03827.html
+(CVE-2013-4554)
 --- xen/arch/x86/hvm/hvm.c.orig 2013-09-10 06:42:18.000000000 +0000
-+++ xen/arch/x86/hvm/hvm.c 2013-09-30 15:23:07.000000000 +0000
++++ xen/arch/x86/hvm/hvm.c 2013-11-29 15:12:29.000000000 +0000
 @@ -1961,11 +1961,7 @@ void hvm_task_switch(
 rc = hvm_copy_from_guest_virt(
@@ -36,3 +39,12 @@ http://lists.xenproject.org/archives/html/xen-devel/2013-09/msg03160.html
 goto out;
+@@ -2834,7 +2828,7 @@ int hvm_do_hypercall(struct cpu_user_reg
+ case 4:
+ case 2:
+ hvm_get_segment_register(curr, x86_seg_ss, &sreg);
+- if ( unlikely(sreg.attr.fields.dpl == 3) )
++ if ( unlikely(sreg.attr.fields.dpl) )
+ {
+ default:
+ regs->eax = -EPERM;
diff --git a/sysutils/xenkernel41/patches/patch-CVE-2013-4553 b/sysutils/xenkernel41/patches/patch-CVE-2013-4553
new file mode 100644
index 00000000000..d0bc8108ec5
--- /dev/null
+++ b/sysutils/xenkernel41/patches/patch-CVE-2013-4553
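Review bot: In patch-CVE-2013-4355_1, the added header text is the only record that this file now also carries the CVE-2013-4554 fix, and it does not say which inner hunk that is; the file name and its distinfo entry still name only CVE-2013-4355. I would extend the header to something like `(CVE-2013-4554): hvm_do_hypercall() hunk, SS.DPL check changed from "== 3" to non-zero`, so that an audit of the patches directory can map the advisory to the changed line. The replaced first line also reads `$NetBSD` where the old one was a full `$NetBSD: ... $` keyword, which looks like a malformed RCS tag, although that may be an artefact of how this page was rendered. The hvm_do_hypercall() switch starts and ends outside the inner hunk, so the handling of the other mode cases cannot be checked from here.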
@@ -0,0 +1,33 @@
+$NetBSD: patch-CVE-2013-4553,v 1.1 2013/11/29 19:29:58 drochner Exp $
+
+http://lists.xenproject.org/archives/html/xen-devel/2013-11/msg03828.html
+
+--- xen/arch/x86/domctl.c.orig 2013-09-10 06:42:18.000000000 +0000
++++ xen/arch/x86/domctl.c 2013-11-29 15:19:13.000000000 +0000
+@@ -383,6 +383,26 @@ long arch_do_domctl(
+ break;
+ }
+
++ /*
++ * XSA-74: This sub-hypercall is broken in several ways:
++ * - lock order inversion (p2m locks inside page_alloc_lock)
++ * - no preemption on huge max_pfns input
++ * - not (re-)checking d->is_dying with page_alloc_lock held
++ * - not honoring start_pfn input (which libxc also doesn't set)
++ * Additionally it is rather useless, as the result is stale by
++ * the time the caller gets to look at it.
++ * As it only has a single, non-production consumer (xen-mceinj),
++ * rather than trying to fix it we restrict it for the time being.
++ */
++ if ( /* No nested locks inside copy_to_guest_offset(). */
++ paging_mode_external(current->domain) ||
++ /* Arbitrary limit capping processing time. */
++ max_pfns > GB(4) / PAGE_SIZE )
++ {
++ ret = -EOPNOTSUPP;
++ break;
++ }
++
+ spin_lock(&d->page_alloc_lock);
+
+ if ( unlikely(d->is_dying) ) {
 |
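Review bot: The new `-EOPNOTSUPP` exit in arch_do_domctl() leaves the case with a bare `break`, and nothing in the hunk shows whether a reference or RCU read lock on `d` was taken earlier in this case. The existing error exit just above also ends in `break; }`, but the lines before it are outside the three lines of context; if that path releases `d` first, the new one must do the same, for example `rcu_unlock_domain(d);` before `break;`, assuming that is how `d` is obtained in this Xen version. It is worth comparing against the 4.1 source after applying the patch, because the linked posting may target a tree where the caller handles that release. The function body starts and ends outside the hunk.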