author | 2014-02-07 08:21:21 +0000 | |
---|---|---|
committer | 2014-02-07 08:21:21 +0000 | |
commit | 17d96505ca9f0fb87cd0cd4fca4548a6e3aace4c (patch) | |
tree | 79516710d91e9ab4167d3120313bc8c9ee4b2f48 /app-emulation/xen | |
parent | Version bump. (diff) | |
download | gentoo-2-17d96505ca9f0fb87cd0cd4fca4548a6e3aace4c.tar.gz gentoo-2-17d96505ca9f0fb87cd0cd4fca4548a6e3aace4c.tar.bz2 gentoo-2-17d96505ca9f0fb87cd0cd4fca4548a6e3aace4c.zip |
revbumps; Sec patches XSA 84, 85 added wrt Sec. Bugs #500536, 500528, rm old
(Portage version: 2.2.8/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D)
Diffstat (limited to 'app-emulation/xen')
-rw-r--r-- | app-emulation/xen/ChangeLog | 10 | ||||
-rw-r--r-- | app-emulation/xen/files/xen-4.3-CVE-2014-263-XSA-84-85.patch | 188 | ||||
-rw-r--r-- | app-emulation/xen/xen-4.2.2-r4.ebuild (renamed from app-emulation/xen/xen-4.2.2-r3.ebuild) | 7 | ||||
-rw-r--r-- | app-emulation/xen/xen-4.3.1-r5.ebuild (renamed from app-emulation/xen/xen-4.3.1-r4.ebuild) | 7 |
4 files changed, 205 insertions, 7 deletions
diff --git a/app-emulation/xen/ChangeLog b/app-emulation/xen/ChangeLog
index 7e314c0b9375..01a1a9ac25a7 100644
--- a/app-emulation/xen/ChangeLog
+++ b/app-emulation/xen/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for app-emulation/xen
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.145 2014/01/24 15:37:31 dlan Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.146 2014/02/07 08:21:21 idella4 Exp $
+
+*xen-4.3.1-r5 (07 Feb 2014)
+*xen-4.2.2-r4 (07 Feb 2014)
+
+ 07 Feb 2014; Ian Delaney <idella4@gentoo.org>
+ +files/xen-4.3-CVE-2014-263-XSA-84-85.patch, +xen-4.2.2-r4.ebuild,
+ +xen-4.3.1-r5.ebuild, -xen-4.2.2-r3.ebuild, -xen-4.3.1-r4.ebuild:
+ revbumps; Sec patches XSA 84, 85 added wrt Sec. Bugs #500536, 500528, rm old
 24 Jan 2014; Yixun Lan <dlan@gentoo.org> -xen-4.2.2-r2.ebuild, -xen-4.3.0-r5.ebuild, -xen-4.3.0-r6.ebuild, -xen-4.3.1-r2.ebuild,
diff --git a/app-emulation/xen/files/xen-4.3-CVE-2014-263-XSA-84-85.patch b/app-emulation/xen/files/xen-4.3-CVE-2014-263-XSA-84-85.patch
new file mode 100644
index 000000000000..3c44c353c9fc
--- /dev/null
+++ b/app-emulation/xen/files/xen-4.3-CVE-2014-263-XSA-84-85.patch
@@ -0,0 +1,188 @@
+From: Xen.org security team <security () xen org>
+Date: Thu, 06 Feb 2014 14:18:48 +0000
+
+flask: fix reading strings from guest memory
+
+Since the string size is being specified by the guest, we must range
+check it properly before doing allocations based on it. While for the
+two cases that are exposed only to trusted guests (via policy
+restriction) this just uses an arbitrary upper limit (PAGE_SIZE), for
+the FLASK_[GS]ETBOOL case (which any guest can use) the upper limit
+gets enforced based on the longest name across all boolean settings.
+
+This is XSA-84.
+
+Reported-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
+===================================================================
+From: Xen.org security team <security () xen org>
+Date: Thu, 06 Feb 2014 12:38:51 +0000
+
+From 593bc8c63d582ec0fc2b3a35336106cf9c3a8b34 Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Sun, 12 Jan 2014 14:29:32 +1300
+Subject: [PATCH] xsm/flask: correct off-by-one in
+ flask_security_avc_cachestats cpu id check
+
+This is XSA-85
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ xen/xsm/flask/flask_op.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c
+index 4426ab9..22878f5 100644
+--- a/xen/xsm/flask/flask_op.c
++++ b/xen/xsm/flask/flask_op.c
+@@ -53,6 +53,7 @@ static DEFINE_SPINLOCK(sel_sem);
+ /* global data for booleans */
+ static int bool_num = 0;
+ static int *bool_pending_values = NULL;
++static size_t bool_maxstr;
+ static int flask_security_make_bools(void);
+
+ extern int ss_initialized;
+@@ -71,9 +72,15 @@ static int domain_has_security(struct do
+ perms, NULL);
+ }
+
+-static int flask_copyin_string(XEN_GUEST_HANDLE_PARAM(char) u_buf, char **buf,
uint32_t size)
++static int flask_copyin_string(XEN_GUEST_HANDLE_PARAM(char) u_buf, char **buf,
++ size_t size, size_t max_size)
+ {
+- char *tmp = xmalloc_bytes(size + 1);
++ char *tmp;
++
++ if ( size > max_size )
++ return -ENOENT;
++
++ tmp = xmalloc_array(char, size + 1);
+ if ( !tmp )
+ return -ENOMEM;
+
+@@ -99,7 +106,7 @@ static int flask_security_user(struct xe
+ if ( rv )
+ return rv;
+
+- rv = flask_copyin_string(arg->u.user, &user, arg->size);
++ rv = flask_copyin_string(arg->u.user, &user, arg->size, PAGE_SIZE);
+ if ( rv )
+ return rv;
+
+@@ -210,7 +217,7 @@ static int flask_security_context(struct
+ if ( rv )
+ return rv;
+
+- rv = flask_copyin_string(arg->context, &buf, arg->size);
++ rv = flask_copyin_string(arg->context, &buf, arg->size, PAGE_SIZE);
+ if ( rv )
+ return rv;
+
+@@ -303,7 +310,7 @@ static int flask_security_resolve_bool(s
+ if ( arg->bool_id != -1 )
+ return 0;
+
+- rv = flask_copyin_string(arg->name, &name, arg->size);
++ rv = flask_copyin_string(arg->name, &name, arg->size, bool_maxstr);
+ if ( rv )
+ return rv;
+
+@@ -334,7 +341,7 @@ static int flask_security_set_bool(struc
+ int num;
+ int *values;
+
+- rv = security_get_bools(&num, NULL, &values);
++ rv = security_get_bools(&num, NULL, &values, NULL);
+ if ( rv != 0 )
+ goto out;
+
+@@ -440,7 +447,7 @@ static int flask_security_make_bools(voi
+
+ xfree(bool_pending_values);
+
+- ret = security_get_bools(&num, NULL, &values);
++ ret = security_get_bools(&num, NULL, &values, &bool_maxstr);
+ if ( ret != 0 )
+ goto out;
+
+@@ -457,7 +457,7 @@ static int flask_security_avc_cachestats(struct xen_flask_cache_stats *arg)
+ {
+ struct avc_cache_stats *st;
+
+- if ( arg->cpu > nr_cpu_ids )
++ if ( arg->cpu >= nr_cpu_ids )
+ return -ENOENT;
+ if ( !cpu_online(arg->cpu) )
+ return -ENOENT;
+--
+1.8.5.2
+--- a/xen/xsm/flask/include/conditional.h
++++ b/xen/xsm/flask/include/conditional.h
+@@ -13,7 +13,9 @@
+ #ifndef _FLASK_CONDITIONAL_H_
+ #define _FLASK_CONDITIONAL_H_
+
+-int
security_get_bools(int *len, char ***names, int **values);
++#include <xen/types.h>
++
++int security_get_bools(int *len, char ***names, int **values, size_t *maxstr);
+
+ int security_set_bools(int len, int *values);
+
+--- a/xen/xsm/flask/ss/services.c
++++ b/xen/xsm/flask/ss/services.c
+@@ -1850,7 +1850,7 @@ int security_find_bool(const char *name)
+ return rv;
+ }
+
+-int security_get_bools(int *len, char ***names, int **values)
++int security_get_bools(int *len, char ***names, int **values, size_t *maxstr)
+ {
+ int i, rc = -ENOMEM;
+
+@@ -1858,6 +1858,8 @@ int security_get_bools(int *len, char **
+ if ( names )
+ *names = NULL;
+ *values = NULL;
++ if ( maxstr )
++ *maxstr = 0;
+
+ *len = policydb.p_bools.nprim;
+ if ( !*len )
+@@ -1879,16 +1881,17 @@ int security_get_bools(int *len, char **
+
+ for ( i = 0; i < *len; i++ )
+ {
+- size_t name_len;
++ size_t name_len = strlen(policydb.p_bool_val_to_name[i]);
++
+ (*values)[i] = policydb.bool_val_to_struct[i]->state;
+ if ( names ) {
+- name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
+- (*names)[i] = (char*)xmalloc_array(char, name_len);
++ (*names)[i] = xmalloc_array(char, name_len + 1);
+ if ( !(*names)[i] )
+ goto err;
+- strlcpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
+- (*names)[i][name_len - 1] = 0;
++ strlcpy((*names)[i], policydb.p_bool_val_to_name[i], name_len + 1);
+ }
++ if ( maxstr && name_len > *maxstr )
++ *maxstr = name_len;
+ }
+ rc = 0;
+ out:
+@@ -2006,7 +2009,7 @@ static int security_preserve_bools(struc
+ struct cond_bool_datum *booldatum;
+ struct cond_node *cur;
+
+- rc = security_get_bools(&nbools, &bnames, &bvalues);
++ rc = security_get_bools(&nbools, &bnames, &bvalues, NULL);
+ if ( rc )
+ goto out;
+ for ( i = 0; i < nbools; i++ )
+
diff --git a/app-emulation/xen/xen-4.2.2-r3.ebuild b/app-emulation/xen/xen-4.2.2-r4.ebuild
index 4d59d8294604..592b34852b77 100644
--- a/app-emulation/xen/xen-4.2.2-r3.ebuild
+++ b/app-emulation/xen/xen-4.2.2-r4.ebuild
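Review bot: The XSA-85 hunk in the added files/xen-4.3-CVE-2014-263-XSA-84-85.patch still carries its standalone header `@@ -457,7 +457,7 @@`, although the flask_op.c hunks before it have already moved the new side by seven lines (`-440,7 +447,7`), so in this combined file it should read `@@ -457,7 +464,7 @@`. Together with the XSA-84 mail header that has no diff of its own and the archive-style sender `security () xen org`, this suggests the file was merged by hand from list postings rather than taken from the upstream advisory attachments. The patch tool will most likely still place the hunk by context, but it is worth confirming after applying that `if ( arg->cpu >= nr_cpu_ids )` actually landed in flask_security_avc_cachestats, and shipping the two upstream patches as separate, unmodified files would let them be compared against the signed advisories.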
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.2-r3.ebuild,v 1.1 2014/01/24 15:25:38 dlan Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.2-r4.ebuild,v 1.1 2014/02/07 08:21:21 idella4 Exp $
 EAPI=5
@@ -48,8 +48,9 @@ XSA_PATCHES=(
 "${FILESDIR}"/${PN}-4.2-CVE-2013-4553-XSA-74.patch
 "${FILESDIR}"/${PN}-CVE-2013-4554-XSA-76.patch
 "${FILESDIR}"/${PN}-CVE-2013-6400-XSA-80.patch
- "${FILESDIR}"/${PN}-4-XSA-83.patch #bug #499054
- "${FILESDIR}"/${PN}-4.2-XSA-87.patch #bug #499124
+ "${FILESDIR}"/${PN}-4-XSA-83.patch # bug #499054
+ "${FILESDIR}"/${PN}-4.2-CVE-2014-263-XSA-84-85.patch # bug #500528 500536
+ "${FILESDIR}"/${PN}-4.2-XSA-87.patch # bug #499124
 )
 pkg_setup() {
diff --git a/app-emulation/xen/xen-4.3.1-r4.ebuild b/app-emulation/xen/xen-4.3.1-r5.ebuild
index c3bae933263c..7ee3b79f1d07 100644
--- a/app-emulation/xen/xen-4.3.1-r4.ebuild
+++ b/app-emulation/xen/xen-4.3.1-r5.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.3.1-r4.ebuild,v 1.1 2014/01/24 15:25:38 dlan Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.3.1-r5.ebuild,v 1.1 2014/02/07 08:21:21 idella4 Exp $
 EAPI=5
@@ -49,8 +49,9 @@ XSA_PATCHES=(
 "${FILESDIR}"/${PN}-4.3-CVE-2013-4553-XSA-74.patch
 "${FILESDIR}"/${PN}-CVE-2013-4554-XSA-76.patch
 "${FILESDIR}"/${PN}-CVE-2013-6400-XSA-80.patch
- "${FILESDIR}"/${PN}-4-XSA-83.patch #bug #499054
- "${FILESDIR}"/${PN}-4.3-XSA-87.patch #bug #499124
+ "${FILESDIR}"/${PN}-4-XSA-83.patch # bug #499054
+ "${FILESDIR}"/${PN}-4.3-CVE-2014-263-XSA-84-85.patch # bug #500528 500536
+ "${FILESDIR}"/${PN}-4.3-XSA-87.patch # bug #499124
 )
 pkg_setup() {
|
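Review bot: xen-4.2.2-r4.ebuild adds `"${FILESDIR}"/${PN}-4.2-CVE-2014-263-XSA-84-85.patch` to XSA_PATCHES, but the diffstat of this commit only adds `files/xen-4.3-CVE-2014-263-XSA-84-85.patch`. Unless a 4.2 variant already exists in files/ (not visible here), the 4.2.2 revbump either fails when the patches are applied or, if that failure is tolerated somewhere, is built without the XSA-84/85 fixes it advertises; the 4.2 backport should be added in the same commit. The `CVE-2014-263` part of both file names also does not look like a complete CVE identifier and should be checked against the advisories. XSA_PATCHES opens above the hunk and pkg_setup continues below it.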