S.Çağlar Onur
2007-May-01 13:29 UTC
[Xen-devel] [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
Hi;

If anybody interested, attached patch (against 3.0.4) fixes CVE-2007-1320, CVE-2007-1321, CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366 which affects qemu and also seems valid for xen.

Cheers
--
S.Çağlar Onur <caglar@pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/

Linux is like living in a teepee. No Windows, no Gates and an Apache in house!

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Keir Fraser
2007-May-01 13:44 UTC
Re: [Xen-devel] [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
On 1/5/07 14:29, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:

> If anybody interested, attached patch (against 3.0.4) fixes CVE-2007-1320,
> CVE-2007-1321, CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366 which affects
> qemu and also seems valid for xen.

Is the patch from upstream qemu? We have our own patches to fix these issues in 3.0.5-rc, but we'd consider an alternative that keeps us closer to upstream qemu (albeit a later qemu than we build against).

 -- Keir
S.Çağlar Onur
2007-May-01 14:15 UTC
Re: [Xen-devel] [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
On Tuesday, 01 May 2007, Keir Fraser wrote:

> On 1/5/07 14:29, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:
> > If anybody interested, attached patch (against 3.0.4) fixes
> > CVE-2007-1320, CVE-2007-1321, CVE-2007-1322, CVE-2007-1323 and
> > CVE-2007-1366 which affects qemu and also seems valid for xen.
>
> Is the patch from upstream qemu? We have our own patches to fix these
> issues in 3.0.5-rc, but we'd consider an alternative that keeps us closer
> to upstream qemu (albeit a later qemu than we build against).

I'm not sure these go into upstream or not but our security team grabbed this from Debian [1].

P.S: while I get your attention :) is it possible to push both 3.0.4 and 3.0.5 CVEish patches into trees, we have 15 pending patch in our package which submitted to list and xen-bugzilla long before?

[1] http://security.debian.org/pool/updates/main/q/qemu/qemu_0.8.2-4etch1.diff.gz
Keir Fraser
2007-May-01 14:44 UTC
Re: [Xen-devel] [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
On 1/5/07 15:15, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:

> P.S: while I get your attention :) is it possible to push both 3.0.4 and 3.0.5
> CVEish patches into trees, we have 15 pending patch in our package which
> submitted to list and xen-bugzilla long before?

I don't believe I have any outstanding patches for 3.0.5. Please send any that you think are critical. There's no plan to do a 3.0.4-2 in the immediate future.

 -- Keir
Christian Limpach
2007-May-01 18:14 UTC
Re: [Xen-devel] [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
On 5/1/07, S.Çağlar Onur <caglar@pardus.org.tr> wrote:

> Hi;
>
> If anybody interested, attached patch (against 3.0.4) fixes CVE-2007-1320,
> CVE-2007-1321, CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366 which affects
> qemu and also seems valid for xen.

I've seen this patch before and I picked the most relevant fixes, cleaned them up and checked them in a while ago. I left out the ones which touch code we don't compile and the ones which touch code we don't enable by default. If somebody else cleans up those, it would be great to get them checked in.

We have the first check to bdrv_write in block.c and we have the same check in bdrv_read -- we don't have that unsigned int ns < 0 check.

We have a fix for the cirrus bitblit issue -- I think the fix in the patch you post actually doesn't cover all cases.

We have the hw/dma.c null pointer check.

We don't have the hw/fdc.c null pointer check. We should probably add that one.

We don't have the hw/i8259.c change since we don't use that file.

We don't have the hw/ne2000.c change since we use the rtl8139 driver by default -- could add that one.

We don't have the hw/pc.c change since exit'ing seems safer.

We don't have the hw/sb16.c change since we don't have sound by default -- we should probably add that one.

We don't have the target-i386/translate.c changes since we don't use that file.

We don't have the vl.c changes since we only use the network tap mode.

    christian
S.Çağlar Onur
2007-May-01 18:56 UTC
Re: [Xen-devel] [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
On Tuesday, 01 May 2007, Keir Fraser wrote:

> On 1/5/07 15:15, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:
> > P.S: while I get your attention :) is it possible to push both 3.0.4 and
> > 3.0.5 CVEish patches into trees, we have 15 pending patch in our package
> > which submitted to list and xen-bugzilla long before?
>
> I don't believe I have any outstanding patches for 3.0.5. Please send any
> that you think are critical. There's no plan to do a 3.0.4-2 in the
> immediate future.

Hmm I think there are some :)

I have following patches on top of current 3.0.5-testing tree, this series contains all released CVE's from 2.6.18 to up until now (linus's current git), only CVE-2007-2242 (IPV6: Disallow RH0 by default.) is missing...

[caglar@zangetsu][~/buildbox/xen/linux-2.6.18/patches]> quilt series
linux-2.6-xen.patch <-- "make mkpatches" of current tree
CVE-2005-4352.patch
CVE-2006-4814.patch
CVE-2006-5619.patch
CVE-2006-5749.patch
CVE-2006-5751.patch
CVE-2006-5753.patch
CVE-2006-5757-CVE-2006-6060.patch
CVE-2006-5823.patch
CVE-2006-6053.patch
CVE-2006-6054.patch
CVE-2006-6056.patch
CVE-2006-6106.patch
CVE-2006-6333.patch
CVE-2007-0005.patch
CVE-2007-0006.patch
CVE-2007-0772.patch
CVE-2007-0958.patch
CVE-2007-1000.patch
CVE-2007-1217.patch
CVE-2007-1388.patch
CVE-2007-1497.patch
CVE-2007-1592.patch
CVE-2007-1861.patch
CVE-2007-2172.patch

Instead of submitting all these patches to mailing list I just upload to [1]

[1] http://cekirdek.pardus.org.tr/~caglar/patches/

Cheers
S.Çağlar Onur
2007-May-01 19:21 UTC
Re: [Xen-devel] [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
On Tuesday, 01 May 2007, Christian Limpach wrote:

> On 5/1/07, S.Çağlar Onur <caglar@pardus.org.tr> wrote:
> > Hi;
> >
> > If anybody interested, attached patch (against 3.0.4) fixes
> > CVE-2007-1320, CVE-2007-1321, CVE-2007-1322, CVE-2007-1323 and
> > CVE-2007-1366 which affects qemu and also seems valid for xen.
>
> I've seen this patch before and I picked the most relevant fixes,
> cleaned them up and checked them in a while ago. I left out the ones
> which touch code we don't compile and the ones which touch code we
> don't enable by default. If somebody else cleans up those, it would
> be great to get them checked in.

Great, is it possible to also inform the list for these kind of updates in future?

Cheers
Keir Fraser
2007-May-01 20:12 UTC
Re: [Xen-devel] [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
On 1/5/07 19:56, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:

> Hmm I think there are some :)
>
> I have following patches on top of current 3.0.5-testing tree, this series
> contains all released CVE's from 2.6.18 to up until now (linus's current
> git), only CVE-2007-2242 (IPV6: Disallow RH0 by default.) is missing...

Presumably we'd get most of these by upgrading to linux-2.6.18.8?

 -- Keir
S.Çağlar Onur
2007-May-01 20:46 UTC
Re: [Xen-devel] [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
On Tuesday, 01 May 2007, Keir Fraser wrote:

> On 1/5/07 19:56, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:
> > Hmm I think there are some :)
> >
> > I have following patches on top of current 3.0.5-testing tree, this
> > series contains all released CVE's from 2.6.18 to up until now (linus's
> > current git), only CVE-2007-2242 (IPV6: Disallow RH0 by default.) is
> > missing...
>
> Presumably we'd get most of these by upgrading to linux-2.6.18.8?

8 of them are in 2.6.18.8 others are backported/applied etc,

CVE-2005-4352.patch <- solved with 2.6.18.3
CVE-2006-4814.patch <- solved with 2.6.18.8
CVE-2006-5619.patch <- solved with 2.6.18.2
CVE-2006-5749.patch <- solved with 2.6.20-rc2
CVE-2006-5751.patch <- solved with 2.6.18.4
CVE-2006-5753.patch <- solved with 2.6.20-rc4
CVE-2006-5757-CVE-2006-6060.patch <- solved in 2.6.18.8
CVE-2006-5823.patch <- solved with 2.6.20-rc1
CVE-2006-6053.patch <- solved with 2.6.20-rc1
CVE-2006-6054.patch <- solved with 2.6.20-rc1
CVE-2006-6056.patch <- solved with 2.6.18.8
CVE-2006-6106.patch <- solved with 2.6.18.6
CVE-2006-6333.patch <- solved with 2.6.20
CVE-2007-0005.patch <- solved with 2.6.21-rc3
CVE-2007-0006.patch <- solved with 2.6.21
CVE-2007-0772.patch <- solved with 2.6.18.7
CVE-2007-0958.patch <- solved with 2.6.20-rc7
CVE-2007-1000.patch <- solved with 2.6.21
CVE-2007-1217.patch <- solved with 2.6.20.1
CVE-2007-1388.patch <- solved with 2.6.21
CVE-2007-1497.patch <- solved with 2.6.21
CVE-2007-1592.patch <- solved with 2.6.21
CVE-2007-1861.patch <- solved with 2.6.21.1
CVE-2007-2172.patch <- solved with 2.6.20.6

Cheers
S.Çağlar Onur
2007-May-01 23:04 UTC
Re: [Xen-devel] [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
On Tuesday, 01 May 2007, S.Çağlar Onur wrote:

> I have following patches on top of current 3.0.5-testing tree, this series
> contains all released CVE's from 2.6.18 to up until now (linus's current
> git), only CVE-2007-2242 (IPV6: Disallow RH0 by default.) is missing...

Just added CVE-2007-2242.patch and also full-tarball [1] in case of anybody wants to review/use etc.

[1] http://cekirdek.pardus.org.tr/~caglar/patches/patches.tar.gz
Robert Buchholz
2007-Sep-25 22:45 UTC
Re: [Xen-devel] [PATCH] Fix CVE-2007-1320, CVE-2007-1321 , CVE-2007-1322, CVE-2007-1323 and CVE-2007-1366
On Tuesday, 1. May 2007, Christian Limpach wrote:

> On 5/1/07, S.Çağlar Onur <caglar@pardus.org.tr> wrote:
> > Hi;
> >
> > If anybody interested, attached patch (against 3.0.4) fixes
> > CVE-2007-1320, CVE-2007-1321, CVE-2007-1322, CVE-2007-1323 and
> > CVE-2007-1366 which affects qemu and also seems valid for xen.
>
> I've seen this patch before and I picked the most relevant fixes,
> cleaned them up and checked them in a while ago. I left out the ones
> which touch code we don't compile and the ones which touch code we
> don't enable by default. If somebody else cleans up those, it would
> be great to get them checked in.
>
> We have the first check to bdrv_write in block.c and we have the same
> check in bdrv_read -- we don't have that unsigned int ns < 0 check.
>
> We have a fix for the cirrus bitblit issue -- I think the fix in the
> patch you post actually doesn't cover all cases.
>
> We have the hw/dma.c null pointer check.
>
> We don't have the hw/fdc.c null pointer check. We should probably
> add that one.
>
> We don't have the hw/i8259.c change since we don't use that file.
>
> We don't have the hw/ne2000.c change since we use the rtl8139 driver
> by default -- could add that one.
>
> We don't have the hw/pc.c change since exit'ing seems safer.
>
> We don't have the hw/sb16.c change since we don't have sound by
> default -- we should probably add that one.
>
> We don't have the target-i386/translate.c changes since we don't use
> that file.
>
> We don't have the vl.c changes since we only use the network tap
> mode.

How much cleaning would the remaining fixes need?

I've re-attached the patch proposed by S.Çağlar Onur, with those issues fixed in 3.1.0 removed and only including those you marked "should/could add".

Regards,
Robert