tags 490409 + patch thanks Hi,
The following is the diff for my xen-3 3.2.1-2.1 NMU. It incorporates three patches from upstream and aims to fix CVE-2008-2004 aka #490409. It is not yet tested much, I would appreciate if interested parties could give it a try. I'll upload in due course. Kind regards T.
diff -u xen-3-3.2.1/debian/control.md5sum xen-3-3.2.1/debian/control.md5sum
--- xen-3-3.2.1/debian/control.md5sum
+++ xen-3-3.2.1/debian/control.md5sum
@@ -1,4 +1,4 @@
-be13ec7962f9b42707fff1af663b9766 debian/changelog
+c61f3c049db247829b8fa175ee863eec debian/changelog
 5794c483fe195bd0b01c2642b804ec36 debian/bin/gencontrol.py
 04cbffed36f180cd58f699d955c7bba8 debian/templates/control.hypervisor.in
 c684d3285ee42118924db501cb4137ea debian/templates/control.main.in
diff -u xen-3-3.2.1/debian/changelog xen-3-3.2.1/debian/changelog
--- xen-3-3.2.1/debian/changelog
+++ xen-3-3.2.1/debian/changelog
@@ -1,3 +1,12 @@
+xen-3 (3.2.1-2.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add three patches from upstream to fix disk format
+ vulnerability (CVE-2008-2004). Closes: #490409
+ * Update debian/rules.defs so source package builds.
+
+ -- Thomas Viehmann <[EMAIL PROTECTED]> Wed, 10 Sep 2008 23:42:00 +0200
+
 xen-3 (3.2.1-2) unstable; urgency=low
 * Use e2fslibs based ext2 support for pygrub. (closes: #476366)
diff -u xen-3-3.2.1/debian/patches/series xen-3-3.2.1/debian/patches/series
--- xen-3-3.2.1/debian/patches/series
+++ xen-3-3.2.1/debian/patches/series
@@ -18,0 +19,3 @@
+xen-3.2.CVE-2008-2004.1.hg80730d294e51.diff
+xen-3.2.CVE-2008-2004.2.hg5824167feb81.diff
+xen-3.2.CVE-2008-2004.3.hg0016f5a1dd5a.diff
only in patch2:
unchanged:
--- xen-3-3.2.1.orig/debian/patches/xen-3.2.CVE-2008-2004.1.hg80730d294e51.diff
+++ xen-3-3.2.1/debian/patches/xen-3.2.CVE-2008-2004.1.hg80730d294e51.diff
@@ -0,0 +1,128 @@
+
+# HG changeset patch
+# User Keir Fraser <[EMAIL PROTECTED]>
+# Date 1210688387 -3600
+# Node ID 80730d294e51e39a7f8f58708d1de2f735001392
+# Parent fd285b18158e8bc355ac036cf9d305d06bbfbce3
+ioemu: fix disk format security vulnerability
+
+* make the xenstore reader in qemu-dm's startup determine which
+ of qemu's block drivers to use according to the xenstore
+ backend `type' field. This `type' field typically comes from
+ the front of the drive mapping string in ioemu. The
+ supported cases are:
+ xm config file string `type' image format qemu driver
+ phy:[/dev/]<device> phy raw image bdrv_raw
+ file:<filename> file raw image bdrv_raw
+ tap:aio:<filename> tap raw image bdrv_raw
+ tap:qcow:<image> tap not raw autoprobe
+ tap:<cow-fmt>:<image> tap named format bdrv_<cow-fmt>
+ It is still necessary to autoprobe when the image is specified as
+ `tap:qcow:<image>', because qemu distinguishes `qcow' and `qcow2'
+ whereas blktap doesn't; `qcow' in xenstore typically means what
+ qemu calls qcow2. This is OK because qemu can safely distinguish
+ the different cow formats provided we know it's not a raw image.
+
+* Make the format autoprobing machinery never return `raw'. This has
+ two purposes: firstly, it arranges that the `tap:qcow:...' case
+ above can be handled without accidentally falling back to raw
+ format. Secondly it prevents accidents in case the code changes in
+ future: autoprobing will now always fail on supposed cow files which
+ actually contain junk, rather than giving the guest access to the
+ underlying file.
+
+Signed-off-by: Ian Jackson <[EMAIL PROTECTED]>
+xen-unstable changeset: 17606:e3be00bd6aa963aca563692c271af762f9380ba0
+xen-unstable date: Mon May 12 10:09:12 2008 +0100
+
+--- a/tools/ioemu/block.c Tue May 13 15:16:59 2008 +0100
++++ b/tools/ioemu/block.c Tue May 13 15:19:47 2008 +0100
+@@ -250,7 +250,7 @@ static BlockDriver *find_protocol(const
+ #endif
+ p = strchr(filename, ':');
+ if (!p)
+- return &bdrv_raw;
++ return NULL; /* do not ever guess raw, it is a security problem! */
+ len = p - filename;
+ if (len > sizeof(protocol) - 1)
+ len = sizeof(protocol) - 1;
+--- a/tools/ioemu/xenstore.c Tue May 13 15:16:59 2008 +0100
++++ b/tools/ioemu/xenstore.c Tue May 13 15:19:47 2008 +0100
+@@ -86,6 +86,7 @@ void xenstore_parse_domain_config(int do
+ int i, is_scsi, is_hdN = 0;
+ unsigned int len, num, hd_index;
+ BlockDriverState *bs;
++ BlockDriver *format;
+
+ for(i = 0; i < MAX_DISKS + MAX_SCSI_DISKS; i++)
+ media_filename[i] = NULL;
+@@ -131,6 +132,8 @@ void xenstore_parse_domain_config(int do
+ }
+
+ for (i = 0; i < num; i++) {
++ format = NULL; /* don't know what the format is yet */
++
+ /* read the backend path */
+ if (pasprintf(&buf, "%s/device/vbd/%s/backend", path, e[i]) == -1)
+ continue;
+@@ -177,13 +180,20 @@ void xenstore_parse_domain_config(int do
+ drv = xs_read(xsh, XBT_NULL, buf, &len);
+ if (drv == NULL)
+ continue;
+- /* Strip off blktap sub-type prefix aio: - QEMU can autodetect this */
++ /* Obtain blktap sub-type prefix */
+ if (!strcmp(drv, "tap") && params[0]) {
+ char *offset = strchr(params, ':');
+ if (!offset)
+ continue ;
++ free(drv);
++ drv = malloc(offset - params + 1);
++ memcpy(drv, params, offset - params);
++ drv[offset - params] = '\0';
++ if (!strcmp(drv, "aio"))
++ /* qemu does aio anyway if it can */
++ format = &bdrv_raw;
+ memmove(params, offset+1, strlen(offset+1)+1 );
+- fprintf(logfile, "Strip off blktap sub-type prefix to %s\n", params);
++ fprintf(logfile, "Strip off blktap sub-type prefix to %s (drv '%s')\n", params, drv);
+ }
+ /* Prefix with /dev/ if needed */
+ if (!strcmp(drv, "phy") && params[0] != '/') {
+@@ -191,6 +201,7 @@ void xenstore_parse_domain_config(int do
+ sprintf(newparams, "/dev/%s", params);
+ free(params);
+ params = newparams;
++ format = &bdrv_raw;
+ }
+
+ /*
+@@ -227,9 +238,25 @@ void xenstore_parse_domain_config(int do
+
+ /* open device now if media present */
+ if (params[0]) {
+- if (bdrv_open(bs, params, 0 /* snapshot */) < 0)
+- fprintf(stderr, "qemu: could not open hard disk image '%s'\n",
+- params);
++ if (!format) {
++ if (!drv) {
++ fprintf(stderr, "qemu: type (image format) not specified for vbd '%s' or image '%s'\n", buf, params);
++ continue;
++ }
++ if (!strcmp(drv,"qcow")) {
++ /* autoguess qcow vs qcow2 */
++ } else if (!strcmp(drv,"file")) {
++ format = &bdrv_raw;
++ } else {
++ format = bdrv_find_format(drv);
++ if (!format) {
++ fprintf(stderr, "qemu: type (image format) '%s' unknown for vbd '%s' or image '%s'\n", drv, buf, params);
++ continue;
++ }
++ }
++ }
++ if (bdrv_open2(bs, params, 0 /* snapshot */, format) < 0)
++ fprintf(stderr, "qemu: could not open vbd '%s' or hard disk image '%s' (drv '%s')\n", buf, params, drv ? drv : "?");
+ }
+ }
+
only in patch2:
unchanged:
--- xen-3-3.2.1.orig/debian/patches/xen-3.2.CVE-2008-2004.3.hg0016f5a1dd5a.diff
+++ xen-3-3.2.1/debian/patches/xen-3.2.CVE-2008-2004.3.hg0016f5a1dd5a.diff
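Review bot: The blktap sub-type copy in the `tap` branch of the xenstore.c hunk at @@ -177,13 +180,20 @@ uses `malloc`'s result without checking it: `drv = malloc(offset - params + 1);` is followed straight by `memcpy(drv, params, offset - params);`, so an allocation failure becomes a NULL write instead of a reported error, on a path driven by a string that presumably comes from xenstore. The three lines can be `drv = strndup(params, offset - params); if (!drv) continue;`, which also removes the hand-rolled terminator. The two new `continue` statements in the `if (!format)` block at @@ -227,9 +238,25 @@ bypass whatever the loop body does after the open; if that tail frees `buf`, `params` or `drv` (it is not visible in the hunk), those strings leak on the new error paths. xenstore_parse_domain_config starts and ends outside the hunk.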
@@ -0,0 +1,110 @@
+
+# HG changeset patch
+# User Keir Fraser <[EMAIL PROTECTED]>
+# Date 1210860689 -3600
+# Node ID 0016f5a1dd5a1622bcc66b82d2ef9bf4d36e88e3
+# Parent aee5dc4a4a37005994c9ea7e9eab73043f30cb2c
+ioemu: Do not try to guess backing file format when using qcow vbds.
+Signed-off-by: Ian Jackson <[EMAIL PROTECTED]>
+xen-unstable changeset: 17646:e3b13e1ecf6ca61b84c8bdf5ae3e961268c920f5
+xen-unstable date: Thu May 15 15:10:05 2008 +0100
+
+--- a/tools/ioemu/block.c Thu May 15 09:59:19 2008 +0100
++++ b/tools/ioemu/block.c Thu May 15 15:11:29 2008 +0100
+@@ -236,8 +236,28 @@ static int is_windows_drive(const char *
+ }
+ #endif
+
++static int bdrv_invalid_protocol_open(BlockDriverState *bs,
++ const char *filename, int flags) {
++ return -ENOENT;
++}
++
++static BlockDriver bdrv_invalid_protocol = {
++ "invalid_protocol",
++ .bdrv_open = bdrv_invalid_protocol_open,
++};
++
+ static BlockDriver *find_protocol(const char *filename)
+ {
++ /* Return values:
++ * &bdrv_xxx
++ * filename specifies protocol xxx
++ * caller should use that
++ * NULL filename does not specify any protocol
++ * caller may apply their own default
++ * &bdrv_invalid_protocol filename speciies an unknown protocol
++ * caller should return -ENOENT; or may just try to open with
++ * that bdrv, which always fails that way.
++ */
+ BlockDriver *drv1;
+ char protocol[128];
+ int len;
+@@ -250,7 +270,7 @@ static BlockDriver *find_protocol(const
+ #endif
+ p = strchr(filename, ':');
+ if (!p)
+- return NULL; /* do not ever guess raw, it is a security problem! */
++ return NULL;
+ len = p - filename;
+ if (len > sizeof(protocol) - 1)
+ len = sizeof(protocol) - 1;
+@@ -261,7 +281,7 @@ static BlockDriver *find_protocol(const
+ !strcmp(drv1->protocol_name, protocol))
+ return drv1;
+ }
+- return NULL;
++ return &bdrv_invalid_protocol;
+ }
+
+ /* XXX: force raw format if block or character device ? It would
+@@ -291,8 +311,8 @@ static BlockDriver *find_image_format(co
+ #endif
+
+ drv = find_protocol(filename);
+- /* no need to test disk image formats for vvfat */
+- if (drv == &bdrv_vvfat)
++ /* no need to test disk image format if the filename told us */
++ if (drv != NULL)
+ return drv;
+
+ ret = bdrv_file_open(&bs, filename, BDRV_O_RDONLY);
+@@ -386,7 +406,7 @@ int bdrv_open2(BlockDriverState *bs, con
+ if (flags & BDRV_O_FILE) {
+ drv = find_protocol(filename);
+ if (!drv)
+- return -ENOENT;
++ drv = &bdrv_raw;
+ } else {
+ if (!drv) {
+ drv = find_image_format(filename);
+@@ -434,7 +454,7 @@ int bdrv_open2(BlockDriverState *bs, con
+ }
+ path_combine(backing_filename, sizeof(backing_filename),
+ filename, bs->backing_file);
+- if (bdrv_open(bs->backing_hd, backing_filename, 0) < 0)
++ if (bdrv_open2(bs->backing_hd, backing_filename, 0, &bdrv_raw) < 0)
+ goto fail;
+ }
+
+--- a/tools/ioemu/xenstore.c Thu May 15 09:59:19 2008 +0100
++++ b/tools/ioemu/xenstore.c Thu May 15 15:11:29 2008 +0100
+@@ -247,6 +247,8 @@ void xenstore_parse_domain_config(int do
+ /* autoguess qcow vs qcow2 */
+ } else if (!strcmp(drv,"file") || !strcmp(drv,"phy")) {
+ format = &bdrv_raw;
++ } else if (!strcmp(drv,"phy")) {
++ format = &bdrv_raw;
+ } else {
+ format = bdrv_find_format(drv);
+ if (!format) {
+@@ -256,7 +258,7 @@ void xenstore_parse_domain_config(int do
+ }
+ }
+ if (bdrv_open2(bs, params, 0 /* snapshot */, format) < 0)
+- fprintf(stderr, "qemu: could not open vbd '%s' or hard disk image '%s' (drv '%s')\n", buf, params, drv ? drv : "?");
++ fprintf(stderr, "qemu: could not open vbd '%s' or hard disk image '%s' (drv '%s' format '%s')\n", buf, params, drv ? drv : "?", format ? format->format_name : "0");
+ }
+ }
+
only in patch2:
unchanged:
--- xen-3-3.2.1.orig/debian/patches/xen-3.2.CVE-2008-2004.2.hg5824167feb81.diff
+++ xen-3-3.2.1/debian/patches/xen-3.2.CVE-2008-2004.2.hg5824167feb81.diff
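Review bot: The xenstore.c hunk at @@ -247,6 +247,8 @@ leaves an unreachable branch: the context line directly above the addition already reads `} else if (!strcmp(drv,"file") || !strcmp(drv,"phy")) {`, so the added `} else if (!strcmp(drv,"phy")) {` / `format = &bdrv_raw;` can never be taken. That `phy` → raw mapping is what the second patch file in the series (the hunk at @@ -245,7 +245,7 @@, shown last on this page) introduces, so the two overlap and one of them should be dropped; the resulting behaviour is the same either way, but the duplicate reads as if the two cases were meant to differ. In the block.c hunk at @@ -236,8 +236,28 @@ the new return-value comment in find_protocol has a typo, `speciies` → `specifies`. find_protocol, find_image_format, bdrv_open2 and xenstore_parse_domain_config all start or end outside their hunks.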
@@ -0,0 +1,16 @@
+
+--- a/tools/ioemu/xenstore.c Tue May 13 15:19:47 2008 +0100
++++ b/tools/ioemu/xenstore.c Wed May 14 09:12:27 2008 +0100
+@@ -245,7 +245,7 @@ void xenstore_parse_domain_config(int do
+ }
+ if (!strcmp(drv,"qcow")) {
+ /* autoguess qcow vs qcow2 */
+- } else if (!strcmp(drv,"file")) {
++ } else if (!strcmp(drv,"file") || !strcmp(drv,"phy")) {
+ format = &bdrv_raw;
+ } else {
+ format = bdrv_find_format(drv);
+
+
+
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]