Bugzilla – Bug 935634
VUL-0: CVE-2015-3259: xen: XSA-137: xl command line config handling stack overflow
Last modified: 2020-06-15 01:23:41 UTC
Created attachment 638686: xsa137.patch
xsa137.patch attached to email
bugbot adjusting priority
Xen Security Advisory CVE-2015-3259 / XSA-137
version 3

xl command line config handling stack overflow

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The xl command line utility mishandles long configuration values when
passed as command line arguments, with a buffer overrun.

VULNERABLE SYSTEMS
==================

Systems built on top of xl which pass laundered or checked (but
otherwise untrusted) configuration values onto xl's command line,
without restricting their length, are vulnerable.

We are not presently aware of any publicly distributed production
software which exposes the xl vulnerability. However it is
sufficiently simple to create such an arrangement that it might be
done locally in an attempt to grant partial management access to
particular domains.

Systems using the libxl library directly, without using xl, are not
vulnerable. Systems using toolstacks other than xl are not
vulnerable. Systems where only fully trusted input is ever presented
to the xl command line are not vulnerable.

The vulnerability exists on x86 and ARM.

The vulnerability was introduced in Xen 4.1 and affects all
subsequent Xen releases.

IMPACT
======

A semi-trusted guest administrator or controller, who is intended to
be able to partially control the configuration settings for a domain,
can escalate their privileges to that of the whole host.

MITIGATION
==========

Limiting the length of untrusted configuration settings will avoid the
vulnerability. (The total length of all command-line configuration
settings, including some interposed newlines and trailing nul, must be
less than 1024.)

CREDITS
=======

This issue was discovered by Donghai Zhu of Alibaba.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa137.patch        Xen 4.2.x and later

$ sha256sum xsa137*.patch
0272c443575c88b53445c89ef84f0cd98a03944d3303f06c66c33ef0037d97b9  xsa137.patch
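
The length rule from the advisory's MITIGATION section, as an added example (not code from Xen, the XSA-137 patch or this bug report): a gate that a wrapper in front of xl could run on untrusted settings before passing them on. The function names and the accounting of one newline per setting are assumptions based on the advisory's wording.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Bound from the advisory's MITIGATION text: the joined settings,
 * newlines and trailing NUL included, must total less than 1024 bytes. */
#define XL_SETTINGS_LIMIT 1024

/* Bytes needed for the settings once joined. Assumption: one newline
 * follows each setting, then one NUL. Returns 0 on size_t overflow. */
size_t joined_length(size_t n, const char *const settings[])
{
    size_t total = 1;                          /* trailing NUL */
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(settings[i]);
        if (len >= (size_t)-1 - total)         /* total + len + 1 would wrap */
            return 0;
        total += len + 1;                      /* setting + newline */
    }
    return total;
}

/* Wrapper-side gate: 1 if the settings may be passed on, 0 to refuse. */
int settings_within_limit(size_t n, const char *const settings[])
{
    size_t total = joined_length(n, settings);
    return total != 0 && total < XL_SETTINGS_LIMIT;
}

/* Constructed sample: one setting "k=" followed by value_len 'x' bytes. */
int single_setting_allowed(size_t value_len)
{
    char *s = malloc(value_len + 3);
    if (s == NULL) return 0;                   /* fail closed */
    memcpy(s, "k=", 2);
    memset(s + 2, 'x', value_len);
    s[value_len + 2] = '\0';
    const char *const one[] = { s };
    int ok = settings_within_limit(1, one);
    free(s);
    return ok;
}

/* Exit status 0 if every argument together fits the limit, 1 otherwise. */
int main(int argc, char **argv)
{
    size_t n = argc > 1 ? (size_t)(argc - 1) : 0;
    return settings_within_limit(n, (const char *const *)(argv + 1)) ? 0 : 1;
}
```

The strict `<` follows the advisory's wording, so settings that total exactly 1024 bytes are refused.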
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-07-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62217
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-07-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62220
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-07-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62221
This is an autogenerated message for OBS integration: This bug (935634) was mentioned in https://build.opensuse.org/request/show/318159 42 / xen
SUSE-SU-2015:1299-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 925466,935634,938344
CVE References: CVE-2015-3259,CVE-2015-5154
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xen-4.4.2_10-5.1
SUSE Linux Enterprise Server 11-SP4 (src): xen-4.4.2_10-5.1
SUSE Linux Enterprise Desktop 11-SP4 (src): xen-4.4.2_10-5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.2_10-5.1
POTENTIAL REPRODUCER (untested):
Extra config variables need to exceed 1024 bytes. They can be specified on the command line with foo=xxx. Something like this might work:

    xl create foo=`perl -e 'print "x" x 1000;'` bar=`perl -e 'print "x" x 1000;'` berk=`perl -e 'print "x" x 1000;'`

Perhaps add more strings.
SUSE-SU-2015:1302-1: An update that solves two vulnerabilities and has two fixes is now available.
Category: security (important)
Bug References: 925466,935256,935634,938344
CVE References: CVE-2015-3259,CVE-2015-5154
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): xen-4.4.2_08-22.5.1
SUSE Linux Enterprise Server 12 (src): xen-4.4.2_08-22.5.1
SUSE Linux Enterprise Desktop 12 (src): xen-4.4.2_08-22.5.1
SUSE-SU-2015:1479-1: An update that fixes 6 vulnerabilities is now available.
Category: security (important)
Bug References: 922709,932996,935634,938344,939709,939712
CVE References: CVE-2015-2751,CVE-2015-3259,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): xen-4.2.5_12-15.1
SUSE Linux Enterprise Server 11-SP3 (src): xen-4.2.5_12-15.1
SUSE Linux Enterprise Desktop 11-SP3 (src): xen-4.2.5_12-15.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): xen-4.2.5_12-15.1
SUSE-SU-2015:1479-2: An update that fixes 6 vulnerabilities is now available.
Category: security (important)
Bug References: 922709,932996,935634,938344,939709,939712
CVE References: CVE-2015-2751,CVE-2015-3259,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166
Sources used:
SUSE Linux Enterprise Desktop 11-SP3 (src): xen-4.2.5_12-15.1
released
openSUSE-SU-2015:2003-1: An update that solves 13 vulnerabilities and has 9 fixes is now available.
Category: security (important)
Bug References: 877642,901488,907514,910258,918984,923967,925466,932267,935634,938344,939709,939712,944463,944697,945167,947165,949138,950367,950703,950705,950706,951845
CVE References: CVE-2014-0222,CVE-2015-3259,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972
Sources used:
openSUSE 13.2 (src): xen-4.4.3_02-30.1