Bug 935634 - (CVE-2015-3259) VUL-0: CVE-2015-3259: xen: XSA-137: xl command line config handling stack overflow
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2015-3259:4.1:(AV:L/A...
Reported: 2015-06-22 15:52 UTC by Marcus Meissner
Modified: 2020-06-15 01:23 UTC (History)
Comment 1 Marcus Meissner 2015-06-22 15:53:30 UTC
Created attachment 638686 [details]
xsa137.patch

xsa137.patch attached to email
Comment 2 Swamp Workflow Management 2015-06-22 22:00:55 UTC
bugbot adjusting priority
Comment 3 Johannes Segitz 2015-07-07 12:32:57 UTC
            Xen Security Advisory CVE-2015-3259 / XSA-137
                              version 3

             xl command line config handling stack overflow

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The xl command line utility mishandles long configuration values when
passed as command line arguments, with a buffer overrun.

VULNERABLE SYSTEMS
==================

Systems built on top of xl which pass laundered or checked (but
otherwise untrusted) configuration values onto xl's command line,
without restricting their length, are vulnerable.

We are not presently aware of any publicly distributed production
software which exposes the xl vulnerability.  However it is
sufficiently simple to create such an arrangement that it might be
done locally in an attempt to grant partial management access to
particular domains.

Systems using the libxl library directly, without using xl, are not
vulnerable.  Systems using toolstacks other than xl are not
vulnerable.  Systems where only fully trusted input is ever presented
to the xl command line are not vulnerable.

The vulnerability exists on x86 and ARM.

The vulnerability was introduced in Xen 4.1 and affects all subsequent
Xen releases.

IMPACT
======

A semi-trusted guest administrator or controller, who is intended to
be able to partially control the configuration settings for a domain,
can escalate their privileges to that of the whole host.

MITIGATION
==========

Limiting the length of untrusted configuration settings will avoid the
vulnerability.  (The total length of all command-line configuration
settings, including some interposed newlines and trailing nul, must be
less than 1024.)

CREDITS
=======

This issue was discovered by Donghai Zhu of Alibaba.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa137.patch        Xen 4.2.x and later

$ sha256sum xsa137*.patch
0272c443575c88b53445c89ef84f0cd98a03944d3303f06c66c33ef0037d97b9  xsa137.patch
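As an added illustration of the mitigation above (this is not code from the advisory, the Xen project or this bug): a wrapper that validates the combined size of untrusted key=value settings before passing them to xl. The accounting (one newline after every setting plus a trailing NUL) is an assumption chosen to be conservative against the "less than 1024" bound; the config path and xl invocation are placeholders.

```python
import subprocess

# Bound stated in the XSA-137 mitigation: the combined settings must stay below 1024.
XL_EXTRA_CONFIG_LIMIT = 1024


def extra_config_length(settings):
    """Bytes needed to buffer the command-line key=value settings.

    Assumed, deliberately conservative accounting: every setting is followed
    by a newline and the whole buffer ends with a NUL terminator.
    """
    return sum(len(s.encode("utf-8")) + 1 for s in settings) + 1


def settings_fit(settings):
    """True when the settings stay strictly under the 1024-byte limit."""
    return extra_config_length(settings) < XL_EXTRA_CONFIG_LIMIT


def build_xl_create_argv(config_file, settings):
    """Return the argv for 'xl create', refusing malformed or over-long input.

    Every setting must be key=value with an identifier-like key, so a caller
    cannot smuggle option flags in, and the total size is checked before
    anything reaches xl.
    """
    for s in settings:
        key, sep, _value = s.partition("=")
        if not sep or not key.isidentifier():
            raise ValueError("malformed setting: %r" % s[:40])
    if not settings_fit(settings):
        raise ValueError("settings total %d bytes, limit is %d"
                         % (extra_config_length(settings), XL_EXTRA_CONFIG_LIMIT))
    return ["xl", "create", config_file, *settings]


def run_xl_create(config_file, settings):
    """Validate, then invoke xl directly (no shell), with the real argv."""
    return subprocess.run(build_xl_create_argv(config_file, settings), check=True)


if __name__ == "__main__":
    # Constructed input shaped like the reproducer later in this bug: three
    # 1000-byte values, far over the limit, are rejected before xl is run.
    too_long = ["foo=" + "x" * 1000, "bar=" + "x" * 1000, "berk=" + "x" * 1000]
    try:
        build_xl_create_argv("/etc/xen/guest.cfg", too_long)  # placeholder path
    except ValueError as err:
        print("rejected:", err)
    print(build_xl_create_argv("/etc/xen/guest.cfg", ["memory=512", "vcpus=2"]))
```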
Comment 7 Swamp Workflow Management 2015-07-16 12:19:59 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-07-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62217
Comment 8 Swamp Workflow Management 2015-07-16 12:31:17 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-07-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62220
Comment 9 Swamp Workflow Management 2015-07-16 12:32:45 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-07-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62221
Comment 10 Bernhard Wiedemann 2015-07-23 12:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (935634) was mentioned in
https://build.opensuse.org/request/show/318159 42 / xen
Comment 11 Swamp Workflow Management 2015-07-27 17:08:15 UTC
SUSE-SU-2015:1299-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 925466,935634,938344
CVE References: CVE-2015-3259,CVE-2015-5154
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.2_10-5.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.2_10-5.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    xen-4.4.2_10-5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.2_10-5.1
Comment 13 Marcus Meissner 2015-07-28 07:50:06 UTC
POTENTIAL REPRODUCER (untested):

Extra config variables need to exceed 1024 bytes. They can be specified on the command line with foo=xxx.

Something like this might work:

xl create foo=`perl -e 'print "x" x 1000;'` bar=`perl -e 'print "x" x 1000;'` berk=`perl -e 'print "x" x 1000;'`  

perhaps add more strings.
Comment 14 Swamp Workflow Management 2015-07-28 09:09:03 UTC
SUSE-SU-2015:1302-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 925466,935256,935634,938344
CVE References: CVE-2015-3259,CVE-2015-5154
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.2_08-22.5.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.2_08-22.5.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.2_08-22.5.1
Comment 15 Swamp Workflow Management 2015-09-02 16:10:23 UTC
SUSE-SU-2015:1479-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 922709,932996,935634,938344,939709,939712
CVE References: CVE-2015-2751,CVE-2015-3259,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    xen-4.2.5_12-15.1
SUSE Linux Enterprise Server 11-SP3 (src):    xen-4.2.5_12-15.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    xen-4.2.5_12-15.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_12-15.1
Comment 16 Swamp Workflow Management 2015-09-02 17:10:06 UTC
SUSE-SU-2015:1479-2: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 922709,932996,935634,938344,939709,939712
CVE References: CVE-2015-2751,CVE-2015-3259,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166
Sources used:
SUSE Linux Enterprise Desktop 11-SP3 (src):    xen-4.2.5_12-15.1
Comment 17 Marcus Meissner 2015-09-03 06:34:11 UTC
released
Comment 18 Swamp Workflow Management 2015-11-17 10:13:15 UTC
openSUSE-SU-2015:2003-1: An update that solves 13 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 877642,901488,907514,910258,918984,923967,925466,932267,935634,938344,939709,939712,944463,944697,945167,947165,949138,950367,950703,950705,950706,951845
CVE References: CVE-2014-0222,CVE-2015-3259,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972
Sources used:
openSUSE 13.2 (src):    xen-4.4.3_02-30.1