Debian Bug report logs - #688125
CVE-2012-2625 / CVE-2012-4544

version graph

Package: xen; Maintainer for xen is Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 19 Sep 2012 15:39:07 UTC

Severity: important

Tags: security

Fixed in version 4.1.3-4

Done: Bastian Blank <waldi@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#688125; Package xen. (Wed, 19 Sep 2012 15:39:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Wed, 19 Sep 2012 15:39:09 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xen: CVE-2012-2625
Date: Wed, 19 Sep 2012 17:33:41 +0200
Package: xen
Severity: important
Tags: security
Justification: user security hole

Hi,
This issue is still unfixed in Wheezy:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2625

Patch:
http://xenbits.xensource.com/hg/xen-unstable.hg/rev/60f09d1ab1fe

Cheers,
        Moritz



Reply sent to Bastian Blank <waldi@debian.org>:
You have taken responsibility. (Wed, 19 Sep 2012 15:51:07 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 19 Sep 2012 15:51:07 GMT) Full text and rfc822 format available.

Message #10 received at 688125-done@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: 688125-done@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#688125: xen: CVE-2012-2625
Date: Wed, 19 Sep 2012 17:47:51 +0200
On Wed, Sep 19, 2012 at 05:33:41PM +0200, Moritz Muehlenhoff wrote:
> This issue is still unfixed in Wheezy:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2625
> http://xenbits.xensource.com/hg/xen-unstable.hg/rev/60f09d1ab1fe

Two different problems. No known patch for the first one.

Bastian

-- 
Peace was the way.
		-- Kirk, "The City on the Edge of Forever", stardate unknown



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#688125; Package xen. (Fri, 21 Sep 2012 08:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ian Campbell <ijc@hellion.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Fri, 21 Sep 2012 08:45:03 GMT) Full text and rfc822 format available.

Message #15 received at 688125@bugs.debian.org (full text, mbox):

From: Ian Campbell <ijc@hellion.org.uk>
To: 688125@bugs.debian.org
Cc: Bastian Blank <waldi@debian.org>
Subject: Re: [Pkg-xen-devel] Bug#688125: marked as done (xen: CVE-2012-2625)
Date: Fri, 21 Sep 2012 09:40:27 +0100
On Wed, 2012-09-19 at 15:51 +0000, Debian Bug Tracking System wrote:
> > On Wed, Sep 19, 2012 at 05:33:41PM +0200, Moritz Muehlenhoff wrote:
> > > This issue is still unfixed in Wheezy:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2625
> > > http://xenbits.xensource.com/hg/xen-unstable.hg/rev/60f09d1ab1fe
> > 
> > Two different problems. No known patch for the first one.

Wrong. 

60f09d1ab1fe is the fix for precisely the issue described in
CVE-2012-2625.

If you think there is another issue then please tell us about it (on
security@xen.org if you prefer).

Ian.

-- 
Ian Campbell
Current Noise: Bastard Priest - Evil Pain

Give me a sleeping pill and tell me your troubles.




Bug reopened Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Fri, 21 Sep 2012 09:30:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#688125; Package xen. (Fri, 21 Sep 2012 12:24:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Fri, 21 Sep 2012 12:24:05 GMT) Full text and rfc822 format available.

Message #22 received at 688125@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: Ian Campbell <ijc@hellion.org.uk>, 688125@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#688125: Bug#688125: marked as done (xen: CVE-2012-2625)
Date: Fri, 21 Sep 2012 14:23:13 +0200
On Fri, Sep 21, 2012 at 09:40:27AM +0100, Ian Campbell wrote:
> On Wed, 2012-09-19 at 15:51 +0000, Debian Bug Tracking System wrote:
> > > On Wed, Sep 19, 2012 at 05:33:41PM +0200, Moritz Muehlenhoff wrote:
> > > > This issue is still unfixed in Wheezy:
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2625
> > > > http://xenbits.xensource.com/hg/xen-unstable.hg/rev/60f09d1ab1fe
> > > Two different problems. No known patch for the first one.
> 60f09d1ab1fe is the fix for precisely the issue described in
> CVE-2012-2625.

The referenced bug marked with CVE-2012-2625 speaks about the pv loader
for bzip2 and lzma kernels. This loader is implemented in libxenctrl and
the hypervisor for dom0. I see no mitigation in this code against large
decompressed files. Plus there is an integer overflow.

60f09d1ab1fe fixes reading too large files from guest filesystems using
pygrub.

Bastian

-- 
But Captain -- the engines can't take this much longer!



Reply sent to Bastian Blank <waldi@debian.org>:
You have taken responsibility. (Sun, 07 Oct 2012 16:09:06 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 07 Oct 2012 16:09:06 GMT) Full text and rfc822 format available.

Message #27 received at 688125-done@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: Ian Campbell <ijc@hellion.org.uk>, 688125-done@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#688125: Bug#688125: Bug#688125: marked as done (xen: CVE-2012-2625)
Date: Sun, 7 Oct 2012 18:07:31 +0200
On Fri, Sep 21, 2012 at 02:23:13PM +0200, Bastian Blank wrote:
> The referenced bug marked with CVE-2012-2625 speaks about the pv loader
> for bzip2 and lzma kernels. This loader is implemented in libxenctrl and
> the hypervisor for dom0. I see no mitigation in this code against large
> decompressed files. Plus there is an integer overflow.
> 
> 60f09d1ab1fe fixes reading too large files from guest filesystems using
> pygrub.

I received no further information. Please reopen _after_ you figured
out, which one this is and this information got published in the CVE
list.

Bastian

-- 
Worlds are conquered, galaxies destroyed -- but a woman is always a woman.
		-- Kirk, "The Conscience of the King", stardate 2818.9



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#688125; Package xen. (Mon, 29 Oct 2012 08:45:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Mon, 29 Oct 2012 08:45:05 GMT) Full text and rfc822 format available.

Message #32 received at 688125@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Bastian Blank <waldi@debian.org>
Cc: Ian Campbell <ijc@hellion.org.uk>, 688125@bugs.debian.org, control@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#688125: Bug#688125: Bug#688125: marked as done (xen: CVE-2012-2625)
Date: Mon, 29 Oct 2012 09:38:18 +0100
reopen 688125
retitle 688125 CVE-2012-2625 / CVE-2012-4544
thanks

On Sun, Oct 07, 2012 at 06:07:31PM +0200, Bastian Blank wrote:
> On Fri, Sep 21, 2012 at 02:23:13PM +0200, Bastian Blank wrote:
> > The referenced bug marked with CVE-2012-2625 speaks about the pv loader
> > for bzip2 and lzma kernels. This loader is implemented in libxenctrl and
> > the hypervisor for dom0. I see no mitigation in this code against large
> > decompressed files. Plus there is an integer overflow.
> > 
> > 60f09d1ab1fe fixes reading too large files from guest filesystems using
> > pygrub.
> 
> I received no further information. Please reopen _after_ you figured
> out, which one this is and this information got published in the CVE
> list.

Please see http://lists.xen.org/archives/html/xen-devel/2012-10/msg02015.html
for clarification

Cheers,
        Moritz



Bug reopened Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Mon, 29 Oct 2012 08:45:07 GMT) Full text and rfc822 format available.

Changed Bug title to 'CVE-2012-2625 / CVE-2012-4544' from 'xen: CVE-2012-2625' Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Mon, 29 Oct 2012 08:45:07 GMT) Full text and rfc822 format available.

Reply sent to Bastian Blank <waldi@debian.org>:
You have taken responsibility. (Thu, 31 Jan 2013 14:18:06 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 31 Jan 2013 14:18:06 GMT) Full text and rfc822 format available.

Message #41 received at 688125-done@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: 688125-done@bugs.debian.org
Subject: fixed
Date: Thu, 31 Jan 2013 15:14:50 +0100
Version: 4.1.3-4
-- 
Killing is stupid; useless!
		-- McCoy, "A Private Little War", stardate 4211.8



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Mar 2013 07:26:08 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 14:19:16 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.