author | Ian Delaney <idella4@gentoo.org> | 2013-11-22 12:32:12 +0000 |
---|---|---|
committer | Ian Delaney <idella4@gentoo.org> | 2013-11-22 12:32:12 +0000 |
commit | e3286f47a571b4d2dc7aea57e54aaf9a3b019a11 (patch) | |
tree | 62df762a714cb67414603187009979ab0ddd4adc /app-emulation | |
parent | Version bump. (diff) | |
Adding more security patches to 4.3.0 from Bug #486354, drop old
(Portage version: 2.2.0/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D)
Diffstat (limited to 'app-emulation')
-rw-r--r-- | app-emulation/xen/ChangeLog | 10 | ||||
-rw-r--r-- | app-emulation/xen/files/xen-4.3-CVE-2013-6375-XSA-75.patch | 56 | ||||
-rw-r--r-- | app-emulation/xen/files/xen-CVE-2013-6375-XSA-78.patch | 23 | ||||
-rw-r--r-- | app-emulation/xen/xen-4.3.0-r1.ebuild | 135 | ||||
-rw-r--r-- | app-emulation/xen/xen-4.3.0-r3.ebuild (renamed from app-emulation/xen/xen-4.3.0-r2.ebuild) | 6 | ||||
-rw-r--r-- | app-emulation/xen/xen-4.3.0.ebuild | 131 |
6 files changed, 92 insertions, 269 deletions
diff --git a/app-emulation/xen/ChangeLog b/app-emulation/xen/ChangeLog
index 343cb3b8b539..7be8a3a5aa97 100644
--- a/app-emulation/xen/ChangeLog
+++ b/app-emulation/xen/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for app-emulation/xen
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.131 2013/11/06 06:45:18 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.132 2013/11/22 12:32:12 idella4 Exp $
+
+*xen-4.3.0-r3 (22 Nov 2013)
+
+ 22 Nov 2013; Ian Delaney <idella4@gentoo.org>
+ +files/xen-4.3-CVE-2013-6375-XSA-75.patch,
+ +files/xen-CVE-2013-6375-XSA-78.patch, +xen-4.3.0-r3.ebuild,
+ -xen-4.3.0-r1.ebuild, -xen-4.3.0-r2.ebuild, -xen-4.3.0.ebuild:
+ Adding more security patches to 4.3.0 from Bug #486354, drop old
 
 *xen-4.3.0-r2 (06 Nov 2013)
 
diff --git a/app-emulation/xen/files/xen-4.3-CVE-2013-6375-XSA-75.patch b/app-emulation/xen/files/xen-4.3-CVE-2013-6375-XSA-75.patch
new file mode 100644
index 000000000000..5db50cf53f3e
--- /dev/null
+++ b/app-emulation/xen/files/xen-4.3-CVE-2013-6375-XSA-75.patch
@@ -0,0 +1,56 @@
+nested VMX: VMLANUCH/VMRESUME emulation must check permission first thing
+
+Otherwise uninitialized data may be used, leading to crashes.
+
+This is XSA-75.
+
+Reported-and-tested-by: Jeff Zimmerman <Jeff_Zimmerman@McAfee.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-and-tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/hvm/vmx/vvmx.c
++++ b/xen/arch/x86/hvm/vmx/vvmx.c
+@@ -1509,15 +1509,10 @@ static void clear_vvmcs_launched(struct
+ }
+ }
+
+-int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
++static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
+ {
+ struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
+ struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
+- int rc;
+-
+- rc = vmx_inst_check_privilege(regs, 0);
+- if ( rc != X86EMUL_OKAY )
+- return rc;
+
+ /* check VMCS is valid and IO BITMAP is set */
+ if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&
+@@ -1536,6 +1531,10 @@ int nvmx_handle_vmresume(struct cpu_user
+ struct vcpu *v = current;
+ struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
+ struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
++ int rc = vmx_inst_check_privilege(regs, 0);
++
++ if ( rc != X86EMUL_OKAY )
++ return rc;
+
+ if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
+ {
+@@ -1555,10 +1554,13 @@ int nvmx_handle_vmresume(struct cpu_user
+ int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)
+ {
+ bool_t launched;
+- int rc;
+ struct vcpu *v = current;
+ struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
+ struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
++ int rc = vmx_inst_check_privilege(regs, 0);
++
++ if ( rc != X86EMUL_OKAY )
++ return rc;
+
+ if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
+ {
+
diff --git a/app-emulation/xen/files/xen-CVE-2013-6375-XSA-78.patch b/app-emulation/xen/files/xen-CVE-2013-6375-XSA-78.patch
new file mode 100644
index 000000000000..5a8c1330ac3d
--- /dev/null
+++ b/app-emulation/xen/files/xen-CVE-2013-6375-XSA-78.patch
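Review bot: Both new patch files carry the same CVE identifier in their name (`xen-4.3-CVE-2013-6375-XSA-75.patch` here, `xen-CVE-2013-6375-XSA-78.patch` in the next file) although they fix two different advisories, XSA-75 and XSA-78, so at least one filename presumably names the wrong CVE; the `+files/...` lines in the ChangeLog hunk and the two `epatch` lines added in the xen-4.3.0-r3.ebuild hunk repeat the same names. The patch body only identifies itself as `This is XSA-75.` and carries no CVE, so the filename is the only place the mapping is recorded and it is worth checking against the advisory text and Bug #486354 before it settles into the tree. Unlike the XSA-78 file, this one also records no origin: a first line naming the source of the backport, as the sibling file does with its `http://…/xsa78.patch` line, would make the provenance of this 4.3-specific copy verifiable.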
@@ -0,0 +1,23 @@
+http://seclists.org/oss-sec/2013/q4/att-322/xsa78.patch
+VT-d: fix TLB flushing in dma_pte_clear_one()
+
+The third parameter of __intel_iommu_iotlb_flush() is to indicate
+whether the to be flushed entry was a present one. A few lines before,
+we bailed if !dma_pte_present(*pte), so there's no need to check the
+flag here again - we can simply always pass TRUE here.
+
+This is XSA-78.
+
+Suggested-by: Cheng Yueqiang <yqcheng.2008@phdis.smu.edu.sg>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/drivers/passthrough/vtd/iommu.c
++++ b/xen/drivers/passthrough/vtd/iommu.c
+@@ -646,7 +646,7 @@ static void dma_pte_clear_one(struct dom
+ iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
+
+ if ( !this_cpu(iommu_dont_flush_iotlb) )
+- __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K , 0, 1);
++ __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K, 1, 1);
+
+ unmap_vtd_domain_page(page);
diff --git a/app-emulation/xen/xen-4.3.0-r1.ebuild b/app-emulation/xen/xen-4.3.0-r1.ebuild
deleted file mode 100644
index eb5038496f3e..000000000000
--- a/app-emulation/xen/xen-4.3.0-r1.ebuild
+++ /dev/null
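Review bot: The embedded hunk header `+@@ -646,7 +646,7 @@` announces seven lines on each side, but only six follow it (`iommu_flush_cache_entry(...)`, a blank, the `if ( !this_cpu(...) )` line, the -/+ pair, a blank, and `unmap_vtd_domain_page(page);`), so the copy looks one trailing context line short. If that is the file as committed rather than a rendering artefact, `patch` may reject the hunk and `epatch` would then abort src_prepare for every user of xen-4.3.0-r3; comparing the file byte-for-byte with the seclists attachment named on its first line would settle it. The same check is cheap to apply to the XSA-75 file, whose three inner hunks do add up to their headers here.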
@@ -1,135 +0,0 @@
-# Copyright 1999-2013 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.3.0-r1.ebuild,v 1.1 2013/10/02 17:22:28 idella4 Exp $
-
-EAPI=5
-
-PYTHON_COMPAT=( python2_7 )
-
-if [[ $PV == *9999 ]]; then
- KEYWORDS=""
- REPO="xen-unstable.hg"
- EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
- S="${WORKDIR}/${REPO}"
- live_eclass="mercurial"
-else
- KEYWORDS="~amd64 ~x86"
- SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
-fi
-
-inherit mount-boot flag-o-matic python-any-r1 toolchain-funcs eutils ${live_eclass}
-
-DESCRIPTION="The Xen virtual machine monitor"
-HOMEPAGE="http://xen.org/"
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="custom-cflags debug efi flask pae xsm"
-
-DEPEND="${PYTHON_DEPS}
- efi? ( >=sys-devel/binutils-2.22[multitarget] )
- !efi? ( >=sys-devel/binutils-2.22[-multitarget] )"
-RDEPEND=""
-PDEPEND="~app-emulation/xen-tools-${PV}"
-
-RESTRICT="test"
-
-# Approved by QA team in bug #144032
-QA_WX_LOAD="boot/xen-syms-${PV}"
-
-REQUIRED_USE="flask? ( xsm )"
-
-pkg_setup() {
- python-any-r1_pkg_setup
- if [[ -z ${XEN_TARGET_ARCH} ]]; then
- if use x86 && use amd64; then
- die "Confusion! Both x86 and amd64 are set in your use flags!"
- elif use x86; then
- export XEN_TARGET_ARCH="x86_32"
- elif use amd64; then
- export XEN_TARGET_ARCH="x86_64"
- else
- die "Unsupported architecture!"
- fi
- fi
-
- if use flask ; then
- export "XSM_ENABLE=y"
- export "FLASK_ENABLE=y"
- elif use xsm ; then
- export "XSM_ENABLE=y"
- fi
-}
-
-src_prepare() {
- # Drop .config and fix gcc-4.6
- epatch "${FILESDIR}"/${PN/-pvgrub/}-4.3-fix_dotconfig-gcc.patch
-
- if use efi; then
- epatch "${FILESDIR}"/${PN}-4.2-efi.patch
- export EFI_VENDOR="gentoo"
- export EFI_MOUNTPOINT="boot"
- fi
-
- # if the user *really* wants to use their own custom-cflags, let them
- if use custom-cflags; then
- einfo "User wants their own CFLAGS - removing defaults"
- # try and remove all the default custom-cflags
- find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
- -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
- -i {} \; || die "failed to re-set custom-cflags"
- fi
-
- # not strictly necessary to fix this
- sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py"
-
- #Security patches
- epatch "${FILESDIR}"/${PN}-CVE-2013-1442-XSA-62.patch \
- "${FILESDIR}"/${PN}-CVE-2013-4355-XSA-63.patch \
- "${FILESDIR}"/${PN}-CVE-2013-4356-XSA-64.patch \
- "${FILESDIR}"/${PN}-CVE-2013-4361-XSA-66.patch
-
- epatch_user
-}
-
-src_configure() {
- use debug && myopt="${myopt} debug=y"
- use pae && myopt="${myopt} pae=y"
-
- if use custom-cflags; then
- filter-flags -fPIE -fstack-protector
- replace-flags -O3 -O2
- else
- unset CFLAGS
- fi
-}
-
-src_compile() {
- # Send raw LDFLAGS so that --as-needed works
- emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt}
-}
-
-src_install() {
- local myopt
- use debug && myopt="${myopt} debug=y"
- use pae && myopt="${myopt} pae=y"
-
- # The 'make install' doesn't 'mkdir -p' the subdirs
- if use efi; then
- mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die
- fi
-
- emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install
-}
-
-pkg_postinst() {
- elog "Official Xen Guide and the unoffical wiki page:"
- elog " http://www.gentoo.org/doc/en/xen-guide.xml"
- elog " http://en.gentoo-wiki.com/wiki/Xen/"
-
- use pae && ewarn "This is a PAE build of Xen. It will *only* boot PAE kernels!"
- use efi && einfo "The efi executable is installed in boot/efi/gentoo"
-}
diff --git a/app-emulation/xen/xen-4.3.0-r2.ebuild b/app-emulation/xen/xen-4.3.0-r3.ebuild
index 0eebe254b236..5667e184f874 100644
--- a/app-emulation/xen/xen-4.3.0-r2.ebuild
+++ b/app-emulation/xen/xen-4.3.0-r3.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.3.0-r2.ebuild,v 1.1 2013/11/06 06:45:18 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.3.0-r3.ebuild,v 1.1 2013/11/22 12:32:12 idella4 Exp $
 
 EAPI=5
 
@@ -93,7 +93,9 @@ src_prepare() {
 "${FILESDIR}"/${PN}-CVE-2013-4361-XSA-66.patch \
 "${FILESDIR}"/${PN}-CVE-2013-4368-XSA-67.patch \
 "${FILESDIR}"/${PN}-CVE-2013-4375-XSA-71.patch \
- "${FILESDIR}"/${PN}-CVE-2013-4494-XSA-73.patch
+ "${FILESDIR}"/${PN}-CVE-2013-4494-XSA-73.patch \
+ "${FILESDIR}"/${PN}-4.3-CVE-2013-6375-XSA-75.patch \
+ "${FILESDIR}"/${PN}-CVE-2013-6375-XSA-78.patch
 
 epatch_user
 }
diff --git a/app-emulation/xen/xen-4.3.0.ebuild b/app-emulation/xen/xen-4.3.0.ebuild
deleted file mode 100644
index 674c6b46088b..000000000000
--- a/app-emulation/xen/xen-4.3.0.ebuild
+++ /dev/null
@@ -1,131 +0,0 @@
-# Copyright 1999-2013 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.3.0.ebuild,v 1.2 2013/07/28 09:13:36 jcallen Exp $
-
-EAPI=5
-
-PYTHON_COMPAT=( python2_7 )
-
-if [[ $PV == *9999 ]]; then
- KEYWORDS=""
- REPO="xen-unstable.hg"
- EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
- S="${WORKDIR}/${REPO}"
- live_eclass="mercurial"
-else
- KEYWORDS="~amd64 ~x86"
- SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
-fi
-
-inherit mount-boot flag-o-matic python-any-r1 toolchain-funcs eutils ${live_eclass}
-
-DESCRIPTION="The Xen virtual machine monitor"
-HOMEPAGE="http://xen.org/"
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="custom-cflags debug efi flask pae xsm"
-
-DEPEND="${PYTHON_DEPS}
- efi? ( >=sys-devel/binutils-2.22[multitarget] )
- !efi? ( >=sys-devel/binutils-2.22[-multitarget] )"
-RDEPEND=""
-PDEPEND="~app-emulation/xen-tools-${PV}"
-
-RESTRICT="test"
-
-# Approved by QA team in bug #144032
-QA_WX_LOAD="boot/xen-syms-${PV}"
-
-REQUIRED_USE="flask? ( xsm )"
-
-pkg_setup() {
- python-any-r1_pkg_setup
- if [[ -z ${XEN_TARGET_ARCH} ]]; then
- if use x86 && use amd64; then
- die "Confusion! Both x86 and amd64 are set in your use flags!"
- elif use x86; then
- export XEN_TARGET_ARCH="x86_32"
- elif use amd64; then
- export XEN_TARGET_ARCH="x86_64"
- else
- die "Unsupported architecture!"
- fi
- fi
-
- if use flask ; then
- export "XSM_ENABLE=y"
- export "FLASK_ENABLE=y"
- elif use xsm ; then
- export "XSM_ENABLE=y"
- fi
-}
-
-src_prepare() {
- # Drop .config and fix gcc-4.6
- epatch "${FILESDIR}"/${PN/-pvgrub/}-4.3-fix_dotconfig-gcc.patch
-
- if use efi; then
- epatch "${FILESDIR}"/${PN}-4.2-efi.patch
- export EFI_VENDOR="gentoo"
- export EFI_MOUNTPOINT="boot"
- fi
-
- # if the user *really* wants to use their own custom-cflags, let them
- if use custom-cflags; then
- einfo "User wants their own CFLAGS - removing defaults"
- # try and remove all the default custom-cflags
- find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
- -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
- -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
- -i {} \; || die "failed to re-set custom-cflags"
- fi
-
- # not strictly necessary to fix this
- sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py"
-
- #Security patches
-
- epatch_user
-}
-
-src_configure() {
- use debug && myopt="${myopt} debug=y"
- use pae && myopt="${myopt} pae=y"
-
- if use custom-cflags; then
- filter-flags -fPIE -fstack-protector
- replace-flags -O3 -O2
- else
- unset CFLAGS
- fi
-}
-
-src_compile() {
- # Send raw LDFLAGS so that --as-needed works
- emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt}
-}
-
-src_install() {
- local myopt
- use debug && myopt="${myopt} debug=y"
- use pae && myopt="${myopt} pae=y"
-
- # The 'make install' doesn't 'mkdir -p' the subdirs
- if use efi; then
- mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die
- fi
-
- emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install
-}
-
-pkg_postinst() {
- elog "Official Xen Guide and the unoffical wiki page:"
- elog " http://www.gentoo.org/doc/en/xen-guide.xml"
- elog " http://en.gentoo-wiki.com/wiki/Xen/"
-
- use pae && ewarn "This is a PAE build of Xen. It will *only* boot PAE kernels!"
- use efi && einfo "The efi executable is installed in boot/efi/gentoo"
-}
|