CVS commit: [pkgsrc-2015Q1] pkgsrc/sysutils/xenkernel45

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: [pkgsrc-2015Q1] pkgsrc/sysutils/xenkernel45
From: "S.P.Zeidler" <spz%netbsd.org@localhost>
Date: Sat, 13 Jun 2015 09:13:34 +0000

Module Name:    pkgsrc
Committed By:   spz
Date:           Sat Jun 13 09:13:34 UTC 2015

Modified Files:
        pkgsrc/sysutils/xenkernel45 [pkgsrc-2015Q1]: Makefile distinfo
Added Files:
        pkgsrc/sysutils/xenkernel45/patches [pkgsrc-2015Q1]:
            patch-CVE-2015-3456

Log Message:
Pullup ticket #4743 - requested by khorben
sysutils/xenkernel45: security patch

Revisions pulled up:
- sysutils/xenkernel45/Makefile                                 1.8
- sysutils/xenkernel45/distinfo                                 1.7
- sysutils/xenkernel45/patches/patch-CVE-2015-3456              1.1

-------------------------------------------------------------------
   Module Name: pkgsrc
   Committed By:        khorben
   Date:                Fri Jun  5 17:15:04 UTC 2015

   Modified Files:
        pkgsrc/sysutils/xenkernel45: Makefile distinfo
   Added Files:
        pkgsrc/sysutils/xenkernel45/patches: patch-CVE-2015-3456

   Log Message:
   Apply fixes from upstream for XSA-133

   Privilege escalation via emulated floppy disk drive

   The code in qemu which emulates a floppy disk controller did not
   correctly bounds check accesses to an array and therefore was
   vulnerable to a buffer overflow attack.

   A guest which has access to an emulated floppy device can exploit this
   vulnerability to take over the qemu process elevating its privilege to
   that of the qemu process.

   All Xen systems running x86 HVM guests without stubdomains are
   vulnerable to this depending on the specific guest configuration. The
   default configuration is vulnerable.

   Guests using either the traditional "qemu-xen" or upstream qemu device
   models are vulnerable.
   Guests using a qemu-dm stubdomain to run the device model are only
   vulnerable to takeover of that service domain.

   Systems running only x86 PV guests are not vulnerable.
   ARM systems are not vulnerable.

   To generate a diff of this commit:
   cvs rdiff -u -r1.7 -r1.8 pkgsrc/sysutils/xenkernel45/Makefile
   cvs rdiff -u -r1.6 -r1.7 pkgsrc/sysutils/xenkernel45/distinfo
   cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel45/patches/patch-CVE-2015-3456


To generate a diff of this commit:
cvs rdiff -u -r1.5.2.2 -r1.5.2.3 pkgsrc/sysutils/xenkernel45/Makefile
cvs rdiff -u -r1.4.2.2 -r1.4.2.3 pkgsrc/sysutils/xenkernel45/distinfo
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/sysutils/xenkernel45/patches/patch-CVE-2015-3456

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: [pkgsrc-2015Q1] pkgsrc/sysutils/xentools45
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: [pkgsrc-2015Q1] pkgsrc/sysutils/xentools45
Indexes:

Home | Main Index | Thread Index | Old Index