| Summary: | xen new security issues CVE-2024-31142 and CVE-2024-2201 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | xen-4.18.0-5.mga10.src.rpm | CVE: | CVE-2024-31142, CVE-2024-2201 |
| Status comment: | Fixed upstream in 4.18.2 and 4.17.4 | ||
| Attachments: | Commands testing xen | ||
|
Description
Nicolas Salguero
2024-04-10 11:36:16 CEST
Nicolas Salguero
2024-04-10 11:37:05 CEST
Whiteboard:
(none) =>
MGA9TOO
We only just have version 4.18.1 in Cauldron!
Different packagers handle xen, so assigning this globally.
Assignee:
bugsquad =>
pkg-bugs
xen-4.18.2-1.mga10 failed to build with:
"""
checking ABI=64
checking compiler gcc -mno-red-zone -O1 -fno-omit-frame-pointer -O1 -fno-omit-frame-pointer -m64 -mno-red-zone -fno-reorder-blocks -fno-asynchronous-unwind-tables -m64 -DBUILD_ID -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-but-set-variable -Wno-unused-local-typedefs -Wno-error=array-bounds -fno-pie -fno-stack-protector -fno-exceptions -fno-asynchronous-unwind-tables -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/cross-root-x86_64/x86_64-xen-elf/include -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/../extras/mini-os/include -D__MINIOS__ -DHAVE_LIBC -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/../extras/mini-os/include/posix -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/../tools/include -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/../extras/mini-os/include/x86 -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/../extras/mini-os/include/x86/x86_64 -U __linux__ -U __FreeBSD__ -U __sun__ -nostdinc -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/../extras/mini-os/include/posix -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/cross-root-x86_64/x86_64-xen-elf/include -isystem /usr/lib/gcc/x86_64-mageia-linux/14/include -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/lwip-x86_64/src/include -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/lwip-x86_64/src/include/ipv4 -I/home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/include -I/home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/../xen/include...
no, long long reliability test 1
checking ABI=32
checking compiler gcc -mno-red-zone -O1 -fno-omit-frame-pointer -O1 -fno-omit-frame-pointer -m64 -mno-red-zone -fno-reorder-blocks -fno-asynchronous-unwind-tables -m64 -DBUILD_ID -fno-strict-aliasing -std=gnu99 -Wall -Wstrict-prototypes -Wno-unused-but-set-variable -Wno-unused-local-typedefs -Wno-error=array-bounds -fno-pie -fno-stack-protector -fno-exceptions -fno-asynchronous-unwind-tables -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/cross-root-x86_64/x86_64-xen-elf/include -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/../extras/mini-os/include -D__MINIOS__ -DHAVE_LIBC -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/../extras/mini-os/include/posix -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/../tools/include -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/../extras/mini-os/include/x86 -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/../extras/mini-os/include/x86/x86_64 -U __linux__ -U __FreeBSD__ -U __sun__ -nostdinc -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/../extras/mini-os/include/posix -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/cross-root-x86_64/x86_64-xen-elf/include -isystem /usr/lib/gcc/x86_64-mageia-linux/14/include -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/lwip-x86_64/src/include -isystem /home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/lwip-x86_64/src/include/ipv4 -I/home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/include -I/home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom/../xen/include...
no, long long reliability test 1
configure: error: could not find a working compiler, see config.log for details
make: *** [Makefile:192: gmp-x86_64] Error 1
make: Leaving directory '/home/iurt/rpmbuild/BUILD/xen-4.18.2/stubdom'
"""
See: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20240411130648.ns80.duvel.3501848/xen-4.18.2-1.mga10/build.x86_64.0.20240411132546.log
Suggested advisory:
========================
The updated packages fix security vulnerabilities:
Incorrect logic for BTC/SRSO mitigations. (CVE-2024-31142)
Native Branch History Injection. (CVE-2024-2201)
References:
https://www.openwall.com/lists/oss-security/2024/04/09/14
https://www.openwall.com/lists/oss-security/2024/04/09/15
========================
Updated packages in core/updates_testing:
========================
lib(64)xen3.0-4.17.4-1.mga9
lib(64)xen-devel-4.17.4-1.mga9
ocaml-xen-4.17.4-1.mga9
ocaml-xen-devel-4.17.4-1.mga9
xen-4.17.4-1.mga9
xen-hypervisor-4.17.4-1.mga9
xen-licenses-4.17.4-1.mga9
xen-runtime-4.17.4-1.mga9
from SRPM:
xen-4.17.4-1.mga9.src.rpm
katnatek
2024-04-13 04:39:29 CEST
Version:
Cauldron =>
9
RH mageia 9 x86_64
LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release (distrib1)")
edk2-ovmf-xen 20221117git> 7.mga9 noarch (recommended)
python3-lxml 4.9.2 1.mga9 x86_64
(medium "Core Updates (distrib3)")
kernel-server 6.6.22 1.mga9 x86_64
(command line)
lib64xen-devel 4.17.4 1.mga9 x86_64
lib64xen3.0 4.17.4 1.mga9 x86_64
ocaml-xen 4.17.4 1.mga9 x86_64
ocaml-xen-devel 4.17.4 1.mga9 x86_64
xen 4.17.4 1.mga9 x86_64
xen-hypervisor 4.17.4 1.mga9 x86_64
xen-licenses 4.17.4 1.mga9 x86_64
xen-runtime 4.17.4 1.mga9 x86_64
193MB of additional disk space will be used.
115MB of packages will be retrieved.
Proceed with the installation of the 11 packages? (Y/n) y
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-lxml-4.9.2-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/edk2-ovmf-xen-20221117gitfff6d81270b5-7.mga9.noarch.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/kernel-server-6.6.22-1.mga9.x86_64.rpm
installing /var/cache/urpmi/rpms/kernel-server-6.6.22-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/xen-hypervisor-4.17.4-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/xen-licenses-4.17.4-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/xen-4.17.4-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/python3-lxml-4.9.2-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/ocaml-xen-devel-4.17.4-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/lib64xen3.0-4.17.4-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/xen-runtime-4.17.4-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/lib64xen-devel-4.17.4-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/ocaml-xen-4.17.4-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/edk2-ovmf-xen-20221117gitfff6d81270b5-7.mga9.noarch.rpm
Preparing... ######################################################################################
1/11: xen-licenses ######################################################################################
2/11: lib64xen3.0 ######################################################################################
3/11: lib64xen-devel ######################################################################################
4/11: ocaml-xen ######################################################################################
5/11: edk2-ovmf-xen ######################################################################################
6/11: xen-hypervisor ######################################################################################
Generating grub configuration file ...
Found theme: /boot/grub2/themes/maggy/theme.txt
Found linux image: /boot/vmlinuz-6.6.22-desktop-1.mga9
Found initrd image: /boot/initrd-6.6.22-desktop-1.mga9.img
Found linux image: /boot/vmlinuz-6.6.22-desktop-1.mga9
Found initrd image: /boot/initrd-6.6.22-desktop-1.mga9.img
Found memtest image: /boot/memtest
Adding boot menu entry for UEFI Firmware Settings ...
done
7/11: python3-lxml ######################################################################################
8/11: kernel-server ######################################################################################
9/11: xen-runtime ######################################################################################
Created symlink /etc/systemd/system/multi-user.target.wants/xenstored.service -> /usr/lib/systemd/system/xenstored.service.
Created symlink /etc/systemd/system/multi-user.target.wants/xenconsoled.service -> /usr/lib/systemd/system/xenconsoled.service.
10/11: xen ######################################################################################
Created symlink /etc/systemd/system/multi-user.target.wants/xendomains.service -> /usr/lib/systemd/system/xendomains.service.
11/11: ocaml-xen-devel ######################################################################################
1/5: removing ocaml-xen-devel-4.17.3-1.1.mga9.x86_64
######################################################################################
2/5: removing lib64xen-devel-4.17.3-1.1.mga9.x86_64
######################################################################################
3/5: removing ocaml-xen-4.17.3-1.1.mga9.x86_64
######################################################################################
4/5: removing lib64xen3.0-4.17.3-1.1.mga9.x86_64
######################################################################################
5/5: removing xen-licenses-4.17.3-1.1.mga9.x86_64
######################################################################################
remove-boot-splash: Format of /boot/initrd-6.6.22-server-1.mga9.img not recognized
You should restart your computer for kernel-server
Tomorrow the rest of the test
Created attachment 14498
Commands testing xen
RH mageia 9 x86_64
Boot Mageia with Xen Hypervisor
Still see the warning at boot time reported in https://bugs.mageia.org/show_bug.cgi?id=32905#c10
Run the same commands as in https://bugs.mageia.org/show_bug.cgi?id=32905#c11
Looks good
katnatek
2024-04-14 02:52:46 CEST
CC:
(none) =>
andrewsfarm
katnatek
2024-04-14 02:53:03 CEST
Whiteboard:
(none) =>
MGA9-64-OK
Validating.
Keywords:
(none) =>
validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGAA-2024-0128.html
Resolution:
(none) =>
FIXED |