Bug 28530 - [Update candidate] xen packages fix new security issues (CVE-2021-26933 and CVE-2021-26934)
Summary: [Update candidate] xen packages fix new security issues (CVE-2021-26933 and C...
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2021-03-05 16:23 CET by Thierry Vignaud
Modified: 2021-07-13 10:49 CEST (History)
3 users (show)

See Also:
Source RPM: xen-4.14.1-1.mga8
CVE: CVE-2021-26933, CVE-2021-26934
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Thierry Vignaud 2021-03-05 16:23:05 CET 
Build: http://pkgsubmit.mageia.org/uploads/done/8/core/updates_testing/20210305081520.tv.duvel.8597/

Advisory:
==========
This update of xen add support for zstd dom0 & guest as well as fixes several security issues:
 - Linux: display frontend "be-alloc" mode is unsupported (comment only)
        [XSA-363, CVE-2021-26934] (rhbz#1929549)
- arm: The cache may not be cleaned for newly allocated scrubbed pages
        [XSA-364, CVE-2021-26933] (rhbz#1929547)
- backport upstream zstd dom0 and guest patches
- add weak dependency on grub modules to improve initial boot setup
- IRQ vector leak on x86 [XSA-360]

List of packages:
=================
libxen3.0-4.14.1-1.mga8.i586.rpm
libxen3.0-debuginfo-4.14.1-1.mga8.i586.rpm
libxen-devel-4.14.1-1.mga8.i586.rpm
ocaml-xen-4.14.1-1.mga8.i586.rpm
ocaml-xen-debuginfo-4.14.1-1.mga8.i586.rpm
ocaml-xen-devel-4.14.1-1.mga8.i586.rpm
xen-4.14.1-1.mga8.i586.rpm
xen-debuginfo-4.14.1-1.mga8.i586.rpm
xen-debugsource-4.14.1-1.mga8.i586.rpm
xen-doc-4.14.1-1.mga8.noarch.rpm
xen-hypervisor-4.14.1-1.mga8.i586.rpm
xen-licenses-4.14.1-1.mga8.i586.rpm
xen-runtime-4.14.1-1.mga8.i586.rpm
xen-runtime-debuginfo-4.14.1-1.mga8.i586.rpm


lib64xen3.0-4.14.1-1.mga8.x86_64.rpm
lib64xen3.0-debuginfo-4.14.1-1.mga8.x86_64.rpm
lib64xen-devel-4.14.1-1.mga8.x86_64.rpm
ocaml-xen-4.14.1-1.mga8.x86_64.rpm
ocaml-xen-debuginfo-4.14.1-1.mga8.x86_64.rpm
ocaml-xen-devel-4.14.1-1.mga8.x86_64.rpm
xen-4.14.1-1.mga8.x86_64.rpm
xen-debuginfo-4.14.1-1.mga8.x86_64.rpm
xen-debugsource-4.14.1-1.mga8.x86_64.rpm
xen-doc-4.14.1-1.mga8.noarch.rpm
xen-hypervisor-4.14.1-1.mga8.x86_64.rpm
xen-licenses-4.14.1-1.mga8.x86_64.rpm
xen-runtime-4.14.1-1.mga8.x86_64.rpm
xen-runtime-debuginfo-4.14.1-1.mga8.x86_64.rpm

(similar for armv7/aarch64)
Nicolas Lécureuil 2021-03-07 20:11:22 CET

CC: (none) => mageia
QA Contact: (none) => security

David Walser 2021-03-07 22:07:13 CET

Component: RPM Packages => Security

Comment 1 Dave Hodgins 2021-04-03 09:55:38 CEST 
http://mirror.math.princeton.edu/pub/mageia/distrib/8/x86_64/media/core/release/has xen-4.14.1-1.mga8.x86_64.rpm
http://mirror.math.princeton.edu/pub/mageia/distrib/8/x86_64/media/core/updates_testing/
has xen-4.14.1-1.mga8.x86_64.rpm

Looks like release bump was missed.

Keywords: (none) => feedback
CC: (none) => davidwhodgins

Comment 2 Dave Hodgins 2021-04-03 15:33:35 CEST 
Couldn't get the release version working with refind, so tried with grub2.

While it's no longer necessary to manually add a grub entry, I didn't figure
out how to change just the xen command line parameters, so just changed it
for all boots so in xen, /proc/cmdline has ...
placeholder root=UUID=1f3bf0c9-719c-4c75-b8e5-f03203154de0 ro noiswmd modprobedebug audit=0 nouveau.modeset=0 resume=LABEL=e1swap dom0_mem=4096MB vga=794

Xorg is failing to start with ...
[    25.736] (II) UnloadModule: "fbdev"
[    25.736] (II) Unloading fbdev
[    25.736] (II) UnloadSubModule: "fbdevhw"
[    25.736] (II) Unloading fbdevhw
[    25.736] (II) UnloadModule: "vesa"
[    25.736] (II) Unloading vesa
[    25.737] (II) NVIDIA: Using 24576.00 MB of virtual memory for indirect memory
[    25.737] (II) NVIDIA:     access.
[    25.743] (EE) NVIDIA(0): Failed to allocate shared surface
[    25.788] (EE) 
Fatal server error:
[    25.788] (EE) AddScreen/ScreenInit failed for driver 0

On a normal Mageia boot, the corresponding section has ...
[    16.769] (II) NVIDIA: Using 24576.00 MB of virtual memory for indirect memory
[    16.769] (II) NVIDIA:     access.
[    16.815] (II) NVIDIA(0): Setting mode "NULL"
[    16.829] (==) NVIDIA(0): Disabling shared memory pixmaps

The system has 16GB Ram, 32GB swap.

For xorg, I'm using mageia-prime with
# lspcidrake -v|grep Card
Card:ATI Volcanic Islands and later (amdgpu): Advanced Micro Devices, Inc. [AMD/ATI]|Renoir [DISPLAY_VGA] (vendor:1002 device:1636 subv:1043 subd:1e21) (rev: c6)
Card:NVIDIA GeForce 635 series and later: NVIDIA Corporation|TU106M [GeForce RTX 2060 Mobile] [DISPLAY_VGA] (vendor:10de device:1f15 subv:1043 subd:1e21) (rev: a1)

When the update with the bumped release is available, I'll just be checking
that the updates install cleanly over the current version, unless someone
can figure out what's needed to get this running.
Comment 3 Dave Hodgins 2021-04-03 16:06:48 CEST 
The existing xen also has an boot delaying bug with ...
Xen boot entries ask for nonexistent grub2 module2.mod

https://bugzilla.redhat.com/show_bug.cgi?id=1858364#c12
has a fix for that one.

This is with the release version packages isntalled for ...
grub2-emu-modules-2.04.0-29.mga8
grub2-mageia-theme-2.04.0-29.mga8
grub2-emu-2.04.0-29.mga8
grub2-common-2.04.0-29.mga8
grub2-efi-2.04.0-29.mga8
Comment 4 Aurelien Oudelet 2021-07-13 10:48:59 CEST 
Ping ? 101 days since last action here.

CC: (none) => ouaurelien
CVE: (none) => CVE-2021-26933, CVE-2021-26934
Summary: [Update candidate] xen => [Update candidate] xen packages fix new security issues (CVE-2021-26933

Aurelien Oudelet 2021-07-13 10:49:13 CEST

Summary: [Update candidate] xen packages fix new security issues (CVE-2021-26933 => [Update candidate] xen packages fix new security issues (CVE-2021-26933 and CVE-2021-26934)
Note You need to log in before you can comment on or make changes to this bug.