- Publication date: 2023-10-10
- Detected: 2023-10-10
- Vulnerability type: security update
- Risk level: unknown
- Fixed version: unknown
- Intelligence contributed by: TSRC
Multiple vulnerabilities in libfsimage disk handling
XSA-443 - Xen Security Advisories

Information
Advisory: XSA-443
Public release: 2023-10-10 12:00
Updated: 2023-10-10 12:09
Version: 3
CVE(s): CVE-2023-34325
Title: Multiple vulnerabilities in libfsimage disk handling
Files:
  advisory-443.txt (signed advisory file)
  xsa443/xsa443-01.patch, xsa443/xsa443-02.patch, xsa443/xsa443-03.patch, xsa443/xsa443-04.patch, xsa443/xsa443-05.patch, xsa443/xsa443-06.patch, xsa443/xsa443-07.patch, xsa443/xsa443-08.patch, xsa443/xsa443-09.patch, xsa443/xsa443-10.patch, xsa443/xsa443-11.patch
  xsa443/xsa443-4.15-01.patch, xsa443/xsa443-4.15-02.patch, xsa443/xsa443-4.15-03.patch, xsa443/xsa443-4.15-04.patch, xsa443/xsa443-4.15-05.patch, xsa443/xsa443-4.15-06.patch, xsa443/xsa443-4.15-07.patch, xsa443/xsa443-4.15-08.patch, xsa443/xsa443-4.15-09.patch, xsa443/xsa443-4.15-10.patch, xsa443/xsa443-4.15-11.patch
  xsa443/xsa443-4.16-01.patch, xsa443/xsa443-4.16-02.patch, xsa443/xsa443-4.16-03.patch, xsa443/xsa443-4.16-04.patch, xsa443/xsa443-4.16-05.patch, xsa443/xsa443-4.16-06.patch, xsa443/xsa443-4.16-07.patch, xsa443/xsa443-4.16-08.patch, xsa443/xsa443-4.16-09.patch, xsa443/xsa443-4.16-10.patch, xsa443/xsa443-4.16-11.patch
  xsa443/xsa443-4.17-01.patch, xsa443/xsa443-4.17-02.patch, xsa443/xsa443-4.17-03.patch, xsa443/xsa443-4.17-04.patch, xsa443/xsa443-4.17-05.patch, xsa443/xsa443-4.17-06.patch, xsa443/xsa443-4.17-07.patch, xsa443/xsa443-4.17-08.patch, xsa443/xsa443-4.17-09.patch, xsa443/xsa443-4.17-10.patch, xsa443/xsa443-4.17-11.patch

Advisory

            Xen Security Advisory CVE-2023-34325 / XSA-443
                               version 3

           Multiple vulnerabilities in libfsimage disk handling

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

libfsimage contains parsing code for several filesystems, most of them based on
grub-legacy code. libfsimage is used by pygrub to inspect guest disks.

Pygrub runs as the same user as the toolstack (root in a privileged domain).

At least one issue has been reported to the Xen Security Team that allows an
attacker to trigger a stack buffer overflow in libfsimage. After further
analysis the Xen Security Team is no longer confident in the suitability of
libfsimage when run against guest-controlled input with super-user privileges.

In order not to affect current deployments that rely on pygrub, patches are
provided in the resolution section of the advisory that allow running pygrub in
deprivileged mode.

IMPACT
======

A guest using pygrub can escalate its privilege to that of the domain
construction tools (i.e., normally, to control of the host).

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

MITIGATION
==========

Ensuring that guests do not use the pygrub bootloader will avoid this
vulnerability.

For cases where the PV guest is known to be 64-bit, and uses grub2 as a
bootloader, pvgrub is a suitable alternative to pygrub.

Running only HVM guests will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Ferdinand Nölscher of Google.

RESOLUTION
==========

Applying patches 1-4 resolves the libfsimage XFS stack overflow. Applying
patches 5-11 adds additional functionality to pygrub and libxl in order to run
pygrub in a restricted environment using a specific UID. Check the xl.cfg man
page for information on the bootloader_restrict option.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa443/xsa443-??.patch           xen-unstable
xsa443/xsa443-4.17-??.patch      Xen 4.17.x
xsa443/xsa443-4.16-??.patch      Xen 4.16.x
xsa443/xsa443-4.15-??.patch      Xen 4.15.x

$ sha256sum xsa443*/*

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
 http://www.xenproject.org/security-policy.html

Xenproject.org Security Team
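The MITIGATION and RESOLUTION sections reduce to one host-side question: which guests still boot through pygrub without the bootloader_restrict option the patches add. The POSIX shell audit below is an added example, not part of the advisory or of the Xen tooling; it assumes xl guest configs are kept as *.cfg files in one directory, and the three sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit xl guest configs for XSA-443 exposure. A guest with
# bootloader = "pygrub" and no bootloader_restrict = 1 has its guest-controlled
# disks parsed by libfsimage as the toolstack user (normally root).

# Print the value of an xl.cfg key ("KEY = value"), ignoring full-line
# comments, trailing "# ..." comments and surrounding quotes. Empty if absent.
cfg_value() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
        | head -n 1 \
        | sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/; s/^'"'"'\(.*\)'"'"'$/\1/'
}

# Classify one config: unaffected (not using pygrub), restricted (pygrub with
# bootloader_restrict = 1, the mode added by patches 5-11) or exposed.
pygrub_status() {
    bl=$(cfg_value "$1" bootloader)
    case "$bl" in
        pygrub|*/pygrub) ;;
        *) echo unaffected; return 0 ;;
    esac
    # xl.cfg booleans are written as integers; anything but 1 keeps the
    # default, unrestricted behaviour.
    [ "$(cfg_value "$1" bootloader_restrict)" = 1 ] && echo restricted || echo exposed
}

# Report every *.cfg file in a directory as "<status><TAB><file>".
audit_dir() {
    for f in "$1"/*.cfg; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(pygrub_status "$f")" "$f"
    done
}

# Constructed sample configs (not from the advisory) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/pv-legacy.cfg" <<'EOF'
name = "pv-legacy"
bootloader = "pygrub"   # still runs libfsimage as root
EOF
cat > "$SAMPLE_DIR/pv-restricted.cfg" <<'EOF'
name = "pv-restricted"
bootloader = "pygrub"
bootloader_restrict = 1
EOF
cat > "$SAMPLE_DIR/hvm-guest.cfg" <<'EOF'
type = "hvm"
EOF

audit_dir "$SAMPLE_DIR"
```

Point audit_dir at the real config directory (for example /etc/xen) to list the guests that still need bootloader_restrict or a move to pvgrub or HVM.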
Xen is an open-source virtual machine monitor developed at the University of Cambridge. It is intended to run up to 100 full-featured operating systems on a single computer. Operating systems must be explicitly modified ("ported") to run on Xen (compatibility for user applications is preserved). This lets Xen achieve high-performance virtualization without special hardware support.
CVE-2023-34325: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34325
None
None
http://xenbits.xen.org/xsa/advisory-443.html