From patchwork Tue Sep 19 15:03:14 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Korsgaard X-Patchwork-Id: 815580 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=busybox.net (client-ip=140.211.166.136; helo=silver.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="AxPfZWeu"; dkim-atps=neutral Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3xxR2r15DKz9s3T for ; Wed, 20 Sep 2017 01:03:31 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id A9E922DD0C; Tue, 19 Sep 2017 15:03:26 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HQe4qmMyAzI3; Tue, 19 Sep 2017 15:03:23 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by silver.osuosl.org (Postfix) with ESMTP id BC08D2D62D; Tue, 19 Sep 2017 15:03:23 +0000 (UTC) X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by ash.osuosl.org (Postfix) with ESMTP id D747C1CEAAB for ; Tue, 19 Sep 2017 15:03:22 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id D0C90819A5 for ; Tue, 19 Sep 2017 15:03:22 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wwpm1J2C9s8T for ; Tue, 19 Sep 2017 15:03:21 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-wm0-f65.google.com (mail-wm0-f65.google.com [74.125.82.65]) by whitealder.osuosl.org (Postfix) with ESMTPS id 8995C8172D for ; Tue, 19 Sep 2017 15:03:21 +0000 (UTC) Received: by mail-wm0-f65.google.com with SMTP id f4so4147571wmh.4 for ; Tue, 19 Sep 2017 08:03:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id; bh=L4X5Oud77ifH4pPdZ9E49dbywNcdSaG2DBZron06RU0=; b=AxPfZWeuUW4RhAkJrk2IMOmjUY7vlp6cNE2aeIlNoEZJ44TwFIqGvezqCwDGT88/t6 HagHwRTs0KzYBns1y0vulA1qWzOX0utCxz/ffIULxCSEZm2PQS2SJhKyVJIQpUc9ODhV WzHWsP0c37aH9b8ZcMBqnMi3YkBiwn4IbiZ2TH/hS7e2p4jc7StFn/3zJI3GL/KTavlf /i3LxvPKeVkVDDGOkP4w/PvL9loj78xcUyvZPAWqwrmV3wx0HiCPM7hRBIpiJQloPfX6 1bSL+cwKJd3D73PIwylPUuL5DXtgNXbtiECPlG4cPWNomSMhYIOibJkdocZX42p8MEox 8WRw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id; bh=L4X5Oud77ifH4pPdZ9E49dbywNcdSaG2DBZron06RU0=; b=fN8+f+/9IUV1Jtjx3Gt5FzexXRboxs/wKG6LYJkGzhjfcFewFgDjUd2y0b7keVPT+z eON5+9wXbX/ygU+guG0lVG8feh7s6NEyGcfzqYhNp4VrJVff5vfxDxK+bJea8/9q9zRE gT6yia+cQIKfrdi3GKgUntpSpwrAE07Mqao3Nm/bs9vCiXMRK/vn/3N9zJJLTpXGcZxM a4hsLqrQvi9KdA9+siNE8T4EfAs3nilWURCxUuxSHsHnDXtW5v6y6fENM3E0AeIyCNV6 x0HbZ1XMbpZN8+S9jsdIHsYeaYj+jzBlR/cen8ROEfMDzHgCbE/rpenuM356pXlWJHh7 etow== X-Gm-Message-State: AHPjjUiQ9liacAKDxGiFgMSglvUPUFIMJBxh+C9OpBpaAk9Jx+YU9nM2 nHW6nwYkwDRuDmY7BgazMkzHWVd7 X-Google-Smtp-Source: AOwi7QDgdE9h60rWjnnJc+DfBeKMSDP1DAP4+LD8hQLo7xsyt1vloH3ptueNTVMynWou9pPlAJ61XA== X-Received: by 10.80.216.66 with SMTP id v2mr1987178edj.121.1505833397999; Tue, 19 Sep 2017 08:03:17 -0700 (PDT) Received: from dell.be.48ers.dk (d51a5bc31.access.telenet.be. [81.165.188.49]) by smtp.gmail.com with ESMTPSA id 26sm5715037eds.5.2017.09.19.08.03.16 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 19 Sep 2017 08:03:17 -0700 (PDT) Received: from peko by dell.be.48ers.dk with local (Exim 4.88) (envelope-from ) id 1duK3Q-0008Gj-5F; Tue, 19 Sep 2017 17:03:16 +0200 From: Peter Korsgaard To: buildroot@buildroot.org Date: Tue, 19 Sep 2017 17:03:14 +0200 Message-Id: <20170919150314.31745-1-peter@korsgaard.com> X-Mailer: git-send-email 2.11.0 Cc: alistair.francis@xilinx.com Subject: [Buildroot] [PATCH] xen: add upstream post-4.9.0 security fixes X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Fixes the following security issues: XSA-226: multiple problems with transitive grants (CVE-2017-12135) XSA-227: x86: PV privilege escalation via map_grant_ref (CVE-2017-12137) XSA-228: grant_table: Race conditions with maptrack free list handling (CVE-2017-12136) XSA-230: grant_table: possibly premature clearing of GTF_writing / GTF_reading (CVE-2017-12855) XSA-231: Missing NUMA node parameter verification (CVE-2017-14316) XSA-232: Missing check for grant table (CVE-2017-14318) XSA-233: cxenstored: Race in domain cleanup (CVE-2017-14317) XSA-234: insufficient grant unmapping checks for x86 PV guests (CVE-2017-14319) XSA-235: add-to-physmap error paths fail to release lock on ARM Signed-off-by: Peter Korsgaard Reviewed-by: Alistair Francis --- package/xen/xen.hash | 9 +++++++++ package/xen/xen.mk | 10 ++++++++++ 2 files changed, 19 insertions(+) diff --git a/package/xen/xen.hash b/package/xen/xen.hash index bcce39bd8b..3c5981a247 100644 --- a/package/xen/xen.hash +++ b/package/xen/xen.hash @@ -1,2 +1,11 @@ # Locally computed sha256 cade643fe3310d4d6f97d0c215c6fa323bc1130d7e64d7e2043ffaa73a96f33b xen-4.9.0.tar.gz +sha256 b09e07aaf422ae04a4ece5e2c5b5e54036cfae5b5c632bfc6953a0cacd6f60ff xsa226.patch +sha256 9923a47e5f86949800887596f098954a08ef73a01d74b1dbe16cab2e6b1fabb2 xsa227.patch +sha256 1979e111442517891b483e316a15a760a4c992ac4440f95e361ff12f4bebff62 xsa228.patch +sha256 77a73f1c32d083e315ef0b1bbb119cb8840ceb5ada790cad76cbfb9116f725cc xsa230.patch +sha256 71a53a5133c8d4e381dd0e3e54205d31dea545ab62b261084dd3aea140f88cad xsa231-4.9.patch +sha256 5068a78293daa58557c30c95141b775becfb650de6a5eda0d82a4a321ced551c xsa232.patch +sha256 f721cc49ba692b2f36299b631451f51d7340b8b4732f74c98f01cb7a80d8662b xsa233.patch +sha256 213f9d81a4ab785db67b9f579c9e88c9c8586c46b93f466a309060750df2df32 xsa234-4.9.patch +sha256 d8f012734fbf6019c1ff864744e308c41dfb9c7804ca3be2771c2c972cdf4bd5 xsa235-4.9.patch diff --git a/package/xen/xen.mk b/package/xen/xen.mk index 90e73853de..5bb18e6e34 100644 --- a/package/xen/xen.mk +++ b/package/xen/xen.mk @@ -6,6 +6,16 @@ XEN_VERSION = 4.9.0 XEN_SITE = https://downloads.xenproject.org/release/xen/$(XEN_VERSION) +XEN_PATCH = \ + https://xenbits.xenproject.org/xsa/xsa226.patch \ + https://xenbits.xenproject.org/xsa/xsa227.patch \ + https://xenbits.xenproject.org/xsa/xsa228.patch \ + https://xenbits.xenproject.org/xsa/xsa230.patch \ + https://xenbits.xenproject.org/xsa/xsa231-4.9.patch \ + https://xenbits.xenproject.org/xsa/xsa232.patch \ + https://xenbits.xenproject.org/xsa/xsa233.patch \ + https://xenbits.xenproject.org/xsa/xsa234-4.9.patch \ + https://xenbits.xenproject.org/xsa/xsa235-4.9.patch XEN_LICENSE = GPL-2.0 XEN_LICENSE_FILES = COPYING XEN_DEPENDENCIES = host-acpica host-python