
[Xen-users] Scripts to check XSA patch-level on xen trees (xen.git, qemu-xen.git & qemu-xen-traditional.git)


  • To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, xen-users <xen-users@xxxxxxxxxxxxxxxxxxxx>
  • From: Lars Kurth <lars.kurth@xxxxxxxxxx>
  • Date: Mon, 7 Aug 2017 12:19:54 +0000
  • Accept-language: en-GB, en-US
  • Delivery-date: Mon, 07 Aug 2017 12:48:48 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>
  • Thread-index: AQHTD3d5lapn3aqw6U+xSsUnG712ZA==
  • Thread-topic: Scripts to check XSA patch-level on xen trees (xen.git, qemu-xen.git & qemu-xen-traditional.git)

Hi everyone,

I created a number of scripts primarily for checking whether we have applied 
all patches correctly for point and major releases. However, these may be 
useful for developers, users and xen packagers. 

The tool will be run as part of the Release Manager Checklist: see
https://lists.xenproject.org/archives/html/xen-devel/2017-07/threads.html#03091

Feedback is very welcome. 

I can make changes as needed when I have some spare cycles, but am 
ultimately looking for someone who is willing to act as maintainer for the 
scripts in the long run (as I am not really a developer any more).

Best Regards
Lars

== Script location ==

https://xenbits.xenproject.org/gitweb/?p=people/larsk/xen-release-scripts.git
README in top level directory

== Attached files ==

I attached the output and input of a test run on Xen 4.8.1 to the tip of the 
stable branch.

Input: xsa-213-225
Output: 481-stable-xsamatch-smartd.html

However, the DEBUG links won’t work unless you actually run 
the script and have the generated directory. To make it easier,
I attached screenshots of actual diffs:

xsa218-diff.png & xsa224-diff.png

./match-xsa --version 4 --major 8 --since 1 --html --smart --debug -xsa xsa-213-225 > 481-stable-xsamatch-smartd.html

== Analysis of results ==

For the attached example, I did a quick sample analysis

> XSA 214 : All patches found => check as advisory text may be ambiguous 
> or cannot be fully parsed 
In this case the published advisory text contains a typo in the RESOLUTION 
section of the advisory, which is why the script asks for a manual check

> XSA 215 : No patch found => check
In this case “Xen versions 4.7 and later are not vulnerable”. However, the 
tool does not parse sentences, which is why this has been picked up as
a potential issue by the tool.

> XSA 218 : Some patches not applied => check
In this case, one of the patches in the advisory has been modified by the 
committer at check-in into the 4.8 tree.

See xsa218-diff.png for the relevant difference

> XSA 221 : All patches found => check as advisory text may be ambiguous 
> or cannot be fully parsed
In this case “Xen versions 4.4 and newer are vulnerable”. However, the 
tool does not parse sentences, which is why this has been picked up as
a potential issue by the tool.

> XSA 224 : Some patches not applied => check
In this case, one of the patches in the advisory has been modified by the 
committer at check-in into the 4.8 tree.

See xsa224-diff.png for the relevant difference

== Possible improvements ==

Right now, the tool either scrapes xenbits.xenproject.org/xsa for advisory
information, or it uses information that is only available to Xen Project
security team members. This means that there is somewhat of a gap
in terms of tool usability for people on the pre-disclosure list.  

In addition, XSA Advisories do not yet have a metadata section that is
easily machine readable. However, George Dunlap has been working on
this, which will appear in Advisory Texts in the future, at which point the
tool can be updated. This would avoid a few manual checks that are
necessary now. But even without it, one picks up on possible issues very
quickly.
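To make the four summary verdicts in the attached report concrete, here is an added, illustrative Python sketch; it is not Lars's match-xsa script, and the post does not describe how that script matches patches against the trees. The advisory excerpt mirrors the XSA 221 text quoted in the attachment, the git log lines are constructed, and the "This is XSA-NNN." commit trailer and the version-qualifier regex are this example's own assumptions.

```python
import re
# Constructed advisory excerpt, laid out like the XSA 221 text quoted in the attachment.
ADVISORY_221 = """VULNERABLE SYSTEMS
==================

Xen versions 4.4 and newer are vulnerable.  Xen versions 4.3 and
earlier are not affected.

RESOLUTION
==========

xsa221.patch           Xen 4.4.x and later, including xen-unstable

$ sha256sum xsa221*
2425396a713466808b0f75f91337be4dd20a4dee7733972b04489773c6e97655  xsa221.patch
"""

# Constructed `git log` subjects for a stable branch (not the real 4.8 log); the
# "This is XSA-NNN." trailer is assumed to be present on every security commit.
GIT_LOG_481 = ["x86/mm: example fix  This is XSA-221.", "xen/arm: unrelated cleanup"]

HEADING_RE = re.compile(r"^([A-Z][A-Z ]+)\n=+\n", re.M)
PATCH_RE = re.compile(r"^(xsa\d+\S*\.patch)\s+(\S.*)$", re.M)
SHA_RE = re.compile(r"^([0-9a-f]{64})\s+(\S+)$", re.M)
# Version-qualified sentences that free-text parsing cannot resolve (XSA 215/221 above).
QUALIFIER_RE = re.compile(r"\bversions?\s+\d+(?:\.\d+)*\s+and\s+(?:earlier|later|newer)\b", re.I)

def split_sections(text):
    # Map the '='-underlined headings (VULNERABLE SYSTEMS, RESOLUTION, ...) to their bodies.
    parts = HEADING_RE.split(text)
    return {parts[i].strip(): parts[i + 1] for i in range(1, len(parts) - 1, 2)}

def parse_resolution(section):
    """Return the attached patch files, the versions they apply to and their sha256."""
    digests = {name: digest for digest, name in SHA_RE.findall(section)}
    return [{"file": f, "applies_to": a.strip(), "sha256": digests.get(f)}
            for f, a in PATCH_RE.findall(section)]

def classify(xsa, advisory, log_lines):
    """Produce the summary wording used in the attached report for one XSA number."""
    sections = split_sections(advisory)
    patches = parse_resolution(sections.get("RESOLUTION", ""))
    commits = sum(1 for l in log_lines if re.search(rf"\bXSA-{xsa}\b", l))
    if commits == 0:
        return "No patch found => check"
    if commits < len(patches):
        return "Some patches not applied => check"
    if QUALIFIER_RE.search(sections.get("VULNERABLE SYSTEMS", "")):
        return ("All patches found => check as advisory text may be "
                "ambiguous or cannot be fully parsed")
    return "All patches found (no need to check)"
```

A patch that a committer reworded at check-in would still count as applied here because the trailer survives, so the real script's diff-based check (see the xsa218/xsa224 screenshots) is stricter than this count.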

Attachment: xsa-213-225
Description: xsa-213-225

CHECKING '../xsa-lists/xsa-213-225' against 'xen_481-stable.log', 'qemuu_481-stable.log' and 'qemut_481-stable.log'.

SUMMARY

Applied XSAs

  • XSA 213 : All patches found (no need to check)
  • XSA 214 : All patches found => check as advisory text may be ambiguous or cannot be fully parsed
  • XSA 215 : No patch found => check
  • XSA 216 : All patches found (no need to check)
  • XSA 217 : All patches found (no need to check)
  • XSA 218 : Some patches not applied => check
  • XSA 219 : All patches found (no need to check)
  • XSA 220 : All patches found (no need to check)
  • XSA 221 : All patches found => check as advisory text may be ambiguous or cannot be fully parsed
  • XSA 222 : All patches found (no need to check)
  • XSA 223 : All patches found (no need to check)
  • XSA 224 : Some patches not applied => check
  • XSA 225 : All patches found (no need to check)

DETAILS

XSA 213

Comparisons specific to 4.8:

Other comparisons (can probably be ignored):

XSA 214

Other comparisons (can probably be ignored):

Excerpt from XSA

XSA 215

Other comparisons (can probably be ignored):

Excerpt from XSA

    VULNERABLE SYSTEMS
    ==================
    
    64-bit Xen versions 4.6 and earlier are vulnerable.  Xen versions 4.7
    and later are not vulnerable.
    
    Only x86 systems are affected.  ARM systems are not vulnerable.
    
    Only x86 systems with physical memory extending to a configuration
    dependent boundary (5Tb or 3.5Tb) may be affected.  Whether they are
    actually affected depends on actual physical memory layout.
    
    The vulnerability is only exposed to 64-bit PV guests.  HVM guests and
    32-bit PV guests can't exploit the vulnerability.
    

XSA 216

Comparisons specific to 4.8:

Other comparisons (can probably be ignored):

XSA 217

Comparisons specific to 4.8:

Other comparisons (can probably be ignored):

XSA 218

Comparisons specific to 4.8:

Other comparisons (can probably be ignored):

Excerpt from XSA

XSA 219

Comparisons specific to 4.8:

Other comparisons (can probably be ignored):

XSA 220

Comparisons specific to 4.8:

Other comparisons (can probably be ignored):

XSA 221

Other comparisons (can probably be ignored):

Excerpt from XSA

    VULNERABLE SYSTEMS
    ==================
    
    Xen versions 4.4 and newer are vulnerable.  Xen versions 4.3 and
    earlier are not affected.
    
    Both x86 and ARM systems are vulnerable.
    
    While all guest kinds can cause a Denial of Service, only x86 PV guests
    may be able to leverage the possible information leaks.
    
    RESOLUTION
    ==========
    
    Applying the appropriate attached patch resolves this issue.
    
    xsa221.patch           Xen 4.4.x and later, including xen-unstable
    
    $ sha256sum xsa221*
    2425396a713466808b0f75f91337be4dd20a4dee7733972b04489773c6e97655  xsa221.patch
    $
    

XSA 222

Comparisons specific to 4.8:

Other comparisons (can probably be ignored):

XSA 223

Comparisons specific to 4.8:

XSA 224

Comparisons specific to 4.8:

Other comparisons (can probably be ignored):

Excerpt from XSA

XSA 225

Comparisons specific to 4.8:

Attachment: xsa218-diff.png
Description: xsa218-diff.png

Attachment: xsa224-diff.png
Description: xsa224-diff.png
