CVE-2018-12892

Priority
Description
An issue was discovered in Xen 4.7 through 4.10.x. libxl fails to pass the
readonly flag to qemu when setting up a SCSI disk, due to what was probably
an erroneous merge conflict resolution. Malicious guest administrators or
(in some situations) users may be able to write to supposedly read-only
disk images. Only emulated SCSI disks (specified as "sd" in the libxl disk
configuration, or an equivalent) are affected. IDE disks ("hd") are not
affected (because attempts to make them readonly are rejected).
Additionally, CDROM devices (that is, devices specified to be presented to
the guest as CDROMs, regardless of the nature of the backing storage on the
host) are not affected; they are always read only. Only systems using
qemu-xen (rather than qemu-xen-traditional) as the device model version are
vulnerable. Only systems using libxl or libxl-based toolstacks are
vulnerable. (This includes xl, and libvirt with the libxl driver.) The
vulnerability is present in Xen versions 4.7 and later. (In earlier
versions, provided that the patch for XSA-142 has been applied, attempts to
create read only disks are rejected.) If the host and guest together
usually support PVHVM, the issue is exploitable only if the malicious guest
administrator has control of the guest kernel or guest kernel command line.
Notes
 mdeslaur> hypervisor packages are in universe. For
 mdeslaur> issues in the hypervisor, add appropriate
 mdeslaur> tags to each section, ex:
 mdeslaur> Tags_xen: universe-binary
Package
Source: xen (LP Ubuntu Debian)
Upstream:released (4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.04 (Disco Dingo):needed
Ubuntu 19.10 (Eoan):needed
Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support
More Information

Updated: 2019-08-23 07:51:11 UTC (commit 436fd4ed4cf0038ddd382cb8649607ace163dda7)