Ubuntu
xen package

[SRU] Upgrade to 4.16.2 for Jammy and Kinetic

Bug #1978891 reported by Luís Infante da Câmara
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
xen (Debian)
Fix Released
Unknown
xen (Ubuntu)
Won't Fix
Medium
Unassigned
Jammy
Won't Fix
Undecided
Unassigned

Bug Description

A new upstream maintenance release 4.16.2 is available.

[Test Plan]
For each CVE fixed by this release, test that it can be exploited with the current packages and that it cannot be exploited with the updated packages.

[Where problems could occur]
The source package has many packages in its reverse dependency/recommendation tree. The bug fixes and improvements in Xen may cause regressions in those packages and in software outside of the Ubuntu archive.

See original description
Luís Infante da Câmara (luis220413)
information type: Private Security → Public Security
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Patched packages will be uploaded to my PPA (https://launchpad.net/~luis220413/+archive/ubuntu/security-updates) today.

description: updated
description: updated
Changed in xen (Ubuntu):
status: New → In Progress
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Download full text (12.8 KiB)

Lintian produces 1 error and many warnings:

E: xenstore-utils-dbgsym: stripped-library usr/lib/debug/.build-id/9f/23abfbd90397d1607cc741f0480e0b224a3ce9.debug
W: xenstore-utils-dbgsym: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/9f/23abfbd90397d1607cc741f0480e0b224a3ce9.debug
W: xen-utils-4.16: debug-suffix-not-dbg usr/lib/debug/xen-syms-4.16-shim/
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/00/08d5d5e8869253f8ed4c30b9f9e46e615af7a7.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/01/1ea0ceb150958be7d97b4427d571f444d07863.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/04/0a71513854b1d82d0efec7b087654ca3d10c3f.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/12/98e697c8e09776774e9407d743c43a80667130.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/18/5cba7ba65852431abc8b322372c8c052a5d855.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/1f/406e9866999f26337962468782ea22b31d62e4.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/20/79a43f53a775f14c656cb2ff799514b2477fe2.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/20/f51fbf1ccd1e9999b79242b6d1da6bdb6972a9.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/2d/0475abb0bc8b835745b25f273705f2663ae982.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/36/5cc79d96df0cf6050aeab9c25902811e7c2528.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/41/a2d5cf07cd1ed0a82e0d19128665851fbe794c.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/47/63e11950d690ec9c7ad31689a1fa869c0a126b.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/53/45f1e6ba48b07ecc6cec20f10ad26c91be2dad.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/54/4a8db50f53f12b254119e63e56fe0f72f19f94.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/62/18c634b0ca5f88fab94bdf0d491f39c2e16edf.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/6c/abfc94e754333206bb7fed786eddc86ccec621.debug]
W: xen-utils-4.16-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.bui...

Luís Infante da Câmara (luis220413)
Changed in xen (Ubuntu):
status: In Progress → New
assignee: Luís Cunha dos Reis Infante da Câmara (luis220413) → nobody
Revision history for this message
Luís Infante da Câmara (luis220413) wrote (last edit ):

A patched source package (and binary packages for amd64) are now available in my PPA: https://launchpad.net/~luis220413/+archive/ubuntu/security-updates.

The package fails to build on arm64 and armhf, due to patterns in *.install files that do not match any files installed by make install.

Mathew Hodson (mhodson)
Changed in xen (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Luís Infante da Câmara (luis220413) wrote (last edit ):

I have just created a new tarball from the stable-4.16 branch in the upstream Git repository (with 3 new commits), packaged it and uploaded the packages to my PPA: https://launchpad.net/~luis220413/+archive/ubuntu/security-updates.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote (last edit ):

I have just filed a Debian bug to incorporate the unreleased commits in the stable branch into the version in testing/unstable.

summary: - Upgrade to 4.16.1 for Jammy
+ Upgrade to 4.16.1+32-g2e82446cb2 for Jammy
description: updated
Bug Watch Updater (bug-watch-updater)
Changed in xen (Debian):
status: Unknown → Confirmed
Revision history for this message
Eduardo Barretto (ebarretto) wrote : Re: Upgrade to 4.16.1+32-g2e82446cb2 for Jammy

Hi Luis, as you mentioned in #5 you made changes, could you please upload the newer version of the debdiff?

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Updated debdiff

Luís Infante da Câmara (luis220413)
summary: - Upgrade to 4.16.1+32-g2e82446cb2 for Jammy
+ Upgrade to 4.16.1+32-g2e82446cb2 for Jammy and Kinetic
Luís Infante da Câmara (luis220413)
summary: - Upgrade to 4.16.1+32-g2e82446cb2 for Jammy and Kinetic
+ [SRU] Upgrade to 4.16.1+32-g2e82446cb2 for Jammy and Kinetic
Revision history for this message
Luís Infante da Câmara (luis220413) wrote : Re: [SRU] Upgrade to 4.16.1+32-g2e82446cb2 for Jammy and Kinetic

I am updating the patch to also fix CVE-2022-23816, CVE-2022-23825 and CVE-2022-29900.

Luís Infante da Câmara (luis220413)
summary: - [SRU] Upgrade to 4.16.1+32-g2e82446cb2 for Jammy and Kinetic
+ [SRU] Upgrade to 4.16.1+51-g0a5387a011 for Jammy and Kinetic
description: updated
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Patched packages are available in my PPA: https://launchpad.net/~luis220413/+archive/ubuntu/security-updates/+packages

Revision history for this message
Alex Murray (alexmurray) wrote :

FYI I personally don't feel comfortable sponsoring this update for kinetic - instead though I would be happy to sponsor a merge of 4.16.1-1 from debian unstable to kinetic.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Alex Murray, why you do not feel comfortable sponsoring my update for Kinetic?

Meanwhile, you can merge 4.16.1-1 from Debian unstable into Kinetic.

Luís Infante da Câmara (luis220413)
Changed in xen (Ubuntu):
status: New → In Progress
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Revision history for this message
Alex Murray (alexmurray) wrote :

> Alex Murray, why you do not feel comfortable sponsoring my update for Kinetic?

Basically it is quite onerous to validate a 10k debdiff to make sure it doesn't include anything untoward / unwanted etc.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote (last edit ):

This is just an update to the tip of the stable-4.16 branch, as recommended by the upstream project. Debian routinely performs these updates to its stable releases and to unstable.

I will attach a debdiff for the version in kinetic-proposed that does the same as the previous ones.

Revision history for this message
Robie Basak (racb) wrote :

4.16.1-1 has been synced from Debian and is in Kinetic proposed, so there is nothing remaining for a sponsor to do for Kinetic. Please follow "proposed migration" to see the package arrive into the Kinetic release pocket. See https://wiki.ubuntu.com/ProposedMigration/ for details.

For Jammy, as we've already discussed your proposed patch isn't suitable for upload into Jammy as-is, if going through the SRU process. Please provide cherry-picks of specific fixes instead, or, if this is not possible or there's a justification for doing otherwise, then please provide that justification with reference to our specific policies. In the meantime, there is also nothing suitable to sponsor for Jammy, so I'm unsubscribing ~ubuntu-sponsors.

Nothing in this precludes urgent security fixes from being made, but that's up to review from the security team. I suspect that they also will require specific cherry-picks.

Changed in xen (Ubuntu):
status: In Progress → Fix Committed
Changed in xen (Ubuntu Jammy):
status: New → Incomplete
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

This update does not fix this bug (9 CVEs are not fixed), therefore I am setting the status to In Progress.

Changed in xen (Ubuntu):
status: Fix Committed → In Progress
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Fixed in version 4.16.2-1.

Changed in xen (Ubuntu):
status: In Progress → Fix Released
assignee: Luís Cunha dos Reis Infante da Câmara (luis220413) → nobody
summary: - [SRU] Upgrade to 4.16.1+51-g0a5387a011 for Jammy and Kinetic
+ [SRU] Upgrade to 4.16.2 for Jammy
description: updated
Revision history for this message
Luís Infante da Câmara (luis220413) wrote : Re: [SRU] Upgrade to 4.16.2 for Jammy

I will update my patch for Jammy in 10 minutes.

Luís Infante da Câmara (luis220413)
Changed in xen (Ubuntu Jammy):
status: Incomplete → Confirmed
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Changed in xen (Ubuntu Jammy):
status: Confirmed → New
Revision history for this message
Luís Infante da Câmara (luis220413) wrote (last edit ):

Xen almost meets the bulleted requirements at https://wiki.ubuntu.com/StableReleaseUpdates:

Xen has a testsuite at https://xenbits.xen.org/gitweb/?p=osstest.git;a=summary that assures the quality of every commit or release and can be packaged and invoked in the xen build-time test (that only invokes 2 tests in Jammy!). If we also add the tests in the xen source package to the build-time test and add an autopkgtest that runs them, Xen now meets the requirements.

However, without looking at the testsuite, I doubt that the tests are covering API/ABI stability.

Revision history for this message
Mark Esler (eslerm) wrote :

I am setting this issue to Won't Fix per @alexmurray's comment #17.

For a security update the usual method is to cherry-pick individual required security fixes. Please provide cherry-picks of specific fixes instead in separate bug reports.

Changed in xen (Ubuntu):
status: Fix Released → Won't Fix
Changed in xen (Ubuntu Jammy):
status: New → Won't Fix
Luís Infante da Câmara (luis220413)
summary: - [SRU] Upgrade to 4.16.2 for Jammy
+ [SRU] Upgrade to 4.16.2 for Jammy and Kinetic
Revision history for this message
Mark Esler (eslerm) wrote :

From Luís via email:

> Can you set the status for the bug task xen (Ubuntu) in bug 1978891 to Fix Released, because the development release already has Xen 4.16.2? I cannot do this myself.

I am not changing the status of the SRU to Fix Released. Others are welcome to.

Bug Watch Updater (bug-watch-updater)
Changed in xen (Debian):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.