Hello community,

here is the log from the commit of package xen for openSUSE:Factory checked in 
at 2024-07-18 19:15:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xen (Old)
 and      /work/SRC/openSUSE:Factory/.xen.new.17339 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "xen"

Thu Jul 18 19:15:19 2024 rev:347 rq:1187952 version:4.18.2_06

Changes:
--------
--- /work/SRC/openSUSE:Factory/xen/xen.changes  2024-06-25 23:07:01.473315130 
+0200
+++ /work/SRC/openSUSE:Factory/.xen.new.17339/xen.changes       2024-07-18 
19:15:24.500892690 +0200
@@ -1,0 +2,7 @@
+Wed Jul  3 12:41:39 MDT 2024 - carn...@suse.com
+
+- bsc#1227355 - VUL-0: CVE-2024-31143: xen: double unlock in x86
+  guest IRQ handling (XSA-458)
+  xsa458.patch
+
+-------------------------------------------------------------------
@@ -21,0 +29,13 @@
+
+-------------------------------------------------------------------
+Wed Jun 12 12:03:14 UTC 2024 - Daniel Garcia <daniel.gar...@suse.com>
+
+- Fix python3 shebang in tools package (bsc#1212476)
+- Depend directly on %primary_python instead of python3 so this
+  package will continue working without rebuilding even if python3
+  changes in the system.
+- Remove not needed patches, these patches adds the python3 shebang to
+  some scripts, but that's done during the build phase so it's not
+  needed:
+  - bin-python3-conversion.patch
+  - migration-python3-conversion.patch

Old:
----
  bin-python3-conversion.patch
  migration-python3-conversion.patch

New:
----
  xsa458.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ xen.spec ++++++
--- /var/tmp/diff_new_pack.mQey2Y/_old  2024-07-18 19:15:26.836985227 +0200
+++ /var/tmp/diff_new_pack.mQey2Y/_new  2024-07-18 19:15:26.840985385 +0200
@@ -26,6 +26,8 @@
 # Keep it at the original location (/usr/lib) for backward compatibility
 %define _libexecdir /usr/lib
 
+%{?!primary_python:%define primary_python python3}
+
 Name:           xen
 ExclusiveArch:  %ix86 x86_64 aarch64
 %define xen_build_dir xen-4.18.2-testing
@@ -117,6 +119,7 @@
 %ifarch x86_64
 BuildRequires:  pesign-obs-integration
 %endif
+BuildRequires:  python-rpm-macros
 Provides:       installhint(reboot-needed)
 
 Version:        4.18.2_06
@@ -180,6 +183,7 @@
 Patch24:        6672c847-x86-CPUID-XSAVE-dynamic-leaves.patch
 Patch25:        
6673ffdc-x86-IRQ-forward-pending-to-new-dest-in-fixup_irqs.patch
 # EMBARGOED security fixes
+Patch100:       xsa458.patch
 # libxc
 Patch301:       libxc-bitmap-long.patch
 Patch302:       libxc-sr-xl-migration-debug.patch
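Review bot: Patch100 is added under the "# EMBARGOED security fixes" heading, yet the changelog in this same commit names CVE-2024-31143 and XSA-458 openly, so the heading no longer describes the entry. Either rename the section or add a comment next to Patch100 carrying the bsc#1227355 / XSA-458 reference, so the reason the patch lives here can be read from the spec itself.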
@@ -241,8 +245,6 @@
 Patch467:       libxl.LIBXL_HOTPLUG_TIMEOUT.patch
 # python3 conversion patches
 Patch500:       build-python3-conversion.patch
-Patch501:       migration-python3-conversion.patch
-Patch502:       bin-python3-conversion.patch
 # Hypervisor and PV driver Patches
 Patch600:       xen.bug1026236.suse_vtsc_tolerance.patch
 Patch601:       x86-ioapic-ack-default.patch
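Review bot: Patch501 and Patch502 are removed from the patch list here, but no hunk in this diff removes a corresponding application step. If the spec applies patches by number rather than through an automatic macro, the build would break on the missing entries, so please confirm how they are applied.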
@@ -306,8 +308,8 @@
 Requires:       %{name} = %{version}-%{release}
 Requires:       %{name}-libs = %{version}-%{release}
 Recommends:     multipath-tools
-Requires:       python3
-Requires:       python3-curses
+Requires:       %{primary_python}
+Requires:       %{primary_python}-curses
 %ifarch %{ix86} x86_64
 Requires:       qemu-seabios
 %endif
@@ -499,7 +501,7 @@
 sed -i~ 's/ XENSTORETYPE=domain$/ XENSTORETYPE=daemon/' 
tools/hotplug/Linux/launch-xenstore.in
 configure_flags="${configure_flags} --disable-stubdom"
 %endif
-export PYTHON="/usr/bin/python3"
+export PYTHON=$(realpath /usr/bin/python3)
 configure_flags="${configure_flags} --disable-qemu-traditional"
 ./configure \
         --disable-xen \
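Review bot: in `export PYTHON=$(realpath /usr/bin/python3)` a failing realpath goes unnoticed, because `export` itself returns success and PYTHON is then exported empty. Assign first and check the result, for example `PYTHON="$(realpath /usr/bin/python3)"` followed by a test that it is non-empty, then export it. A comment would also help on why the path comes from the /usr/bin/python3 symlink while the Requires lines above use %{primary_python}, since the two only agree while that symlink points at the primary interpreter.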
@@ -833,6 +835,7 @@
 # Xen utilities
 install -m755 %SOURCE36 %{buildroot}/usr/sbin/xen2libvirt
 install -m755 %SOURCE10183 %{buildroot}/usr/sbin/xen_maskcalc
+%python3_fix_shebang
 
 rm -f %{buildroot}/etc/xen/README*
 # Example config
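Review bot: `%python3_fix_shebang` is called right after the two `install -m755` lines, so it can only rewrite scripts that are already in %{buildroot} at that point; anything installed further down is not touched. Moving the macro to the end of the section, or adding a comment that all Python scripts are in place by here, would keep it correct when the section is edited later. The changelog says the shebang fix happens "during the build phase", which does not match where the macro is invoked.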

++++++ xsa458.patch ++++++
From: Jan Beulich <jbeul...@suse.com>
Subject: x86/IRQ: avoid double unlock in map_domain_pirq()

Forever since its introduction the main loop in the function dealing
with multi-vector MSI had error exit points ("break") with different
properties: In one case no IRQ descriptor lock is being held.
Nevertheless the subsequent error cleanup path assumed such a lock would
uniformly need releasing. Identify the case by setting "desc" to NULL,
thus allowing the unlock to be skipped as necessary.

This is CVE-2024-31143 / XSA-458.

Coverity ID: 1605298
Fixes: d1b6d0a02489 ("x86: enable multi-vector MSI")
Signed-off-by: Jan Beulich <jbeul...@suse.com>
Reviewed-by: Roger Pau Monné <roger....@citrix.com>

--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -2286,6 +2286,7 @@ int map_domain_pirq(
 
             set_domain_irq_pirq(d, irq, info);
             spin_unlock_irqrestore(&desc->lock, flags);
+            desc = NULL;
 
             info = NULL;
             irq = create_irq(NUMA_NO_NODE, true);
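Review bot: `desc = NULL;` after `spin_unlock_irqrestore(&desc->lock, flags);` is the only marker that the descriptor lock is no longer held, and nothing at the assignment says so. A short comment here, stating that the error path tests desc to decide whether to unlock, would keep the line from being read as a dead store and dropped in a later cleanup.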
@@ -2321,7 +2322,9 @@ int map_domain_pirq(
 
         if ( ret )
         {
-            spin_unlock_irqrestore(&desc->lock, flags);
+            if ( desc )
+                spin_unlock_irqrestore(&desc->lock, flags);
+
             pci_disable_msi(msi_desc);
             if ( nr )
             {
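Review bot: with `if ( desc )` guarding the unlock, desc may now be NULL inside this error block, so any later use of desc in the cleanup has to tolerate that. The visible lines only call pci_disable_msi(msi_desc) and test nr; the rest of the block is outside the hunk. Please confirm there is no dereference of desc further down, and consider a comment stating the invariant that desc is non-NULL exactly when its lock is held.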
