Your message dated Sat, 20 Dec 2025 11:17:08 +0000
with message-id <[email protected]>
and subject line Bug#1120075: fixed in xen 4.20.2+7-g1badcf5035-0+deb13u1
has caused the Debian Bug report #1120075,
regarding xen: CVE-2025-27465 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143
CVE-2025-58144 CVE-2025-58145 CVE-2025-58147 CVE-2025-58148 CVE-2025-58149
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1120075: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120075
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xen
Version: 4.20.0+68-g35cb38b222-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for xen.
CVE-2025-27465[0]:
| Certain instructions need intercepting and emulating by Xen. In
| some cases Xen emulates the instruction by replaying it, using an
| executable stub. Some instructions may raise an exception, which is
| supposed to be handled gracefully. Certain replayed instructions
| have additional logic to set up and recover the changes to the
| arithmetic flags. For replayed instructions where the flags
| recovery logic is used, the metadata for exception handling was
| incorrect, preventing Xen from handling the the exception
| gracefully, treating it as fatal instead.
CVE-2025-27466[1]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are multiple issues related to the handling and accessing of
| guest memory pages in the viridian code: 1. A NULL pointer
| dereference in the updating of the reference TSC area. This is
| CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM
| page is mapped when a synthetic timer message has to be
| delivered. This is CVE-2025-58142. 3. A race in the mapping
| of the reference TSC page, where a guest can get Xen to free a
| page while still present in the guest physical to machine (p2m)
| page tables. This is CVE-2025-58143.
CVE-2025-58142[2]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are multiple issues related to the handling and accessing of
| guest memory pages in the viridian code: 1. A NULL pointer
| dereference in the updating of the reference TSC area. This is
| CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM
| page is mapped when a synthetic timer message has to be
| delivered. This is CVE-2025-58142. 3. A race in the mapping
| of the reference TSC page, where a guest can get Xen to free a
| page while still present in the guest physical to machine (p2m)
| page tables. This is CVE-2025-58143.
CVE-2025-58143[3]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are multiple issues related to the handling and accessing of
| guest memory pages in the viridian code: 1. A NULL pointer
| dereference in the updating of the reference TSC area. This is
| CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM
| page is mapped when a synthetic timer message has to be
| delivered. This is CVE-2025-58142. 3. A race in the mapping
| of the reference TSC page, where a guest can get Xen to free a
| page while still present in the guest physical to machine (p2m)
| page tables. This is CVE-2025-58143.
CVE-2025-58144[4]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are two issues related to the mapping of pages belonging to
| other domains: For one, an assertion is wrong there, where the case
| actually needs handling. A NULL pointer de-reference could result
| on a release build. This is CVE-2025-58144. And then the P2M lock
| isn't held until a page reference was actually obtained (or the
| attempt to do so has failed). Otherwise the page can not only
| change type, but even ownership in between, thus allowing domain
| boundaries to be violated. This is CVE-2025-58145.
CVE-2025-58145[5]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are two issues related to the mapping of pages belonging to
| other domains: For one, an assertion is wrong there, where the case
| actually needs handling. A NULL pointer de-reference could result
| on a release build. This is CVE-2025-58144. And then the P2M lock
| isn't held until a page reference was actually obtained (or the
| attempt to do so has failed). Otherwise the page can not only
| change type, but even ownership in between, thus allowing domain
| boundaries to be violated. This is CVE-2025-58145.
CVE-2025-58147[6]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| Some Viridian hypercalls can specify a mask of vCPU IDs as an input,
| in one of three formats. Xen has boundary checking bugs with all
| three formats, which can cause out-of-bounds reads and writes while
| processing the inputs. * CVE-2025-58147. Hypercalls using the
| HV_VP_SET Sparse format can cause vpmask_set() to write out of
| bounds when converting the bitmap to Xen's format. *
| CVE-2025-58148. Hypercalls using any input format can cause
| send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
| vCPU pointer.
CVE-2025-58148[7]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| Some Viridian hypercalls can specify a mask of vCPU IDs as an input,
| in one of three formats. Xen has boundary checking bugs with all
| three formats, which can cause out-of-bounds reads and writes while
| processing the inputs. * CVE-2025-58147. Hypercalls using the
| HV_VP_SET Sparse format can cause vpmask_set() to write out of
| bounds when converting the bitmap to Xen's format. *
| CVE-2025-58148. Hypercalls using any input format can cause
| send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
| vCPU pointer.
CVE-2025-58149[8]:
| When passing through PCI devices, the detach logic in libxl won't
| remove access permissions to any 64bit memory BARs the device might
| have. As a result a domain can still have access any 64bit memory
| BAR when such device is no longer assigned to the domain. For PV
| domains the permission leak allows the domain itself to map the
| memory in the page-tables. For HVM it would require a compromised
| device model or stubdomain to map the leaked memory into the HVM
| domain p2m.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-27465
https://www.cve.org/CVERecord?id=CVE-2025-27465
[1] https://security-tracker.debian.org/tracker/CVE-2025-27466
https://www.cve.org/CVERecord?id=CVE-2025-27466
[2] https://security-tracker.debian.org/tracker/CVE-2025-58142
https://www.cve.org/CVERecord?id=CVE-2025-58142
[3] https://security-tracker.debian.org/tracker/CVE-2025-58143
https://www.cve.org/CVERecord?id=CVE-2025-58143
[4] https://security-tracker.debian.org/tracker/CVE-2025-58144
https://www.cve.org/CVERecord?id=CVE-2025-58144
[5] https://security-tracker.debian.org/tracker/CVE-2025-58145
https://www.cve.org/CVERecord?id=CVE-2025-58145
[6] https://security-tracker.debian.org/tracker/CVE-2025-58147
https://www.cve.org/CVERecord?id=CVE-2025-58147
[7] https://security-tracker.debian.org/tracker/CVE-2025-58148
https://www.cve.org/CVERecord?id=CVE-2025-58148
[8] https://security-tracker.debian.org/tracker/CVE-2025-58149
https://www.cve.org/CVERecord?id=CVE-2025-58149
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: xen
Source-Version: 4.20.2+7-g1badcf5035-0+deb13u1
Done: Maximilian Engelhardt <[email protected]>
We believe that the bug you reported is fixed in the latest version of
xen, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Maximilian Engelhardt <[email protected]> (supplier of updated xen package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 30 Nov 2025 16:57:07 +0100
Source: xen
Architecture: source
Version: 4.20.2+7-g1badcf5035-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian Xen Team <[email protected]>
Changed-By: Maximilian Engelhardt <[email protected]>
Closes: 1105193 1120075
Changes:
xen (4.20.2+7-g1badcf5035-0+deb13u1) trixie-security; urgency=medium
.
Significant changes:
* Update to new upstream version 4.20.2+7-g1badcf5035, which also contains
security fixes for the following issues:
(Closes: #1105193) (Closes: #1120075)
- x86: Indirect Target Selection
XSA-469 CVE-2024-28956
- x86: Incorrect stubs exception handling for flags recovery
XSA-470 CVE-2025-27465
- x86: Transitive Scheduler Attacks
XSA-471 CVE-2024-36350 CVE-2024-36357
- Multiple vulnerabilities in the Viridian interface
XSA-472 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143
- Arm issues with page refcounting
XSA-473 CVE-2025-58144 CVE-2025-58145
- x86: Incorrect input sanitisation in Viridian hypercalls
XSA-475 CVE-2025-58147 CVE-2025-58148
- Incorrect removal of permissions on PCI device unplug
XSA-476 CVE-2025-58149
* Note that the following XSA are not listed, because...
- XSA-468 applies to Windows PV drivers
- XSA-474 applies to XAPI which is not included in Debian
.
Packaging minor fixes and improvements:
* debian/salsa-ci.yml: adjust for trixie and new salsa-ci pipeline
Checksums-Sha1:
17554dec0ff099ceac4041ad7e001a29c09f543c 4047
xen_4.20.2+7-g1badcf5035-0+deb13u1.dsc
24bd3f07ebb7c56981501afc2375370c5d571222 4953752
xen_4.20.2+7-g1badcf5035.orig.tar.xz
cfe93818e61d4abb4c3182bc191752437c3514dc 138828
xen_4.20.2+7-g1badcf5035-0+deb13u1.debian.tar.xz
Checksums-Sha256:
09ef5bf1580062cd1062ca29bd552cb0211fd2ef0f43014dac5e08e2bd98fbb6 4047
xen_4.20.2+7-g1badcf5035-0+deb13u1.dsc
8476bb9e37fd8f7d7a0e465d43767697258120b1362575110a9c377aca026483 4953752
xen_4.20.2+7-g1badcf5035.orig.tar.xz
3c5800f5e0a4ff94eb0ced70d82b18cfc7cd3c6eaa2c5a27fc6cdfd1b514e5c5 138828
xen_4.20.2+7-g1badcf5035-0+deb13u1.debian.tar.xz
Files:
49e94e2c83385560291daa245f0af047 4047 admin optional
xen_4.20.2+7-g1badcf5035-0+deb13u1.dsc
d6ff179cc60c91c5bd2fbf5f04b0012f 4953752 admin optional
xen_4.20.2+7-g1badcf5035.orig.tar.xz
609b59eb39922a2f3a73119d5b0218ea 138828 admin optional
xen_4.20.2+7-g1badcf5035-0+deb13u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmku1SIACgkQEMKTtsN8
TjYlCQ/7BGqomQ63yd8vBYyV8wtnYkjint6vMiAAvfLPiPmOmEVYI/Ffi/2nD90v
n8OZ00Ezpd5lj3WfjTryNe1xrsI4prdCw79E9WrEFjJ9nrQ2n8AGtYyHd2dNg9Dh
TdM/u8xqg8gipYbgbvMvnKghyhZaGdFNtu/qyjys9BwpETg2Gl4VI7FilzfC2ASW
2VqmtKfyvTH1BxUtW68CWs8pjso/VwQR3DKopcCp0caDK4J8fGdX45Kpi8hNMSP0
yqM/fbeY+N+rMSSVXFRli4MWvm5DapzOg2GIBenHhfQyjw5Y73DrCpMj3sfvMnBT
BUC8VdlBNCamreOxtWH0n9KIKYU3MLgN8rJ9Pcg9M25ZRgSLXBlU5caCZhd4h8sS
iNeujrtzvu1ZtP7eeK+u0BE7h0Fn/MUxwP6P9h2VsW7lEH+rL3v62xiYCIqWbW6i
jEajrHgIghufppSnLCIf5Lc5O8z/V35tZonEUpSy25nxYOtfiy4h1Oz13R24nPtS
+Xbminl5nbSpIlIBO1KHkzGnUFm+bXivZpnAP2Y0WVnURgAfnNeT7OtZoYMOlWcq
ayyK/CpwGfwF7Y7RbzyrzDYs5aClnazIA5H8meDMo0YpsLLzgu1vZ4PNaikL931L
Fm0w/caz6feF/l6mhwEhlxM1bm6LEFl+2Ur5H4VJ+74b4iUMNlI=
=nChq
-----END PGP SIGNATURE-----
pgpm7d9N8jFWe.pgp
Description: PGP signature
--- End Message ---
