On 2018-10-24 11:24:28, Antoine Beaupré wrote: > On 2018-10-23 14:03:37, Peter Dreuw wrote: >> Hello, everyone, >> >> I prepared another set of fixes based on the current Xen package on >> jessie-security (4.4.4lts2-0+deb8u1, DLA-1549). >> >> These fixes include >> >> CVE-2017-15595 / xsa 240 >> CVE-2017-15593 / xsa 242 >> CVE-2017-15592 / xsa 243 >> CVE-2017-16693 / xsa 244 >> CVE-2017-17044 / xsa 246 >> CVE-2017-17045 / xsa 247 >> CVE-2018-10472 / xsa 258 >> CVE-2018-10981 / xsa 262 >> >> The testing packages are available here: >> >> https://share.credativ.com/~pdr/xen-test/ > > I'll be reviewing those diffs shortly, thanks!
I've given that a shot and, unfortunately, the actual contents of the patchset goes over my head, so I cannot provide useful feedback on those. When I worked on Xen/qemu before, I was content to just adapt the upstream patches without auditing the fix itself, for what it's worth. So I have reviewed the patches in that context and they generally seem to reflect upstreams' intention, for what that's worth. The only issues I could find were whitespace and shouldn't affect functionality. (In XSA-240 [20c8d60a5c], a comment block present in the upstream patch [0003-x86-dont-wrongly-trigger-linear-page-table-assertion.patch] is missing. Purely cosmetic. Whitespace noise is introduced in 49721ad27a which might make future merges needlessly harder. There's a similar issue in XSA-247 [06d16d9c].) Again, that's assuming that upstream patchsets backport logically into 4.4. Many XSAs have 4.5 patches (or in some cases 4.6) so it's not that big of a leap. Thanks for the hard work! A.
