Information
Advisory       | XSA-474
Public release | 2025-09-09 11:53
Updated        | 2025-09-09 11:53
Version        | 2
CVE(s)         | CVE-2025-58146
Title          | XAPI UTF-8 string handling
Files
advisory-474.txt (signed advisory file)
xsa474.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2025-58146 / XSA-474
version 2
XAPI UTF-8 string handling
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
There are multiple issues.
1. Updates to the XAPI database sanitise input strings, but try
generating the notification using the unsanitised input. This
causes the database's event thread to terminate and cease further
processing.
2. XAPI's UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI
uses libraries which conform to the stricter v3.1 of the Unicode
spec. This causes some strings to be accepted as valid UTF-8 by
XAPI, but rejected by other libraries in use. Notably, such strings
can be entered into the database, after which the database can no
longer be loaded.
3. There is no input sanitisation for Map/Set updates on objects in the
XAPI database.
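The mismatch in issue 2 is easiest to see with two validators side by side. The following Python is an added illustration, not code from the advisory or from XAPI: the lenient checker models a structural-only reading of UTF-8 (the assumption here is that the pre-3.1 behaviour amounts to accepting non-shortest-form and surrogate sequences; XAPI's actual checker is not shown on this page), while the strict checker applies the Unicode 3.1 and later (RFC 3629) rules. `find_mismatches` returns exactly the class of input that one side stores and the other side refuses to load, and `strip_ill_formed` performs the same operation as the advisory's `iconv -f UTF-8 -t UTF-8//IGNORE` repair step. All sample byte strings are constructed for the example.

```python
# Added illustration of the UTF-8 validator mismatch described in issue 2.
# The lenient checker models a pre-Unicode-3.1 structural check (an
# assumption: XAPI's real checker is not on the page); the strict checker
# applies the Unicode 3.1 / RFC 3629 rules.

# Constructed sample strings, not taken from any XAPI database.
WELL_FORMED = "vm-name-\u00fc".encode("utf-8")  # 'ü' as the 2-byte C3 BC
OVERLONG_SLASH = b"vm\xc0\xafname"   # '/' (U+002F) in non-shortest 2-byte form
SURROGATE = b"vm\xed\xa0\x80name"    # U+D800, a lone surrogate, encoded as 3 bytes
TRUNCATED = b"vm\xc3"                # lead byte whose continuation byte is missing


def _sequence_length(lead: int) -> int:
    """Length implied by a lead byte; 0 if the byte cannot start a sequence."""
    if lead < 0x80:
        return 1
    if 0xC0 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF7:
        return 4
    return 0


def _decode_sequence(data: bytes, i: int):
    """Decode one sequence starting at offset i.

    Returns (length, code_point), or None when the lead byte is invalid, the
    input is truncated, or a continuation byte lacks the 10xxxxxx form.
    No range checks happen here; the two validators differ only in those.
    """
    n = _sequence_length(data[i])
    if n == 0 or i + n > len(data):
        return None
    cp = data[i] if n == 1 else data[i] & (0x7F >> n)
    for j in range(1, n):
        b = data[i + j]
        if b & 0xC0 != 0x80:
            return None
        cp = (cp << 6) | (b & 0x3F)
    return n, cp


def validate_lenient(data: bytes) -> bool:
    """Structure only: a lead byte plus the right number of continuation bytes.

    Overlong encodings and surrogates pass; this is the looser reading the
    advisory contrasts with the stricter Unicode 3.1 libraries.
    """
    i = 0
    while i < len(data):
        seq = _decode_sequence(data, i)
        if seq is None:
            return False
        i += seq[0]
    return True


def validate_strict(data: bytes) -> bool:
    """Unicode 3.1 and later (RFC 3629): shortest form only, no surrogates,
    nothing above U+10FFFF."""
    i = 0
    while i < len(data):
        seq = _decode_sequence(data, i)
        if seq is None:
            return False
        n, cp = seq
        shortest = (0x0, 0x80, 0x800, 0x10000)[n - 1]
        if cp < shortest or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            return False
        i += n
    return True


def find_mismatches(strings):
    """Inputs the lenient check admits but the strict check rejects: the
    strings that can be written to the database and then prevent reloading."""
    return [s for s in strings if validate_lenient(s) and not validate_strict(s)]


def python_decoder_accepts(data: bytes) -> bool:
    """Python's own decoder applies the strict rules, like the stricter
    libraries the advisory describes."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def strip_ill_formed(data: bytes) -> bytes:
    """Drop bytes a strict decoder rejects: the same operation as the
    advisory's `iconv -f UTF-8 -t UTF-8//IGNORE` repair step."""
    return data.decode("utf-8", errors="ignore").encode("utf-8")


if __name__ == "__main__":
    samples = [WELL_FORMED, OVERLONG_SLASH, SURROGATE, TRUNCATED]
    for s in samples:
        print(s, "lenient:", validate_lenient(s), "strict:", validate_strict(s))
    print("mismatches:", find_mismatches(samples))
    print("repaired:", strip_ill_formed(OVERLONG_SLASH))
```

The defensive takeaway is that input validation has to use the strictest decoder anywhere in the pipeline, not the most permissive one; a string that passes `validate_lenient` but fails `validate_strict` is accepted on write and then rejected on every subsequent load, which is the restart loop the RESOLUTION section describes.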
IMPACT
======
Buggy or malicious inputs to XAPI can cause a Denial of Service.
VULNERABLE SYSTEMS
==================
All versions of XAPI are believed to be vulnerable.
Issues 1 and 2 can be leveraged by a guest administrator.
Issue 3 can only be leveraged by an authenticated API user.
MITIGATION
==========
There are no mitigations.
CREDITS
=======
This issue was discovered by Edwin Török from XenServer.
RESOLUTION
==========
An updated XAPI, built with the attached patch, needs to be deployed to
resolve the issue. If XAPI restarts correctly, no further action is
necessary.
If bad strings have been entered into the database, XAPI will get into a
restart loop, citing:
[error||0 ||backtrace] Xapi.watchdog failed with exception Xmlm.Error(999:42777, "malformed character stream")
in /var/log/xensource.log roughly every 4 seconds.
To resolve this, the bad characters need stripping manually from the
database. In dom0, something along the lines of:
cd /var/xapi
# Stop XAPI so the database is not rewritten while it is being repaired.
service xapi stop
# Keep an untouched copy to fall back to.
cp state.db state.bak
# Re-encode the database, dropping any bytes that are not valid UTF-8.
iconv -f UTF-8 -t UTF-8//IGNORE < state.db > state.$$
mv state.$$ state.db
service xapi start
xsa474.patch XAPI master
$ sha256sum xsa474*
e3c7ce7522252b25710062f1c761b5f1e319dab2129fc7c1d9fd6440f9331a9f xsa474.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmjAFVEMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZCBUIAKiQgLyn/B876QeNwBbHk30wylE9ep1okFBuGhBa
zhpwNJrJeqnzEfw3ma3v+gDiy/qNp6AKhg8U1GGmF9WyJ4I3c3oA/ATfkN5Kms/W
NQnisqExSgo/d8SK0udyk7BCtI0Z+jYxdmnLcPyJgCHOJflZ2CCIpsz6VVvQqq0Y
bSgylgrhhQa8+yQ9xWOQHeEzle89JR4JLTRCUzg4AyTUuxaiHGP8zRj9uwgdwkJZ
nou+4dQxzE3YhzPjz15j+l9JY8zVUsyzMjsXC0W1EnXuzYGJxuiy8oqaMaqlx7+e
hO6fU1iy9ZkIgXPqhAMLlexLkR47Bgw1HLFh4f2XdyqSnBw=
=Zist
-----END PGP SIGNATURE-----
Xenproject.org Security Team