Xen Security Advisory CVE-2025-58146 / XSA-474
version 2

XAPI UTF-8 string handling

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

There are multiple issues.

1. Updates to the XAPI database sanitise input strings, but try
   generating the notification using the unsanitised input. This causes
   the database's event thread to terminate and cease further
   processing.

2. XAPI's UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI
   uses libraries which conform to the stricter v3.1 of the Unicode
   spec. This causes some strings to be accepted as valid UTF-8 by
   XAPI, but rejected by other libraries in use.

   Notably, such strings can be entered into the database, after which
   the database can no longer be loaded.

3. There is no input sanitisation for Map/Set updates on objects in the
   XAPI database.

IMPACT
======

Buggy or malicious inputs to XAPI can cause a Denial of Service.

VULNERABLE SYSTEMS
==================

All versions of XAPI are believed to be vulnerable.

Issues 1 and 2 can be leveraged by a guest administrator. Issue 3 can
only be leveraged by an authenticated API user.

MITIGATION
==========

There are no mitigations.

CREDITS
=======

This issue was discovered by Edwin Török from XenServer.

RESOLUTION
==========

An updated XAPI, built with the attached patch, needs to be deployed to
resolve the issue.

If XAPI restarts correctly, no further action is necessary.

If bad strings have been entered into the database, XAPI will get into
a restart loop, citing:

  [error||0 ||backtrace] Xapi.watchdog failed with exception Xmlm.Error(999:42777, "malformed character stream")

in /var/log/xensource.log roughly every 4 seconds. To resolve this, the
bad characters need stripping manually from the database.
In dom0, something along the lines of:

  cd /var/xapi
  service xapi stop
  cp state.db state.bak
  iconv -f UTF-8 -t UTF-8//IGNORE < state.db > state.$$
  mv state.$$ state.db
  service xapi start

xsa474.patch           XAPI master

$ sha256sum xsa474*
e3c7ce7522252b25710062f1c761b5f1e319dab2129fc7c1d9fd6440f9331a9f  xsa474.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or others
which are substantially similar) is permitted during the embargo, even
on public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in post-embargo
publicly released Xen Project advisories, even though it is then no
longer applicable. This is to enable the community to have oversight of
the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
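Issue 2 turns on the gap between the Unicode 3.0 and 3.1 definitions of UTF-8: 3.1 made overlong (non-shortest-form) encodings and encoded UTF-16 surrogates ill-formed, so a structure-only check accepts bytes that a conforming library later rejects. The Python below is an added illustration, not XAPI's or the patch's code: one decoder run in a lenient and a strict mode over constructed sample strings, plus a strip routine with the same byte-dropping effect as the iconv //IGNORE step in the recovery procedure above.

```python
# Added example (not XAPI code): lenient (structure-only, Unicode 3.0 style)
# versus strict (Unicode 3.1 / RFC 3629) UTF-8 validation, and stripping.

def _next_char(data: bytes, i: int, strict: bool):
    """Decode one UTF-8 sequence at data[i]; return (code_point, length)
    or None if malformed. Lenient mode checks only lead/continuation
    byte structure, so overlong forms and surrogates pass; strict mode
    also requires shortest form, no U+D800..U+DFFF, nothing > U+10FFFF."""
    b = data[i]
    if b < 0x80:
        cp, need, minimum = b, 0, 0
    elif 0xC0 <= b <= 0xDF:
        cp, need, minimum = b & 0x1F, 1, 0x80
    elif 0xE0 <= b <= 0xEF:
        cp, need, minimum = b & 0x0F, 2, 0x800
    elif 0xF0 <= b <= 0xF7:
        cp, need, minimum = b & 0x07, 3, 0x10000
    else:
        return None                      # stray continuation byte or 0xF8..0xFF
    if i + 1 + need > len(data):
        return None                      # truncated sequence
    for k in range(1, need + 1):
        c = data[i + k]
        if c & 0xC0 != 0x80:
            return None                  # expected a continuation byte
        cp = (cp << 6) | (c & 0x3F)
    if strict and (cp < minimum or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF):
        return None                      # overlong, surrogate, or out of range
    return cp, 1 + need

def is_valid_utf8(data: bytes, strict: bool) -> bool:
    i = 0
    while i < len(data):
        r = _next_char(data, i, strict)
        if r is None:
            return False
        i += r[1]
    return True

def strip_invalid(data: bytes) -> bytes:
    """Drop bytes that do not start a strictly valid sequence, one byte at
    a time, like iconv's //IGNORE; the result always passes strict mode."""
    out, i = bytearray(), 0
    while i < len(data):
        r = _next_char(data, i, True)
        if r is None:
            i += 1
        else:
            out += data[i:i + r[1]]
            i += r[1]
    return bytes(out)

# Constructed samples: an overlong '/' (C0 AF) and an encoded UTF-16
# surrogate (ED A0 80) embedded in a VM-name-like string.
SAMPLES = {
    "plain": "vm-name-\u00e9".encode("utf-8"),
    "overlong_slash": b"vm\xc0\xafname",
    "surrogate": b"vm\xed\xa0\x80name",
}
```

Run `is_valid_utf8(s, False)` and `is_valid_utf8(s, True)` over the samples: both malformed samples pass the lenient check and fail the strict one, which is exactly the accept-then-fail-to-reload pattern described in issue 2.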