fix security bugs #499054, #499124

Package-Manager: portage-2.2.8/cvs/Linux x86_64
Manifest-Sign-Key: 0xAABEFD55

7 files changed, 379 insertions, 15 deletions

diff --git a/app-emulation/xen/ChangeLog b/app-emulation/xen/ChangeLog
index 4db995ae9fd1..6c36f02438d2 100644
--- a/app-emulation/xen/ChangeLog
+++ b/app-emulation/xen/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for app-emulation/xen
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.143 2014/01/17 02:44:09 dlan Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.144 2014/01/24 15:25:38 dlan Exp $
+
+*xen-4.3.1-r4 (24 Jan 2014)
+*xen-4.2.2-r3 (24 Jan 2014)
+
+  24 Jan 2014; Yixun Lan <dlan@gentoo.org> +xen-4.2.2-r3.ebuild,
+  +xen-4.3.1-r4.ebuild, +files/xen-4-XSA-83.patch, +files/xen-4.2-XSA-87.patch,
+  +files/xen-4.3-XSA-87.patch:
+  fix security bugs #499054, #499124
 
 *xen-4.2.2-r2 (17 Jan 2014)
 
diff --git a/app-emulation/xen/Manifest b/app-emulation/xen/Manifest
index 007bec511ef7..fc6a60190d08 100644
--- a/app-emulation/xen/Manifest
+++ b/app-emulation/xen/Manifest
@@ -8,13 +8,16 @@ AUX xen-4-CVE-2013-1918-XSA-45_4.patch 5813 SHA256 6eaefb1987f1ccf891cd68c03e996
 AUX xen-4-CVE-2013-1918-XSA-45_5.patch 6257 SHA256 406e3bd7147fea805bdf6f201bc17322cd2cd662ede094b1a039ba71b095bb3e SHA512 976e5f72380921e89feb16c5aa5209a56a4b61f76676bca9ed15d7af787df5901a77f35e5d3506087ff9be259170636872218b7a755add938bb8b36b0a976203 WHIRLPOOL 71e3df3b62c6a007aebc3a0c732653bee22ecda4cb3cc6ff041a4db2de9ff16cbb8648389f645846d29cb6405c54e6f85db5334624ef764c925482a74a276179
 AUX xen-4-CVE-2013-1918-XSA-45_6.patch 4291 SHA256 6e4344e3dcb544537bbef869a34cff38a4611cddc34d18469633d3b3d35db78b SHA512 a2da3415c07c77b8c38d52bc32b04ced955f272f4294572375ba16465aaed8a4a66ea0dd8034ef67e1f6e293b82f58988ec306908b7df6a86ee1c52890f47ca4 WHIRLPOOL 12c736899b40f7cad75fac5ab575b759160dcc0bf1ba9ca766c50258072bf20324f3663f60e3c7ed75323fdb91fab12390373d749d451ee68cfe72bb2ca70a93
 AUX xen-4-CVE-2013-1918-XSA-45_7.patch 8129 SHA256 7fca1b6025d6ac1a444333b2fe1381af093ca601ac8045f68a29c2a83d520e48 SHA512 7f8fab52ca4aa361729eeb21f977fe1237f6b94b8f35e5d37ea783c60d7053da9a975af20c07c2cd1d21d52880121a5ea83ed0abd3ec2a38a75caee797489096 WHIRLPOOL 567cfd129d6347c95cd08d296053d043430b0c2ff157991a899b205c68b421614d4a8829eed8ff2748fb107b485db11b5d04599cd2a4c4bd5e225fe9821919a4
+AUX xen-4-XSA-83.patch 598 SHA256 71ba62c024ed867f99f335ed63d7e04a7981d348cc29a3718e5c48f15a1e0fb1 SHA512 8ca0f9e896da10ad32b93e7dfa908550180912b0f1eeb8be214f54fb6cc6c7a925df26db6521a37430e5e66c31e3eafb8a7169ff92097adaff7227cb95759c14 WHIRLPOOL b7369455f0dbcb37c3a3b7afe8de1e47e3303ead0a37c7e2ae13c5ebd66031bbfca21b6f4fb8a1191e32ef17a5fe74564c93ec7861f4a8d7dbc815fecfb6e068
 AUX xen-4-fix_dotconfig-gcc.patch 1525 SHA256 943119cde08d16d05a927a85fb54ee4cee323cb4870dd0d90a552051fedc9907 SHA512 aa507594d96159c4e01ccfc4781f9afe7b6fe125c9df5925128c002f28fdf04999954b523cc53c6d7eaa49cb6e05120605f4e7d6f8bab6d5718d73a60b5accea WHIRLPOOL 6f4395203199b8037363ed56256e12f426f0c26f449c5e4a001c5454370a0e412f18cd03099866c30592ee0413556b85b3c374efb7172212db37ff3891c004af
 AUX xen-4.2-2013-2076-XSA-52to54.patch 5214 SHA256 47c6609b32e6cebb73070a8b5767dc3bf44f2a73c8a5a1bfe41bbc9ac86981c1 SHA512 9f1a7fec53bf2d07667f0cb9a209cf3013e75b2881c5cae78ec5c3584994bb674034c77b9acbf5947c9d798276d50f2a5c09683afcae27741227abfb819e5ca9 WHIRLPOOL 53a62257456f8cdf8363dfafec0321c02547d04d1e084dc9c57307afc152765f3ec20de3cdc74e62eda88932e6e1ae647c8d3820f9214d2630aba6d7c22d9416
 AUX xen-4.2-CVE-2013-1432-XSA-58.patch 4630 SHA256 974d6495089b0168ff528d89009ddb5856dbeab5a2b366a412a58d8de574377c SHA512 d082d96adf31bf2507e96425081baeeb5ed7b639e4c41c295ec7e7d7a7617214883999a81890add93c7c833665ed1e3aa8fbce63b14260c00ddb41ffd37d00c4 WHIRLPOOL e2c744548500fe481094aad40c16c85477edef17610ac15849ee0a70c9577802000b31b7353b71b91434818477c20f2835a7072f73e5c5c98a12112e87c3aa59
 AUX xen-4.2-CVE-2013-4553-XSA-74.patch 1499 SHA256 0f7d0bbfbd7f3f1b6f6005321fa45081524dad438587f691e6892cc393327f89 SHA512 cbcc6e8dd5cb9b1b699e5acd17ece100739e37d3c752f54320fda4526a79bd8280e24a1c7bd6fec32756d3602b5efdcdf274f9608b9850bbd0afe324c9152be1 WHIRLPOOL 5a4b34c7ebedb0f6e2114cfaddafa38cd160d43f9e0037387871c013ec9574d9a9c4541027e64f8cfb90a370879a7f7553bc5813f7252179fe065236aec80fda
+AUX xen-4.2-XSA-87.patch 616 SHA256 df9c1507d7bb0e5266a2fadd992d1e6ed0f7bf5be7466b8a93ed3bd8e3ab8e8d SHA512 819afdaefbf9d9033df6ffb0b0bc2e556e583fe64152f280d7cb9a7e4735239eb90eaec0b1d3a798ccb2c8f72c23ef4e8e04eb8ff5892be1e8128094370e0427 WHIRLPOOL b797fdb7844da641913414815716173c0d60e48b4304df5231ad5958c1d1690fbe04ea45158e380afbc2767303649551ff0dbec03142a8d95bdab5da60320dc4
 AUX xen-4.2-efi.patch 2216 SHA256 0886961e2656fe7e140dd0ac0e6620d4c14ef0796b8f8889bda163e2a9f8db8b SHA512 ecaa4f1f1c3ca737931fe5343529708dfb7ec7040dbf2acf2b155e7c7f019ce3e2630ddb302213570a2647fe220dbf23eb6c28618d6b1be9161e25fcadd71cb4 WHIRLPOOL 63b56e22683b2755ae17e7871c1b535d750f655ff8c003979d039654f5ef3303457b5d4469f216c1744202d4d1f4561f7498c1d93171ab1110a93e3a2fa8db8d
 AUX xen-4.3-CVE-2013-4553-XSA-74.patch 1389 SHA256 b505cdba662b1b1cd91d5611fac998c6b4e89e366780c6b9864b6965075afb38 SHA512 fc0c1a1777a751096bc5990eee04e754deed2f18b8c8a5d65bf19c71ba9788599369f51e2d518f613e8cea8cb0d2d22ad60cec4d1b8805d7bd8e0818a54afb2b WHIRLPOOL e324f4922f61a22840ac0268fe2643a0fe496409d12a5797d7ba057ecd4982f8a9224e20615721c34680d45145d3933090ca1a11644cd2ca8f312995c3cba96f
 AUX xen-4.3-CVE-2013-6375-XSA-75.patch 1748 SHA256 039a74a4ccd1f17a5fd5341d160af87b14875dc1b2e46d8e4d337581031228d8 SHA512 195d147643b626ab9265d83ba2d7fbdef7b5716533682b723f32cbbbde6089fafb49e11c68ba6d323bb120fb0d34d85caf5ec5759048f60ba9096e479729c32b WHIRLPOOL eb52b7334ead997fea54810498be22bf47bcd2230a2ea2552b6125f3f78b5f9f9df49a7625c43ed700b3e56c6ea8979171e6be2e6d54d53c706517fc901d4702
+AUX xen-4.3-XSA-87.patch 916 SHA256 a13ce270b177d33537d627b85471abaa01215cd458541f4c6524914d7c81eb38 SHA512 a1ad45f8311787ac0e1ed1a186f9c4e9aea924398ec7bbbc5b1e4b2d3b4617e113b385ff2aee854458270b0d73ed11defac5dfe603b1fd7b97f4c951def559b3 WHIRLPOOL b3a36c01d4e0bca3c5df42488f9bfc91e756af8c899d7414b81b7dac2bb60733555321b607ed229817ac546ebce65fddce0f8781909d7021d19b44a931fb85bf
 AUX xen-4.3-fix_dotconfig-gcc.patch 8854 SHA256 4e0d22acdb4ecc4a1d418ec91bc6ddb9ef1c283ee3ca1f67bac85d3116d76ccc SHA512 b4c969b0cf166862ea5c5cb0912d7dae8c5bf7befd6dd6bdf4e56df8a4daf85c0a36c94247053f74edc0f24b1c15a18e7ddae9d24ad28d54b726a1fbbab442be WHIRLPOOL de7b614ae486fd2cc591b405b475745b003c638c9be4c8153b61a368802af36d2a2974d1e022eb14fb58ad9260f9f82c438c84cb65c3499076c579f7e1c3e6ad
 AUX xen-CVE-2013-1442-XSA-62.patch 1350 SHA256 364577f317a714099c068eb1ab771643ada99b5067fdd1eb5149fa5db649b856 SHA512 4738a229a6f18d670da07b3acbaf6e227af5fb3e7b0b414dc98671be02208aefc66ebe07f7396d9158d0fa15993b9d418fd65747880c64694b1a06b8be961419 WHIRLPOOL 758aed345d0c5792a5d5a53200ef5094e662be507823010bb7dcfcccd07bc38b897d67295abf2d5d5b3f1b93efc9c684af78da6e3e3d77ecb65ef69fe2f5fa6d
 AUX xen-CVE-2013-4355-XSA-63.patch 5872 SHA256 32fa93d8ebdfbe85931c52010bf9e561fdae8846462c5b1f2fbc217ca36f3005 SHA512 f972de0910dff2109fc18911eeaf789963ec457d2a21029abc9615088d2c8446028effec6c1c01e080ae3479e704175e19040c09053c8ad60c0b38c7d2ec3859 WHIRLPOOL 186fcc663d6025164fc38d9aa5faf2272aaf6d3a7f2f8ba831fac28e672958776ae80cf3e92a9d6c99230bc80c6a4c83d5fa313225d4ba5594e06e1ad55e732f
@@ -32,27 +35,29 @@ DIST xen-4.3.0.tar.gz 16425975 SHA256 e1e9faabe4886e2227aacdbde74410653b233d6664
 DIST xen-4.3.1.tar.gz 16429423 SHA256 3b5b7cc508b1739753585b5c25635471cdcef680e8770a78bf6ef9333d26a9fd SHA512 f5250ad5ad3defc5dc1207eb6208a3928128ef57ac4162018bd92b750dc1df1eaaf37835528aca33a0f9e04c82d5f8c4ba79c03a1780d2b72cbb90cc26f77275 WHIRLPOOL 087390786cea9aee273a5d81988436303991aa5ea92faf111d3b619517368f8c8feef84f4f8c602cac723980a344eb90414887db4ca88a2ee14bc6b0253e36ca
 EBUILD xen-4.2.2-r1.ebuild 3756 SHA256 2ad7f2faed080ea2e4d991d7dd902826059e4a22b444e2f1b74b5bc1e54d50a2 SHA512 c6041bf852ffa425d93134e9c08334c71e96dc9cb795c8bc7a5eb485fa46d55f5de61ff9db55d484cbe0b641d9e850e4eb7c0eefd1b021ed21a050e1e78c4177 WHIRLPOOL 86e7873cc84b01064c1e7cd46003a43104257a3f7330a1433d85ce841b658a0a35e18f9284b8520a497b408d4b5ab6ce76cb1af67fb42019b86517f4b51f2d61
 EBUILD xen-4.2.2-r2.ebuild 3960 SHA256 900f4103020bbf8acfd4ba57b08fbfad9ee0e4b51b57a5d156a682e04f9eb966 SHA512 60c0a8db14912f268d006683fade7f4585adeae12f47acdc88229f1fb0e28857568ba8f3e73788cf93e46699ebb14d4ba1c9e8769f3ed0940e5757ab5b1d2187 WHIRLPOOL aaaca7e59461f2e453f726fed75c5f4fd86a21d8007c57ee34bf6d5a8d7069a39cb2761d5ed275bdce78d3a06d7d1436990673ebc99aa00bfe0f61ea77435378
+EBUILD xen-4.2.2-r3.ebuild 4069 SHA256 d1f43bd402e14a42fa082804d9c7aa0644f77999b2ec11bae346cd066f652571 SHA512 44d4fd1df859e5ac8ab88b3312417e097ad16c72716d80c121ea98a2cfe257a5a96a42a31dbd23b06912528cb4ff438028e4c6031c7a200d8f45f11fc270c7a5 WHIRLPOOL 0f99b062996ce66959dfbda005bcadb58bda37fe7ce3f99363e2612c3afa26a8f2cc5c7d695ffd6868ff6b28e40e1a219c0576418b53b1db13e76ad78efe9785
 EBUILD xen-4.3.0-r5.ebuild 4001 SHA256 c130508a98be094896e5591cd08f8c0d4e10e066d8f01ecd92c5f11a9d60d596 SHA512 fe286cf3a450cbfb6ffaff98c1b90058a3b87b38ca4b3d7c891694268d7def9c04a387b3887ee25890f6cd550cddf969b1190bb709b4edb5663ed5b605d85790 WHIRLPOOL 58ddb50537f7fe41b91d37d7524793b7ef8f96964519227497cdf2e91035adfde1c46da2dc382b10c3bcb928cce88c5cf4f706820f56e15cd54091de97a6ef7d
 EBUILD xen-4.3.0-r6.ebuild 4185 SHA256 a1ecb708f9ad25c1dbc14b6451dbd59ba044cafb3f5c82404edcaa8b4fae5e84 SHA512 c8c84ed4845beab38980438708142f4b66100550bf475a812bbf7f35e504bd0a955da0502b08068e178cabfbc12c52e9029a764af1bfea6e9ea881cda5b97909 WHIRLPOOL a1584811e7d98d015178cc9697478d1e01f9e0996a8437f8c923be4e7f330bf2d4f148eab79290fdf7073c65678ae07f0607440e8973b326cc7300c1838bd121
 EBUILD xen-4.3.1-r1.ebuild 3901 SHA256 a94af83d0bb8ffcebd66223309818da75c60507ae2c9e803eac7488fd3970de9 SHA512 12ea99f6475d9c40c00b3aae81ba620a28fd65f72e93c93c5cd516e61966a6fc3d7a5b17919cb2704e08c9ff354b9d7fa610c461ff71ec99e11eed82ad7735f5 WHIRLPOOL 0c8ba609acb43bdc3df00b1298519b1bbabb941f032f43a6b386b5570da83767d929fbd1ef07e2b5a80b538544fcd2ec1cd0807f4f58840b6f7d7e25205fafc4
 EBUILD xen-4.3.1-r2.ebuild 3739 SHA256 69853f082f0d8149305f336f5d41680c2fa570290e0f57e6cf6b6f6b1a4c0418 SHA512 9bb7d8f5424ebcbe20817b995be3114340105b482319790d3acbb2b4791ebfc8cd5b954ae0ff7b2d463568749c4fc8dca741e9568d0f719c4ac968c23c26834d WHIRLPOOL 9ffd980cc54a397eb21416a20d640b5970cbd94cd271d1452024471abf50e0bca18c478de478a70a675ed00c192139cc6a36a2524ef2b7cc0da49d97e2149016
 EBUILD xen-4.3.1-r3.ebuild 3939 SHA256 aeed29b4535b7fc250b61d5fd9943646016326ece0bc1d16563ffc08f7e7aab7 SHA512 53e832cc8a5bd3702ec358b4ad3d24f0715a3237c91828ab66f149000890655cf8dff24c715adccb23d6ce1de5a6d587443e707d1f98408c7c6d643de11f4a2c WHIRLPOOL d65b7f5dd3035cd3ba2b32abfea28888226832b63acd9c49a81ce0ce90ea8d554e6e5b361cca54119a27d110287158e3c00a4799873115a0ae04c88bd6a2c8ec
-MISC ChangeLog 26285 SHA256 64af3f056c39b6e45e45d4f3111e24abaef2765919372284f5b4fdf34f16b01b SHA512 567ebbf90df80ced85bf72e49ef75fb9addc25b7ee7f3b736e91b87347f52fa4f7a0bb3ee6102ee69c5e3da1e50a6348249be210f54121728620aa5242a66726 WHIRLPOOL 05d40bd96d17706ca17785376750209d83e0ae93cd7b38630cc38f54e25285453d022664a0c6e52c63f68744e7cd61383964af76a6f93b9bf3dbe733c2a00657
+EBUILD xen-4.3.1-r4.ebuild 4043 SHA256 3bfdc26ab446d9fcef07f19135b15ea251dcc6e07f86dcf21adb7c8df606fc0b SHA512 d4c7c35268f6f69eeef12445dd96d5fe67fe5a3d6e67a8199d6b52e2e84da02a6b245f7d2b4262e8e50d0f63d30040a26b685e1c1c7348dbfb5e4cb4f6774568 WHIRLPOOL b59b698829b6572cedef7cb4527e2e99afa3b61b680147f8534970b9a8045fd0371847d73a5fabeca43d0b60593a797d34d4f794e6794412855f2764137eda98
+MISC ChangeLog 26556 SHA256 a4cdac09a00540edc9730dea610da276c24a32f29e7ec1ed0d4dedb71a04a0c6 SHA512 d04bc5fd7a9eaeaaefa187bfac796274379aeaa7d97390c2f9622c14576623eab234aa91bd7a79f11958cc8a6002465fec9576e3783f7f92f3f7fce7a5c5372d WHIRLPOOL 506b8d6468021e0efdfc1a9b4077534f7e21e013154dc19cb34e8d530bb5e1fac90dcd029155bab021a372ce7a542a5e32241ec6e336db6bc3ee03ebbf662977
 MISC metadata.xml 572 SHA256 0f510aa5a7261b30e5eff6961fa9dd95b19db63e0eea93cfad1d47460318ba07 SHA512 8bbca8d353aa3b556783bddd4822b97c0372b169edb89ff2907a00895e014ff9dba9e8efccf04f45de8a69ce63849505455e9735c224700d1ebf93aa3f097ac5 WHIRLPOOL 1f5517720776198868cf5a0165b9daf2ee48187bde4ad4d86533c65898da608bde779289df7ef83eaf076e0ce284607fc21f61fc3ca0baaf86873ca400491d0e
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
-iQIcBAEBCAAGBQJS2JaWAAoJEJIMDbyqvv1VEpMP/3VM1B2bYd9x4ZZZMf6y0sPp
-BVFP4RbACbMmfcV9z1gQzBc+nRbTpl0rnrzFn79oG07u8pPGgDfw2FxH4PH0pIQy
-vJneJLkd7N1UM2FYi1FaR/at2IC0cKzy/aY7ZKTghPT/02yLwf/T3YoLHmG56w9v
-NCtwgpNF1SwllFeqN+wQNi4M/ak8wnD42j7iguEZ4Pg0gM0iO9Mj9OzfA6MeJtuU
-JSQWBxmeIN/pH512FEYDl/q72c2Wkt22gmxFp3HqIcy4yWk8hRXaDdY6Afoza+cW
-r0awsF7raq1ZCqdnTiL+dkewlTVDCgpZu8+cG65Z0jWViIvn9IJSPAV/H68ulRqn
-gWNq8WjuXwM13Zc7s4PlbU+YOaOxRYPWjLUacsSQLfua+h1yob6S7r4eQZO8U5Fu
-/12phmFHmT+Aj3gvgRk45KG/UzXKYwegpRjrY0rayXltskQlZvtsoIW/bMZs5Z8A
-NUDQtGdcJWZSayeTM9/bXt2H4I8bGaujE3i2gZ4Nu//bmgF6GICfdclVUt2RnRBF
-b7dvT3hCge2LyT8dWb5nuJYJuaiOYaxpUmWYfzICD7HDm/1JGOUOD8cjk7G2Aa00
-yWP0e8lQMlQNG8PA5aa8JQsxs5BDGVylZjx2S3h+HmpAoMBe1ySqLPoxIPg9xV1T
-P8alAwCydxdjkSiXK25V
-=uHBi
+iQIcBAEBCAAGBQJS4oYBAAoJEJIMDbyqvv1V6PkQANPY3iHDhCBI/Dbz5M6zz3Xf
+a93RZ12P0uMTyD4xKFIfhD59dskqsCjNZFgYZE2jVrH6laKuXCfuEdFPUJeIxv/Q
+YGcQxMp575hkwYbBgjOqtuj0KsXXH5pX6CKhgzyHO5iVnlsB8LM4R0OsDq2CYWPb
+cGRjJtVG69vEgfSxMuv3cBYeTFdQyXWYNAVlK+pqGkTjHWxV13tlLXY03IagZchU
+j13CycbkGP48Cfii/NTf+riGDOr3Mpx9FkcUE78K+niMHsTu90IDOnQqObFeLK5B
+IaNDFoCBAjdstNradd+26Whi7gSugAVATUm53HFIn89E7ZsUM0ikcv5oCQ5hVI6L
+nJpV+cefeZBOI5W1oBOm1A24oCpTsDaHF4ahKLMDwTt0llQO/q182jceSfg1nYw6
+0sXm53Z5Sqx0Yv1OaC558aw8OExvEN5gbHzrwnXLpeolwfElODjOKEM1PkUa5evj
+OuGRGfPwbW8/8qY5CGMMUYT+oXLOYRUXrt1xT0zNvvjJ1i8S8JXe2hmPGTVa1jMm
+EQOLCix2kfB/c+u27GSkFvsQxTrJwkZyr4m81l2j+ilevIyQnERi3RNMtLLY1lik
+78ccuT0gVcAmkfIOhEHWruqbqbaxzgT3zVnq1B2mIZRs1TNBYiYmihTjEijCcriv
+o6JfxpmzvIqeQ4E3mrCd
+=8koI
 -----END PGP SIGNATURE-----
diff --git a/app-emulation/xen/files/xen-4-XSA-83.patch b/app-emulation/xen/files/xen-4-XSA-83.patch
new file mode 100644
index 000000000000..209c38b93d59
--- /dev/null
+++ b/app-emulation/xen/files/xen-4-XSA-83.patch
@@ -0,0 +1,20 @@
+x86/irq: avoid use-after-free on error path in pirq_guest_bind()
+
+This is XSA-83.
+
+Coverity-ID: 1146952
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/irq.c
++++ b/xen/arch/x86/irq.c
+@@ -1590,8 +1590,7 @@ int pirq_guest_bind(struct vcpu *v, stru
+             printk(XENLOG_G_INFO
+                    "Cannot bind IRQ%d to dom%d. Out of memory.\n",
+                    pirq->pirq, v->domain->domain_id);
+-            rc = -ENOMEM;
+-            goto out;
++            return -ENOMEM;
+         }
+ 
+         action = newaction;
diff --git a/app-emulation/xen/files/xen-4.2-XSA-87.patch b/app-emulation/xen/files/xen-4.2-XSA-87.patch
new file mode 100644
index 000000000000..494cf5e2bf5d
--- /dev/null
+++ b/app-emulation/xen/files/xen-4.2-XSA-87.patch
@@ -0,0 +1,21 @@
+x86: PHYSDEVOP_{prepare,release}_msix are privileged
+
+Yet this wasn't being enforced.
+
+This is XSA-87.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/physdev.c
++++ b/xen/arch/x86/physdev.c
+@@ -612,7 +612,9 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
+     case PHYSDEVOP_release_msix: {
+         struct physdev_pci_device dev;
+ 
+-        if ( copy_from_guest(&dev, arg, 1) )
++        if ( !IS_PRIV(v->domain) )
++            ret = -EPERM;
++        else if ( copy_from_guest(&dev, arg, 1) )
+             ret = -EFAULT;
+         else
+             ret = pci_prepare_msix(dev.seg, dev.bus, dev.devfn,
diff --git a/app-emulation/xen/files/xen-4.3-XSA-87.patch b/app-emulation/xen/files/xen-4.3-XSA-87.patch
new file mode 100644
index 000000000000..3c31ed5d9f66
--- /dev/null
+++ b/app-emulation/xen/files/xen-4.3-XSA-87.patch
@@ -0,0 +1,23 @@
+x86: PHYSDEVOP_{prepare,release}_msix are privileged
+
+Yet this wasn't being enforced.
+
+This is XSA-87.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- 2014-01-14.orig/xen/arch/x86/physdev.c	2013-11-18 11:03:37.000000000 +0100
++++ 2014-01-14/xen/arch/x86/physdev.c	2014-01-22 12:47:47.000000000 +0100
+@@ -640,7 +640,10 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
+         if ( copy_from_guest(&dev, arg, 1) )
+             ret = -EFAULT;
+         else
+-            ret = pci_prepare_msix(dev.seg, dev.bus, dev.devfn,
++            ret = xsm_resource_setup_pci(XSM_PRIV,
++                                         (dev.seg << 16) | (dev.bus << 8) |
++                                         dev.devfn) ?:
++                  pci_prepare_msix(dev.seg, dev.bus, dev.devfn,
+                                    cmd != PHYSDEVOP_prepare_msix);
+         break;
+     }
diff --git a/app-emulation/xen/xen-4.2.2-r3.ebuild b/app-emulation/xen/xen-4.2.2-r3.ebuild
new file mode 100644
index 000000000000..4d59d8294604
--- /dev/null
+++ b/app-emulation/xen/xen-4.2.2-r3.ebuild
@@ -0,0 +1,144 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.2.2-r3.ebuild,v 1.1 2014/01/24 15:25:38 dlan Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python{2_6,2_7} )
+
+if [[ $PV == *9999 ]]; then
+	KEYWORDS=""
+	REPO="xen-unstable.hg"
+	EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
+	S="${WORKDIR}/${REPO}"
+	live_eclass="mercurial"
+else
+	KEYWORDS="~amd64 ~x86"
+	SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
+fi
+
+inherit mount-boot flag-o-matic python-any-r1 toolchain-funcs eutils ${live_eclass}
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="custom-cflags debug efi flask pae xsm"
+
+DEPEND="${PYTHON_DEPS}
+	efi? ( >=sys-devel/binutils-2.22[multitarget] )
+	!efi? ( >=sys-devel/binutils-2.22[-multitarget] )"
+RDEPEND=""
+PDEPEND="~app-emulation/xen-tools-${PV}"
+
+RESTRICT="test"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+REQUIRED_USE="
+	flask? ( xsm )
+	"
+
+#Security patches
+XSA_PATCHES=(
+	"${FILESDIR}"/${PN}-4-CVE-2013-1918-XSA-45_[1-7].patch
+	"${FILESDIR}"/${PN}-4.2-2013-2076-XSA-52to54.patch
+	"${FILESDIR}"/${PN}-4.2-CVE-2013-1432-XSA-58.patch
+	"${FILESDIR}"/${PN}-4.2-CVE-2013-4553-XSA-74.patch
+	"${FILESDIR}"/${PN}-CVE-2013-4554-XSA-76.patch
+	"${FILESDIR}"/${PN}-CVE-2013-6400-XSA-80.patch
+	"${FILESDIR}"/${PN}-4-XSA-83.patch						#bug #499054
+	"${FILESDIR}"/${PN}-4.2-XSA-87.patch					#bug #499124
+)
+
+pkg_setup() {
+	python-any-r1_pkg_setup
+	if [[ -z ${XEN_TARGET_ARCH} ]]; then
+		if use x86 && use amd64; then
+			die "Confusion! Both x86 and amd64 are set in your use flags!"
+		elif use x86; then
+			export XEN_TARGET_ARCH="x86_32"
+		elif use amd64; then
+			export XEN_TARGET_ARCH="x86_64"
+		else
+			die "Unsupported architecture!"
+		fi
+	fi
+
+	if use flask ; then
+		export "XSM_ENABLE=y"
+		export "FLASK_ENABLE=y"
+	elif use xsm ; then
+		export "XSM_ENABLE=y"
+	fi
+}
+
+src_prepare() {
+	# Drop .config and fix gcc-4.6
+	epatch  "${FILESDIR}"/${PN/-pvgrub/}-4-fix_dotconfig-gcc.patch
+
+	if use efi; then
+		epatch "${FILESDIR}"/${PN}-4.2-efi.patch
+		export EFI_VENDOR="gentoo"
+		export EFI_MOUNTPOINT="boot"
+	fi
+
+	# if the user *really* wants to use their own custom-cflags, let them
+	if use custom-cflags; then
+		einfo "User wants their own CFLAGS - removing defaults"
+		# try and remove all the default custom-cflags
+		find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+			-i {} \; || die "failed to re-set custom-cflags"
+	fi
+
+	# not strictly necessary to fix this
+	sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py"
+
+	[[ ${XSA_PATCHES[@]} ]] && epatch "${XSA_PATCHES[@]}"
+	epatch_user
+}
+
+src_configure() {
+	use debug && myopt="${myopt} debug=y"
+	use pae && myopt="${myopt} pae=y"
+
+	if use custom-cflags; then
+		filter-flags -fPIE -fstack-protector
+		replace-flags -O3 -O2
+	else
+		unset CFLAGS
+	fi
+}
+
+src_compile() {
+	# Send raw LDFLAGS so that --as-needed works
+	emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt}
+}
+
+src_install() {
+	local myopt
+	use debug && myopt="${myopt} debug=y"
+	use pae && myopt="${myopt} pae=y"
+
+	# The 'make install' doesn't 'mkdir -p' the subdirs
+	if use efi; then
+		mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die
+	fi
+
+	emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install
+}
+
+pkg_postinst() {
+	elog "Official Xen Guide and the unoffical wiki page:"
+	elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+	elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+	use pae && ewarn "This is a PAE build of Xen. It will *only* boot PAE kernels!"
+	use efi && einfo "The efi executable is installed in boot/efi/gentoo"
+}
diff --git a/app-emulation/xen/xen-4.3.1-r4.ebuild b/app-emulation/xen/xen-4.3.1-r4.ebuild
new file mode 100644
index 000000000000..c3bae933263c
--- /dev/null
+++ b/app-emulation/xen/xen-4.3.1-r4.ebuild
@@ -0,0 +1,143 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-4.3.1-r4.ebuild,v 1.1 2014/01/24 15:25:38 dlan Exp $
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 )
+
+if [[ $PV == *9999 ]]; then
+	KEYWORDS=""
+	REPO="xen-unstable.hg"
+	EHG_REPO_URI="http://xenbits.xensource.com/${REPO}"
+	S="${WORKDIR}/${REPO}"
+	live_eclass="mercurial"
+else
+	# Set to match entry in stable 4.3.1-r1, Bug 493944
+	KEYWORDS="~amd64 -x86"
+	SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
+fi
+
+inherit mount-boot flag-o-matic python-any-r1 toolchain-funcs eutils ${live_eclass}
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="custom-cflags debug efi flask xsm"
+
+DEPEND="${PYTHON_DEPS}
+	efi? ( >=sys-devel/binutils-2.22[multitarget] )
+	!efi? ( >=sys-devel/binutils-2.22[-multitarget] )"
+RDEPEND=""
+PDEPEND="~app-emulation/xen-tools-${PV}"
+
+RESTRICT="test"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+REQUIRED_USE="flask? ( xsm )"
+
+# Security patches
+XSA_PATCHES=(
+	"${FILESDIR}"/${PN}-CVE-2013-4375-XSA-71.patch
+	"${FILESDIR}"/${PN}-CVE-2013-4494-XSA-73.patch
+	"${FILESDIR}"/${PN}-4.3-CVE-2013-6375-XSA-75.patch
+	"${FILESDIR}"/${PN}-CVE-2013-6375-XSA-78.patch
+	"${FILESDIR}"/${PN}-CVE-2013-6885-XSA-82.patch
+	"${FILESDIR}"/${PN}-4.3-CVE-2013-4553-XSA-74.patch
+	"${FILESDIR}"/${PN}-CVE-2013-4554-XSA-76.patch
+	"${FILESDIR}"/${PN}-CVE-2013-6400-XSA-80.patch
+	"${FILESDIR}"/${PN}-4-XSA-83.patch					#bug #499054
+	"${FILESDIR}"/${PN}-4.3-XSA-87.patch				#bug #499124
+)
+
+pkg_setup() {
+	python-any-r1_pkg_setup
+	if [[ -z ${XEN_TARGET_ARCH} ]]; then
+		if use x86 && use amd64; then
+			die "Confusion! Both x86 and amd64 are set in your use flags!"
+		elif use x86; then
+			export XEN_TARGET_ARCH="x86_32"
+		elif use amd64; then
+			export XEN_TARGET_ARCH="x86_64"
+		else
+			die "Unsupported architecture!"
+		fi
+	fi
+
+	if use flask ; then
+		export "XSM_ENABLE=y"
+		export "FLASK_ENABLE=y"
+	elif use xsm ; then
+		export "XSM_ENABLE=y"
+	fi
+}
+
+src_prepare() {
+	# Drop .config and fix gcc-4.6
+	epatch  "${FILESDIR}"/${PN/-pvgrub/}-4.3-fix_dotconfig-gcc.patch
+
+	if use efi; then
+		epatch "${FILESDIR}"/${PN}-4.2-efi.patch
+		export EFI_VENDOR="gentoo"
+		export EFI_MOUNTPOINT="boot"
+	fi
+
+	# if the user *really* wants to use their own custom-cflags, let them
+	if use custom-cflags; then
+		einfo "User wants their own CFLAGS - removing defaults"
+		# try and remove all the default custom-cflags
+		find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+			-e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+			-i {} \; || die "failed to re-set custom-cflags"
+	fi
+
+	# not strictly necessary to fix this
+	sed -i 's/, "-Werror"//' "${S}/tools/python/setup.py" || die "failed to re-set setup.py"
+
+	[[ ${XSA_PATCHES[@]} ]] && epatch "${XSA_PATCHES[@]}"
+
+	epatch_user
+}
+
+src_configure() {
+	use debug && myopt="${myopt} debug=y"
+
+	if use custom-cflags; then
+		filter-flags -fPIE -fstack-protector
+		replace-flags -O3 -O2
+	else
+		unset CFLAGS
+	fi
+}
+
+src_compile() {
+	# Send raw LDFLAGS so that --as-needed works
+	emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt}
+}
+
+src_install() {
+	local myopt
+	use debug && myopt="${myopt} debug=y"
+
+	# The 'make install' doesn't 'mkdir -p' the subdirs
+	if use efi; then
+		mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die
+	fi
+
+	emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install
+}
+
+pkg_postinst() {
+	elog "Official Xen Guide and the unoffical wiki page:"
+	elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+	elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+	use efi && einfo "The efi executable is installed in boot/efi/gentoo"
+}