[Pkg-xen-devel] Bug#487095: Bug#487095: xen-3: multiple security issues

Nico Golde nion at debian.org
Thu Jun 19 19:41:14 UTC 2008


reopen 487095
reopen 487097
thanks

Hi,
since you thought it's necessary to complain to me about 
this bug report on IRC I'm replying to this bug now as well.

> On Thu, Jun 19, 2008 at 04:56:54PM +0200, Thomas Bläsing wrote:
> > CVE-2008-1943[0]:
> > | Buffer overflow in the backend of XenSource Xen Para Virtualized Frame
> > | Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial
> > | of service (crash) and possibly execute arbitrary code via a crafted
> > | description of a shared framebuffer.
> 
> 3.1.2 < 3.2
> 
> > CVE-2008-1944[1]:
> > | Buffer overflow in the backend framebuffer of XenSource Xen
> > | Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows
> > | local users to cause a denial of service (SDL crash) and possibly
> > | execute arbitrary code via "bogus screen updates," related to missing
> > | validation of the "format of messages."
> 
> 3.0.3 < 3.2

The version numbers in the CVE id report don't say anything about later
versions not being affected. Those are the versions that were affected when the
initial bug was reported. I guess Thomas checked the source code and came to the
conclusion they are not yet fixed so I reopen those two bugs.

> > CVE-2008-1952[2]:
> > | ** RESERVED **
> > | This candidate has been reserved by an organization or individual that
> > | will use it when announcing a new security problem.  When the
> > | candidate has been publicized, the details for this candidate will be
> > | provided.
> 
> No information.

Looks like this was an accident. I poked the responsible people to update
the text on the mitre site so this should be hopefully available soon.
In the meantime:
| ioemu: Fix PVFB backend to limit frame buffer size
| 
| The recent fix to validate the frontend's frame buffer description
| neglected to limit the frame buffer size correctly. This lets a
| malicious frontend make the backend attempt to map an arbitrary amount
| of guest memory, which could be useful for a denial of service attack
| against dom0.

This is from: http://www.openwall.com/lists/oss-security/2008/05/21/9

> > If you fix the vulnerabilities please also make sure to include the
> > CVE ids in your changelog entry.
> 
> There is nothing to fix.

If you close this bug again please close it with the proper version
numbers and state why the new versions are not affected anymore.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
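The oss-security commit message quoted above describes a backend that validated the frontend's frame buffer description but forgot to bound the total buffer size. The following is an added illustration of such a bound check and is not code from this mail or from Xen's ioemu; the struct fields, limits and sample values are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical frame buffer description as a frontend might supply it.
 * Field names are assumptions for this example, not Xen's real structure. */
struct fb_desc {
    uint32_t width;
    uint32_t height;
    uint32_t depth;        /* bits per pixel */
    uint32_t row_stride;   /* bytes per row */
    uint64_t mem_length;   /* bytes of shared memory the frontend claims */
};

/* Backend-side limits (constructed values for the example). */
#define FB_MAX_WIDTH     2048u
#define FB_MAX_HEIGHT    2048u
#define FB_MAX_MEM_BYTES (16u * 1024u * 1024u)   /* cap on guest memory mapped */

/* Returns true only if the description is internally consistent and the
 * total frame buffer size is bounded, so the backend never maps an
 * arbitrary amount of guest memory on a frontend's say-so. */
bool fb_desc_is_valid(const struct fb_desc *d)
{
    if (d->width == 0 || d->height == 0)
        return false;
    if (d->width > FB_MAX_WIDTH || d->height > FB_MAX_HEIGHT)
        return false;
    if (d->depth != 8 && d->depth != 16 && d->depth != 24 && d->depth != 32)
        return false;

    /* Bytes needed per row; 64-bit arithmetic so the multiply cannot wrap. */
    uint64_t row_bytes = (uint64_t)d->width * d->depth / 8;
    if (d->row_stride < row_bytes)
        return false;

    /* Total buffer size, again in 64-bit so height * stride cannot wrap.
     * This is the check the quoted commit message says was missing. */
    uint64_t total = (uint64_t)d->row_stride * d->height;
    if (total > FB_MAX_MEM_BYTES)
        return false;

    /* The claimed shared-memory length must cover the buffer but must not
     * itself exceed the backend's mapping cap. */
    if (d->mem_length < total || d->mem_length > FB_MAX_MEM_BYTES)
        return false;

    return true;
}
```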