Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 568
Alerts This Week
Warning Icon 1 568

Scientific Linux Xen Important Denial of Service Advisory CVE-2008-1944

Scientific Large Esm H446
Important: xen security and bug fix update
Date: Wed, 14 May 2008 11:00:58 -0500
Reply-To: Troy Dawson 
Sender: Security Errata for Scientific Linux
 
From: Troy Dawson 
Subject: Security ERRATA for xen on SL5.x i386/x86_64
Comments: To: "This email address is being protected from spambots. You need JavaScript enabled to view it."
 

Synopsis:	Important: xen security and bug fix update
Issue date:	2008-05-13
CVE Names:	CVE-2007-3919 CVE-2007-5730 CVE-2008-0928
 CVE-2008-1943 CVE-2008-1944 CVE-2008-2004

Note: Troy Dawson has tested this update on a machine hosting both
paravirtualized and fully virtualized machines, both 32 bit and 64 bit. He did
the update while all the machines were running, none of them had any problems.
 He also tried stopping, starting, and rebooting several of the machines. All
without any problems. We tell you this because updating the xen package, while
running virtual machines, can make you a little nervous.

These updated packages fix the following security issues:

Daniel P. Berrange discovered that the hypervisor's para-virtualized
framebuffer (PVFB) backend failed to validate the format of messages
serving to update the contents of the framebuffer. This could allow a
malicious user to cause a denial of service, or compromise the privileged
domain (Dom0). (CVE-2008-1944)

Markus Armbruster discovered that the hypervisor's para-virtualized
framebuffer (PVFB) backend failed to validate the frontend's framebuffer
description. This could allow a malicious user to cause a denial of
service, or to use a specially crafted frontend to compromise the
privileged domain (Dom0). (CVE-2008-1943)

Chris Wright discovered a security vulnerability in the QEMU block format
auto-detection, when running fully-virtualized guests. Such
fully-virtualized guests, with a raw formatted disk image, were able
to write a header to that disk image describing another format. This could
allow such guests to read arbitrary files in their hypervisor's host.
(CVE-2008-2004)

Ian Jackson discovered a security vulnerability in the QEMU block device
drivers backend. A guest operating system could issue a block device
request and read or write arbitrary memory locations, which could lead to
privilege escalation. (CVE-2008-0928)

Tavis Ormandy found that QEMU did not perform adequate sanity-checking of
data received via the "net socket listen" option. A malicious local
administrator of a guest domain could trigger this flaw to potentially
execute arbitrary code outside of the domain. (CVE-2007-5730)

Steve Kemp discovered that the xenbaked daemon and the XenMon utility
communicated via an insecure temporary file. A malicious local
administrator of a guest domain could perform a symbolic link attack,
causing arbitrary files to be truncated. (CVE-2007-3919)

As well, in the previous xen packages, it was possible for Dom0 to fail to
flush data from a fully-virtualized guest to disk, even if the guest
explicitly requested the flush. This could cause data integrity problems on
the guest. In these updated packages, Dom0 always respects the request to
flush to disk.

SL 5.x

 SRPMS:
xen-3.0.3-41.el5_1.5.src.rpm
 i386:
xen-3.0.3-41.el5_1.5.i386.rpm
xen-devel-3.0.3-41.el5_1.5.i386.rpm
xen-libs-3.0.3-41.el5_1.5.i386.rpm
 x86_64:
xen-3.0.3-41.el5_1.5.x86_64.rpm
xen-devel-3.0.3-41.el5_1.5.i386.rpm
xen-devel-3.0.3-41.el5_1.5.x86_64.rpm
xen-libs-3.0.3-41.el5_1.5.i386.rpm
xen-libs-3.0.3-41.el5_1.5.x86_64.rpm

-Connie Sieh
-Troy Dawson