Nico Golde
2008-Jun-19 19:41 UTC
[Pkg-xen-devel] Bug#487095: Bug#487095: xen-3: multiple security issues
reopen 487095
reopen 487097
thanks

Hi,
since you thought it's necessary to complain to me about this bug report on IRC I'm replying to this bug now as well.

> On Thu, Jun 19, 2008 at 04:56:54PM +0200, Thomas Bläsing wrote:
> > CVE-2008-1943[0]:
> > | Buffer overflow in the backend of XenSource Xen Para Virtualized Frame
> > | Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial
> > | of service (crash) and possibly execute arbitrary code via a crafted
> > | description of a shared framebuffer.
>
> 3.1.2 < 3.2
>
> > CVE-2008-1944[1]:
> > | Buffer overflow in the backend framebuffer of XenSource Xen
> > | Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows
> > | local users to cause a denial of service (SDL crash) and possibly
> > | execute arbitrary code via "bogus screen updates," related to missing
> > | validation of the "format of messages."
>
> 3.0.3 < 3.2

The version numbers in the CVE id report don't say anything about later versions not being affected. Those are the versions that were affected when the initial bug was reported. I guess Thomas checked the source code and came to the conclusion they are not yet fixed so I reopen those two bugs.

> > CVE-2008-1952[2]:
> > | ** RESERVED **
> > | This candidate has been reserved by an organization or individual that
> > | will use it when announcing a new security problem. When the
> > | candidate has been publicized, the details for this candidate will be
> > | provided.
>
> No information.

Looks like this was an accident. I poked the responsible people to update the text on the mitre site so this should be hopefully available soon. In the meantime:

| ioemu: Fix PVFB backend to limit frame buffer size
|
| The recent fix to validate the frontend's frame buffer description
| neglected to limit the frame buffer size correctly. This lets a
| malicious frontend make the backend attempt to map an arbitrary amount
| of guest memory, which could be useful for a denial of service attack
| against dom0.

This is from:
http://www.openwall.com/lists/oss-security/2008/05/21/9

> > If you fix the vulnerabilities please also make sure to include the
> > CVE ids in your changelog entry.
>
> There is nothing to fix.

If you close this bug again please close it with the proper version numbers and state why the new versions are not affected anymore.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
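
The commit message quoted in the mail above describes a backend that validated the frontend's frame buffer description but did not bound its size. The following C sketch of such a check is an added illustration, not code from Xen's ioemu or from this mail; the struct layout, field names, status codes and the 16 MiB cap are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical description a guest frontend hands to the backend. */
struct fb_desc {
    uint32_t width;        /* pixels */
    uint32_t height;       /* pixels */
    uint32_t depth;        /* bits per pixel */
    uint32_t line_length;  /* bytes per scanline */
    uint32_t mem_length;   /* bytes of guest memory the backend would map */
};

#define FB_MAX_BYTES (16u * 1024u * 1024u)   /* assumed backend-side cap */

enum fb_status { FB_OK = 0, FB_BAD_GEOMETRY, FB_TOO_SMALL, FB_TOO_LARGE };

/* Validate an untrusted description before any guest memory is mapped. */
enum fb_status fb_validate(const struct fb_desc *d)
{
    if (d->width == 0 || d->height == 0)
        return FB_BAD_GEOMETRY;
    if (d->depth != 8 && d->depth != 16 && d->depth != 24 && d->depth != 32)
        return FB_BAD_GEOMETRY;

    /* 64-bit arithmetic so width * bytes-per-pixel cannot wrap. */
    uint64_t min_line = (uint64_t)d->width * (d->depth / 8);
    if (d->line_length < min_line)
        return FB_BAD_GEOMETRY;

    /* The size limit: refuse to map more than the backend's cap. */
    if (d->mem_length > FB_MAX_BYTES)
        return FB_TOO_LARGE;

    /* The mapped region must cover every scanline the geometry implies. */
    uint64_t needed = (uint64_t)d->line_length * d->height;
    if (needed > d->mem_length)
        return FB_TOO_SMALL;
    return FB_OK;
}

int main(void)
{
    /* Constructed sample descriptions, not captured from a real guest. */
    struct fb_desc sane = { 800, 600, 32, 3200, 1920000 };
    struct fb_desc huge = { 800, 600, 32, 3200, 0xFFFFFFFFu };
    printf("sane=%d huge=%d\n", fb_validate(&sane), fb_validate(&huge));
    return 0;
}
```

Checking only that the geometry fits inside `mem_length` is not enough: without the cap, a description that is internally consistent can still request an arbitrarily large mapping.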