Package: xen
Severity: important
Tags: security
Justification: user security hole

Hi,
This issue is still unfixed in Wheezy:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2625

Patch:
http://xenbits.xensource.com/hg/xen-unstable.hg/rev/60f09d1ab1fe

Cheers,
Moritz
Debian Bug Tracking System
2012-Sep-19 15:51 UTC
[Pkg-xen-devel] Bug#688125: marked as done (xen: CVE-2012-2625)
Your message dated Wed, 19 Sep 2012 17:47:51 +0200
with message-id <20120919154751.GA23398 at wavehammer.waldi.eu.org>
and subject line Re: [Pkg-xen-devel] Bug#688125: xen: CVE-2012-2625
has caused the Debian Bug report #688125,
regarding xen: CVE-2012-2625
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
688125: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688125
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Moritz Muehlenhoff <jmm at inutil.org>
Subject: xen: CVE-2012-2625
Date: Wed, 19 Sep 2012 17:33:41 +0200
Size: 2020
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20120919/7c0e2944/attachment.mht>

-------------- next part --------------
An embedded message was scrubbed...
From: Bastian Blank <waldi at debian.org>
Subject: Re: [Pkg-xen-devel] Bug#688125: xen: CVE-2012-2625
Date: Wed, 19 Sep 2012 17:47:51 +0200
Size: 1954
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20120919/7c0e2944/attachment-0001.mht>
Ian Campbell
2012-Sep-21 08:40 UTC
[Pkg-xen-devel] Bug#688125: Bug#688125: marked as done (xen: CVE-2012-2625)
On Wed, 2012-09-19 at 15:51 +0000, Debian Bug Tracking System wrote:
> > On Wed, Sep 19, 2012 at 05:33:41PM +0200, Moritz Muehlenhoff wrote:
> > > This issue is still unfixed in Wheezy:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2625
> > > http://xenbits.xensource.com/hg/xen-unstable.hg/rev/60f09d1ab1fe
> >
> > Two different problems. No known patch for the first one.

Wrong. 60f09d1ab1fe is the fix for precisely the issue described in
CVE-2012-2625.

If you think there is another issue then please tell us about it (on
security at xen.org if you prefer).

Ian.

--
Ian Campbell
Current Noise: Bastard Priest - Evil Pain

Give me a sleeping pill and tell me your troubles.
Debian Bug Tracking System
2012-Oct-07 16:09 UTC
[Pkg-xen-devel] Bug#688125: marked as done (xen: CVE-2012-2625)
Your message dated Sun, 7 Oct 2012 18:07:31 +0200
with message-id <20121007160730.GA11972 at wavehammer.waldi.eu.org>
and subject line Re: [Pkg-xen-devel] Bug#688125: Bug#688125: Bug#688125: marked as done (xen: CVE-2012-2625)
has caused the Debian Bug report #688125,
regarding xen: CVE-2012-2625
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
688125: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688125
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Moritz Muehlenhoff <jmm at inutil.org>
Subject: xen: CVE-2012-2625
Date: Wed, 19 Sep 2012 17:33:41 +0200
Size: 2020
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20121007/0f8d65b6/attachment.mht>

-------------- next part --------------
An embedded message was scrubbed...
From: Bastian Blank <waldi at debian.org>
Subject: Re: [Pkg-xen-devel] Bug#688125: Bug#688125: Bug#688125: marked as done (xen: CVE-2012-2625)
Date: Sun, 7 Oct 2012 18:07:31 +0200
Size: 2553
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20121007/0f8d65b6/attachment-0001.mht>
Moritz Muehlenhoff
2012-Oct-29 08:38 UTC
[Pkg-xen-devel] Bug#688125: Bug#688125: Bug#688125: Bug#688125: marked as done (xen: CVE-2012-2625)
reopen 688125
retitle 688125 CVE-2012-2625 / CVE-2012-4544
thanks

On Sun, Oct 07, 2012 at 06:07:31PM +0200, Bastian Blank wrote:
> On Fri, Sep 21, 2012 at 02:23:13PM +0200, Bastian Blank wrote:
> > The referenced bug marked with CVE-2012-2625 speaks about the pv loader
> > for bzip2 and lzma kernels. This loader is implemented in libxenctrl and
> > the hypervisor for dom0. I see no mitigation in this code against large
> > decompressed files. Plus there is an integer overflow.
> >
> > 60f09d1ab1fe fixes reading too large files from guest filesystems using
> > pygrub.
>
> I received no further information. Please reopen _after_ you figured
> out, which one this is and this information got published in the CVE
> list.

Please see http://lists.xen.org/archives/html/xen-devel/2012-10/msg02015.html
for clarification

Cheers,
Moritz
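
The quoted text above names a missing mitigation against large decompressed bzip2 and lzma files. The following is an added example, not code from Xen, Debian or any message in this thread, of capping decompressed output before it is buffered; `bounded_decompress`, `DecompressedTooLarge` and the limit values are assumptions chosen for illustration.

```python
import bz2
import lzma


class DecompressedTooLarge(Exception):
    """Raised when the stream would expand past the configured cap."""


def bounded_decompress(blob: bytes, fmt: str, limit: int,
                       chunk: int = 64 * 1024) -> bytes:
    """Decompress an untrusted bzip2/lzma blob, never buffering more
    than limit + 1 bytes of output (hypothetical helper)."""
    if fmt == "bzip2":
        dec = bz2.BZ2Decompressor()
    elif fmt == "lzma":
        dec = lzma.LZMADecompressor()  # auto-detects .xz and legacy .lzma
    else:
        raise ValueError("unsupported format: %r" % fmt)

    out = bytearray()
    data = blob
    while not dec.eof:
        # Request at most one byte beyond the remaining budget: enough to
        # detect an overshoot without inflating the rest of the stream.
        budget = limit - len(out) + 1
        piece = dec.decompress(data, max_length=min(chunk, budget))
        data = b""  # the decompressor keeps unconsumed input internally
        out += piece
        if len(out) > limit:
            raise DecompressedTooLarge(
                "output exceeds %d bytes, refusing to continue" % limit)
        if not piece and dec.needs_input:
            # No output, no end-of-stream marker, and nothing left to feed.
            raise ValueError("compressed stream is truncated")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample input: 8 MiB of zeros shrinks to a tiny blob.
    bomb = bz2.compress(bytes(8 * 1024 * 1024))
    try:
        bounded_decompress(bomb, "bzip2", limit=1024 * 1024)
    except DecompressedTooLarge as exc:
        print("rejected %d-byte input: %s" % (len(bomb), exc))
```

The cap is enforced on output produced, not on the compressed input size, so a small blob with a large expansion ratio is rejected after at most `limit + 1` bytes have been buffered.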
Debian Bug Tracking System
2013-Jan-31 14:18 UTC
[Pkg-xen-devel] Bug#688125: marked as done (CVE-2012-2625 / CVE-2012-4544)
Your message dated Thu, 31 Jan 2013 15:14:50 +0100
with message-id <20130131141450.GA22390 at waldi.eu.org>
and subject line fixed
has caused the Debian Bug report #688125,
regarding CVE-2012-2625 / CVE-2012-4544
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
688125: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688125
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Moritz Muehlenhoff <jmm at inutil.org>
Subject: xen: CVE-2012-2625
Date: Wed, 19 Sep 2012 17:33:41 +0200
Size: 2020
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20130131/57801992/attachment.mht>

-------------- next part --------------
An embedded message was scrubbed...
From: Bastian Blank <waldi at debian.org>
Subject: fixed
Date: Thu, 31 Jan 2013 15:14:50 +0100
Size: 1410
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20130131/57801992/attachment-0001.mht>