[Oraclevm-errata] OVMSA-2008-2003: Oracle VM 2.1 xen security update
Errata Announcements for Oracle VM
oraclevm-errata at oss.oracle.com
Wed May 21 17:52:18 PDT 2008
Oracle VM Security Advisory OVMSA-2008-2003
The following updated rpms for Oracle VM Server 2.1 have been uploaded
to the Unbreakable Linux Network:
i386:
xen-devel-3.1.3-0.0.6.el5.i386.rpm
xen-tools-3.1.3-0.0.6.el5.i386.rpm
xen-3.1.3-0.0.6.el5.i386.rpm
xen-pvhvm-devel-3.1.3-0.0.6.el5.i386.rpm
xen-64-3.1.3-0.0.6.el5.noarch.rpm
SRPMS:
http://oss.oracle.com/oraclevm/server/SRPMS-updates/xen-3.1.3-0.0.6.el5.src.rpm
This update addresses the following security issues:

Buffer overflow in the backend of Xen Para Virtualized Frame Buffer
(PVFB) 3.0 through 3.1.3 allows local users to cause a denial of service
(crash) and possibly execute arbitrary code via a crafted description of
a shared framebuffer.

The drive_init function in QEMU 0.9.1 determines the format of a raw
disk image based on the header, which allows local guest users to read
arbitrary files on the host by modifying the header to identify a
different format, which is used when the guest is restarted.

QEMU 0.9.1 and earlier does not perform range checks for block device
read or write requests, which allows guest host users with root
privileges to access arbitrary memory and escape the virtual machine.

Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly
other products, allows local users to execute arbitrary code via crafted
data in the "net socket listen" option, aka QEMU "net socket" heap
overflow.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1943
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2004
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0928
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5730
Description of changes:
[3.1.3-0.0.6.el5]
- Disable QEMU image format auto-detection CVE-2008-2004 (armbru at redhat.com)
- Fix PVFB to validate frame buffer description (armbru at redhat.com)
- Fix PVFB to cope with bogus update requests (armbru at redhat.com)
- Fix QEMU buffer overflow CVE-2007-5730 (berrange at redhat.com)
- Fix QEMU block device extents checking CVE-2008-0928 (berrange at redhat.com)
- Fix FV O_DIRECT flushing (clalance at redhat.com)
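
For hosts still waiting on this update, the header-based format detection behind CVE-2008-2004 can be audited by checking whether any disk configured as raw begins with another image format's magic bytes. The following is an added example, not part of the advisory or of the Xen/QEMU code; the function names, file labels and sample bytes are constructed for illustration, and the magic list is an illustrative subset taken from the public format definitions.

```python
import io

# Leading magic values of image formats that header-based probing can match.
# Assumption: illustrative subset, not the full driver list of any QEMU build.
FOREIGN_MAGIC = {
    b"QFI\xfb": "qcow/qcow2",
    b"KDMV": "vmdk (v4)",
    b"COWD": "vmdk (v3)",
    b"conectix": "vpc/vhd",
}


def probe_header(stream):
    """Return the format a header probe would report, or None for plain raw."""
    head = stream.read(8)
    for magic, name in FOREIGN_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def audit_images(images):
    """images: mapping of label -> binary stream for disks configured as raw.

    Returns {label: detected_format} for every image whose first bytes would
    make a probing backend treat it as something other than raw.
    """
    findings = {}
    for label, stream in images.items():
        detected = probe_header(stream)
        if detected is not None:
            findings[label] = detected
    return findings


# Constructed sample inputs (not real guest disks): a boot-sector style raw
# image, and a raw image whose first bytes carry another format's magic.
raw_disk = io.BytesIO(b"\xeb\x63\x90" + b"\x00" * 507 + b"\x55\xaa")
relabelled = io.BytesIO(b"QFI\xfb" + b"\x00" * 508)

if __name__ == "__main__":
    sample = {"guest-a.img": raw_disk, "guest-b.img": relabelled}
    for label, fmt in audit_images(sample).items():
        print(f"{label}: configured raw, header probes as {fmt}")
```

A finding means the image should be investigated before the guest is restarted; with the updated packages the format is no longer inferred from the header.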