Debian Bug report logs - #487095
xen-3: multiple security issues


Package: xen-3; Maintainer for xen-3 is (unknown);

Reported by: Thomas Bläsing <thomasbl@pool.math.tu-berlin.de>

Date: Thu, 19 Jun 2008 15:00:02 UTC

Severity: grave

Tags: patch, security

Found in version xen-3/3.2.1-1

Fixed in version xen-3/3.2.1-2

Done: Bastian Blank <waldi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#487095; Package xen-3.

Acknowledgement sent to Thomas Bläsing <thomasbl@pool.math.tu-berlin.de>:
New Bug report received and forwarded. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Thomas Bläsing <thomasbl@pool.math.tu-berlin.de>
To: submit@bugs.debian.org
Subject: xen-3: multiple security issues
Date: Thu, 19 Jun 2008 16:56:54 +0200
Source: xen-3
Version: 3.2.1-1
Severity: grave
Tags: security, patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for xen-3.

CVE-2008-1943[0]:
| Buffer overflow in the backend of XenSource Xen Para Virtualized Frame
| Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial
| of service (crash) and possibly execute arbitrary code via a crafted
| description of a shared framebuffer.

CVE-2008-1944[1]:
| Buffer overflow in the backend framebuffer of XenSource Xen
| Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows
| local users to cause a denial of service (SDL crash) and possibly
| execute arbitrary code via "bogus screen updates," related to missing
| validation of the "format of messages."

CVE-2008-1952[2]:
| ** RESERVED **
| This candidate has been reserved by an organization or individual that
| will use it when announcing a new security problem.  When the
| candidate has been publicized, the details for this candidate will be
| provided.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1943
    http://security-tracker.debian.net/tracker/CVE-2008-1943
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1944
    http://security-tracker.debian.net/tracker/CVE-2008-1944
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1952
    http://security-tracker.debian.net/tracker/CVE-2008-1952

These issues are fixed within the following patch for Fedora:
http://cvs.fedoraproject.org/viewcvs/rpms/xen/F-9/xen-pvfb-validate-fb.patch?view=markup

Kind regards,
Thomas.

[signature.asc (application/pgp-signature, inline)]

Reply sent to Bastian Blank <waldi@debian.org>:
You have taken responsibility.

Notification sent to Thomas Bläsing <thomasbl@pool.math.tu-berlin.de>:
Bug acknowledged by developer.

Message #10 received at 487095-done@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: 487095-done@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#487095: xen-3: multiple security issues
Date: Thu, 19 Jun 2008 20:05:01 +0200
On Thu, Jun 19, 2008 at 04:56:54PM +0200, Thomas Bläsing wrote:
> CVE-2008-1943[0]:
> | Buffer overflow in the backend of XenSource Xen Para Virtualized Frame
> | Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial
> | of service (crash) and possibly execute arbitrary code via a crafted
> | description of a shared framebuffer.

3.1.2 < 3.2

> CVE-2008-1944[1]:
> | Buffer overflow in the backend framebuffer of XenSource Xen
> | Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows
> | local users to cause a denial of service (SDL crash) and possibly
> | execute arbitrary code via "bogus screen updates," related to missing
> | validation of the "format of messages."

3.0.3 < 3.2

> CVE-2008-1952[2]:
> | ** RESERVED **
> | This candidate has been reserved by an organization or individual that
> | will use it when announcing a new security problem.  When the
> | candidate has been publicized, the details for this candidate will be
> | provided.

No information.

> If you fix the vulnerabilities please also make sure to include the
> CVE ids in your changelog entry.

There is nothing to fix.

Bastian

-- 
Deflector shields just came on, Captain.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#487095; Package xen-3.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>.

Message #15 received at 487095@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 487095@bugs.debian.org, 487097@bugs.debian.org
Cc: thomasbl@pool.math.tu-berlin.de
Subject: Re: [Pkg-xen-devel] Bug#487095: xen-3: multiple security issues
Date: Thu, 19 Jun 2008 21:41:14 +0200
reopen 487095
reopen 487097
thanks

Hi,
since you thought it's necessary to complain to me about 
this bug report on IRC I'm replying to this bug now as well.

> On Thu, Jun 19, 2008 at 04:56:54PM +0200, Thomas Bläsing wrote:
> > CVE-2008-1943[0]:
> > | Buffer overflow in the backend of XenSource Xen Para Virtualized Frame
> > | Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial
> > | of service (crash) and possibly execute arbitrary code via a crafted
> > | description of a shared framebuffer.
> 
> 3.1.2 < 3.2
> 
> > CVE-2008-1944[1]:
> > | Buffer overflow in the backend framebuffer of XenSource Xen
> > | Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows
> > | local users to cause a denial of service (SDL crash) and possibly
> > | execute arbitrary code via "bogus screen updates," related to missing
> > | validation of the "format of messages."
> 
> 3.0.3 < 3.2

The version numbers in the CVE id report don't say anything about later
versions not being affected. Those are the versions that were affected when the
initial bug was reported. I guess Thomas checked the source code and came to the
conclusion they are not yet fixed, so I reopen those two bugs.

> > CVE-2008-1952[2]:
> > | ** RESERVED **
> > | This candidate has been reserved by an organization or individual that
> > | will use it when announcing a new security problem.  When the
> > | candidate has been publicized, the details for this candidate will be
> > | provided.
> 
> No information.

Looks like this was an accident. I poked the responsible people to update
the text on the mitre site so this should be hopefully available soon.
In the meantime:
| ioemu: Fix PVFB backend to limit frame buffer size
| 
| The recent fix to validate the frontend's frame buffer description
| neglected to limit the frame buffer size correctly. This lets a
| malicious frontend make the backend attempt to map an arbitrary amount
| of guest memory, which could be useful for a denial of service attack
| against dom0.

This is from: http://www.openwall.com/lists/oss-security/2008/05/21/9

> > If you fix the vulnerabilities please also make sure to include the
> > CVE ids in your changelog entry.
> 
> There is nothing to fix.

If you close this bug again please close it with the proper version
numbers and state why the new versions are not affected anymore.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
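The three CVEs quoted in the first message and the oss-security text Nico pasted above all come down to the same thing: the PVFB backend in dom0 consumed a framebuffer description and screen-update messages written by the guest frontend without bounding them, so a hostile guest could overrun the backend's buffer (CVE-2008-1943, CVE-2008-1944) or make it map an arbitrary amount of guest memory (CVE-2008-1952). The following is an added example of what that validation looks like; it is not Xen's code and not the Fedora patch linked above. The struct layouts, field names and limits (FB_MAX_WIDTH, FB_MAX_MEM and so on) are hypothetical stand-ins, and the inputs in main() are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Limits chosen for this example; a real backend sets its own policy. */
#define FB_PAGE_SIZE   4096u
#define FB_MAX_WIDTH   4096u
#define FB_MAX_HEIGHT  4096u
#define FB_MAX_MEM     (64u * 1024u * 1024u)  /* most guest memory ever mapped */

/* Constructed stand-in for the frontend's shared framebuffer description.
 * Field names are hypothetical; every field is attacker-controlled. */
struct fb_desc {
    uint32_t width;        /* pixels per row */
    uint32_t height;       /* rows */
    uint32_t depth;        /* bits per pixel */
    uint32_t line_length;  /* bytes per row; may exceed width*depth/8 */
    uint32_t mem_length;   /* bytes of framebuffer memory the frontend offers */
};

/* Constructed stand-in for a screen-update message: a rectangle to redraw. */
struct fb_update {
    int32_t x, y, w, h;
};

/* The unhardened shape: trust mem_length and map whatever it says.
 * Kept only to contrast with fb_desc_validate() below. */
size_t fb_pages_unchecked(const struct fb_desc *d)
{
    return ((size_t)d->mem_length + FB_PAGE_SIZE - 1) / FB_PAGE_SIZE;
}

/* Hardened: bound each dimension, do size arithmetic in 64 bits so it cannot
 * wrap, and cap the total before it becomes a map request. On success the
 * page count to map is returned through *pages_out. */
bool fb_desc_validate(const struct fb_desc *d, size_t *pages_out)
{
    if (d->width == 0 || d->height == 0)
        return false;
    if (d->width > FB_MAX_WIDTH || d->height > FB_MAX_HEIGHT)
        return false;
    if (d->depth != 8 && d->depth != 16 && d->depth != 24 && d->depth != 32)
        return false;

    /* One row of pixels must fit in the declared stride. */
    uint64_t row_bytes = (uint64_t)d->width * (d->depth / 8u);
    if (d->line_length < row_bytes)
        return false;

    /* Every row must fit in the memory actually offered. A 32x32-bit
     * product is exact in 64 bits, so this comparison cannot wrap. */
    uint64_t needed = (uint64_t)d->line_length * d->height;
    if (needed > d->mem_length)
        return false;

    /* The offered memory must also stay under the backend's own cap. This is
     * the limit whose absence lets a frontend request an arbitrary mapping. */
    if (d->mem_length > FB_MAX_MEM)
        return false;

    *pages_out = ((size_t)d->mem_length + FB_PAGE_SIZE - 1) / FB_PAGE_SIZE;
    return true;
}

/* Page count for a valid description, 0 for a rejected one. */
size_t fb_pages_checked(const struct fb_desc *d)
{
    size_t pages = 0;
    return fb_desc_validate(d, &pages) ? pages : 0;
}

/* Reject update rectangles that fall outside a validated framebuffer. The
 * "x + w <= width" test is written as "w <= width - x" so it cannot wrap. */
bool fb_update_validate(const struct fb_desc *d, const struct fb_update *u)
{
    if (u->x < 0 || u->y < 0 || u->w <= 0 || u->h <= 0)
        return false;
    if ((uint32_t)u->x >= d->width || (uint32_t)u->y >= d->height)
        return false;
    if ((uint32_t)u->w > d->width - (uint32_t)u->x)
        return false;
    if ((uint32_t)u->h > d->height - (uint32_t)u->y)
        return false;
    return true;
}

int main(void)
{
    /* Constructed inputs: a sane 800x600x32 description and a hostile one
     * that offers 4 GiB of "framebuffer" for the backend to map. */
    struct fb_desc sane = { 800, 600, 32, 3200, 1920000u };
    struct fb_desc hostile = { 800, 600, 32, 3200, 0xFFFFFFFFu };
    struct fb_update past_edge = { 0, 0, 801, 600 };

    printf("sane: %zu pages\n", fb_pages_checked(&sane));
    printf("hostile: unchecked maps %zu pages, checked accepts %zu\n",
           fb_pages_unchecked(&hostile), fb_pages_checked(&hostile));
    printf("801-wide update on 800-wide fb: %s\n",
           fb_update_validate(&sane, &past_edge) ? "accepted" : "rejected");
    return 0;
}
```

The order of the checks matters: the stride and row-count tests catch the overflow class (writes past the mapped buffer), and only after those pass does the mem_length cap decide whether the map request is acceptable at all. Checking mem_length alone, as the text of CVE-2008-1952 describes the earlier fix doing, leaves the first two paths open.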

Reply sent to Bastian Blank <waldi@debian.org>:
You have taken responsibility.

Notification sent to Thomas Bläsing <thomasbl@pool.math.tu-berlin.de>:
Bug acknowledged by developer.

Message #20 received at 487095-close@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: 487095-close@bugs.debian.org
Subject: Bug#487095: fixed in xen-3 3.2.1-2
Date: Sat, 28 Jun 2008 09:47:08 +0000
Source: xen-3
Source-Version: 3.2.1-2

We believe that the bug you reported is fixed in the latest version of
xen-3, which is due to be installed in the Debian FTP archive:

libxen-dev_3.2.1-2_amd64.deb
  to pool/main/x/xen-3/libxen-dev_3.2.1-2_amd64.deb
libxenstore3.0_3.2.1-2_amd64.deb
  to pool/main/x/xen-3/libxenstore3.0_3.2.1-2_amd64.deb
xen-3_3.2.1-2.diff.gz
  to pool/main/x/xen-3/xen-3_3.2.1-2.diff.gz
xen-3_3.2.1-2.dsc
  to pool/main/x/xen-3/xen-3_3.2.1-2.dsc
xen-docs-3.2_3.2.1-2_all.deb
  to pool/main/x/xen-3/xen-docs-3.2_3.2.1-2_all.deb
xen-hypervisor-3.2-1-amd64_3.2.1-2_amd64.deb
  to pool/main/x/xen-3/xen-hypervisor-3.2-1-amd64_3.2.1-2_amd64.deb
xen-utils-3.2-1_3.2.1-2_amd64.deb
  to pool/main/x/xen-3/xen-utils-3.2-1_3.2.1-2_amd64.deb
xenstore-utils_3.2.1-2_amd64.deb
  to pool/main/x/xen-3/xenstore-utils_3.2.1-2_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 487095@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Blank <waldi@debian.org> (supplier of updated xen-3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 28 Jun 2008 11:30:43 +0200
Source: xen-3
Binary: xen-docs-3.2 libxenstore3.0 libxen-dev xenstore-utils xen-utils-3.2-1 xen-hypervisor-3.2-1-amd64 xen-hypervisor-3.2-1-i386 xen-hypervisor-3.2-1-i386-nonpae
Architecture: source all amd64
Version: 3.2.1-2
Distribution: unstable
Urgency: low
Maintainer: Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>
Changed-By: Bastian Blank <waldi@debian.org>
Description: 
 libxen-dev - Public headers and libs for Xen
 libxenstore3.0 - Xenstore communications library for Xen
 xen-docs-3.2 - Documentation for Xen
 xen-hypervisor-3.2-1-amd64 - The Xen Hypervisor on AMD64
 xen-hypervisor-3.2-1-i386 - The Xen Hypervisor on i386
 xen-hypervisor-3.2-1-i386-nonpae - The Xen Hypervisor on i386 without pae
 xen-utils-3.2-1 - XEN administrative tools
 xenstore-utils - Xenstore utilities for Xen
Closes: 474509 476366 487095
Changes: 
 xen-3 (3.2.1-2) unstable; urgency=low
 .
   * Use e2fslibs based ext2 support for pygrub. (closes: #476366)
   * Fix missing checks in pvfb code.
     See CVE-2008-1952. (closes: #487095)
   * Add support for loading bzImage files. (closes: #474509)
   * Enable TLS support in ioemu code.
   * Drop libcrypto usage because of GPL-incompatibility.
   * Remove AES code from blktap drivers. Considered broken.
Checksums-Sha1: 
 c554a791c3f7dc1bed082192d00e37848a88a947 1599 xen-3_3.2.1-2.dsc
 92388212fee2582b2d62df9b9c05a650a02fb3e3 54201 xen-3_3.2.1-2.diff.gz
 1ddc8e09b1ae2db6467b62ad3a2804dc4ab84aca 1198380 xen-docs-3.2_3.2.1-2_all.deb
 fff42ccf3ab065a531230c8a701017bcbba592c3 418614 xen-hypervisor-3.2-1-amd64_3.2.1-2_amd64.deb
 ea5b8522c4077c9e2dafecd4eac3a7de379b910e 197660 libxen-dev_3.2.1-2_amd64.deb
 211fb10460b1282e560ddfe036c971091b7f592b 19360 libxenstore3.0_3.2.1-2_amd64.deb
 6465d930425e260e36debdddba07979c0a192084 1070516 xen-utils-3.2-1_3.2.1-2_amd64.deb
 b358e53c77ede134c0d1c2ab3b4b68fa496792fd 22566 xenstore-utils_3.2.1-2_amd64.deb
Checksums-Sha256: 
 69b20ecc25fef7f04c9547a0608e8a7bce243f27f818280addac979fe1180edd 1599 xen-3_3.2.1-2.dsc
 63d4117c4171f80babeec1ff28cdd5a48c70e894dcaa3869c30aa9e72b77b86e 54201 xen-3_3.2.1-2.diff.gz
 3051f89b77cff4be4b0286a90570fb7ff38cac928c8887f4182c7bcf6e519cb0 1198380 xen-docs-3.2_3.2.1-2_all.deb
 acd6ea5866572979a91924dca7931d2cba7150eb898e5667f447e0769336b227 418614 xen-hypervisor-3.2-1-amd64_3.2.1-2_amd64.deb
 37b50625df1c020555f885ae1dca56e47fa892a922ac113816cd5655dcb16c13 197660 libxen-dev_3.2.1-2_amd64.deb
 8f406296db2af09bc595610b5d8cfaa56c858394928255c97becb7544cffbb36 19360 libxenstore3.0_3.2.1-2_amd64.deb
 4ab689b7bd57b4885b4f131606f34f5b56ad56d5d39d7621eb896657a85cfab7 1070516 xen-utils-3.2-1_3.2.1-2_amd64.deb
 73ff1e710be16f2732caada6a66c6af90541bd94a9444d8dd24073fbdd7fd61e 22566 xenstore-utils_3.2.1-2_amd64.deb
Files: 
 e00ffdb6939f517d8d5afed6b418f051 1599 misc extra xen-3_3.2.1-2.dsc
 df6ffb368b0ce6e3723ec823407bfb52 54201 misc extra xen-3_3.2.1-2.diff.gz
 963fd1aab43d22e745de2a93102ce26f 1198380 doc extra xen-docs-3.2_3.2.1-2_all.deb
 6ac0ceb062f16a781eba3dcb4858b16f 418614 misc extra xen-hypervisor-3.2-1-amd64_3.2.1-2_amd64.deb
 94df8b325e502ee549611e603ec8dac7 197660 libdevel extra libxen-dev_3.2.1-2_amd64.deb
 b85bef2139a4ee76fea154f0edae08b4 19360 libs extra libxenstore3.0_3.2.1-2_amd64.deb
 d10f8282dbf0f254a1f26a5f89ac03e9 1070516 misc extra xen-utils-3.2-1_3.2.1-2_amd64.deb
 4523b836a00dc3f700662c67d72f9256 22566 admin extra xenstore-utils_3.2.1-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkhmBm0ACgkQxWtQqFixGB4ENACeLdidWsyiyy5Gxvs6fSPV+Pbz
57oAnjrl6QRi6xlYQQQBL7b94ulaZ19e
=3U/n
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 02 Aug 2008 07:45:19 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:39:09 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.