Date: Thu, 18 Apr 2013 15:16:15 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 50 (CVE-2013-1964) - grant table hypercall acquire/release imbalance

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Xen Security Advisory CVE-2013-1964 / XSA-50

grant table hypercall acquire/release imbalance

ISSUE DESCRIPTION
=================

When releasing a non-v1 non-transitive grant after doing a grant copy
operation, Xen incorrectly recurses (as if for a transitive grant) and
releases an unrelated grant reference.

IMPACT
======

A malicious guest administrator can cause undefined behaviour;
depending on the dom0 kernel a host crash is possible, but information
leakage or privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

Xen 4.0 and 4.1 are vulnerable. Any kind of guest can trigger the
vulnerability.

Xen 4.2 and xen-unstable, as well as Xen 3.x and earlier, are not
vulnerable.

MITIGATION
==========

Using only trustworthy guest kernels will avoid the vulnerability.

Using a debug build of Xen will eliminate the possible information
leak or privilege violation; instead, if the vulnerability is
attacked, Xen will crash.

NOTE REGARDING EMBARGO
======================

A crash resulting from this bug has been reported by a user on the
public xen-devel mailing list. There is therefore no embargo.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa50-4.1.patch

$ sha256sum xsa50-*.patch
29f76073311a372dd30dd4788447850465d2575d5ff7b2c10912a69e4941fb21  xsa50-4.1.patch
$

Download attachment "xsa50-4.1.patch" of type "application/octet-stream" (6789 bytes)
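
A simplified model of the acquire/release imbalance described under ISSUE DESCRIPTION, added here as an illustration; it is not Xen code and not the attached patch. The struct fields, the function names and the stale trans_ref value are assumptions made for the model.

```c
/* Simplified model of the imbalance; NOT Xen source. All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct grant {
    int  version;     /* grant table version: 1 or 2 */
    bool transitive;  /* meaningful only for non-v1 grants */
    int  trans_ref;   /* forwarded-to grant; stale when !transitive (assumption) */
    int  pin;         /* outstanding acquires */
};

static struct grant table[3];

/* Acquire pins the grant and follows trans_ref only for transitive grants. */
static void acquire_for_copy(int ref)
{
    struct grant *g = &table[ref];
    g->pin++;
    if (g->version != 1 && g->transitive)
        acquire_for_copy(g->trans_ref);
}

/* Release must mirror acquire. With check_transitive == false it recurses
 * for every non-v1 grant, which is the imbalance the advisory describes. */
static void release_for_copy(int ref, bool check_transitive)
{
    struct grant *g = &table[ref];
    g->pin--;
    if (g->version != 1 && (g->transitive || !check_transitive))
        release_for_copy(g->trans_ref, check_transitive);
}

/* Copy via grant 0 (v2, non-transitive) while grant 2 is pinned by another
 * user; returns grant 2's pin count afterwards (1 means balanced). */
static int unrelated_pin_after_copy(bool check_transitive)
{
    table[0] = (struct grant){ .version = 2, .transitive = false, .trans_ref = 2 };
    table[2] = (struct grant){ .version = 1, .pin = 1 };
    acquire_for_copy(0);
    release_for_copy(0, check_transitive);
    return table[2].pin;
}

int main(void)
{
    printf("unbalanced release: unrelated pin = %d\n", unrelated_pin_after_copy(false));
    printf("balanced release:   unrelated pin = %d\n", unrelated_pin_after_copy(true));
    return 0;
}
```

In the unbalanced case grant 2 ends with a pin count of 0 although its holder never released it; with the transitive check applied on release the count stays at 1.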