Bug 443078 (CVE-2008-1943)
| Field | Value |
|---|---|
| Summary | CVE-2008-1943 PVFB backend fails to validate frontend's framebuffer description |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Markus Armbruster <armbru> |
| Assignee | Red Hat Product Security <security-response-team> |
| QA Contact | Martin Jenner <mjenner> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | bburns, benl, berrange, mgahagan, security-response-team, xen-maint |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2010-12-23 17:46:21 UTC |
| Bug Depends On | 443376, 443377, 443585 |

Description
Markus Armbruster
2008-04-18 15:12:17 UTC
Created attachment 302934
Proposed fix
The fix makes the backend validate the framebuffer description presented by the
frontend on its shared page on initialization. Code executing after
initialization is not touched.
All frontends we've shipped so far present the same, fixed set of parameters,
which validates fine.
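
An added example, not the attached patch and not the project's code, of the kind of initialization-time check the description above refers to: the backend snapshots the frontend's framebuffer description and rejects inconsistent geometry. The struct `fb_desc`, its field names, the cap `FB_LEN_LIMIT` and the function name are assumptions made for illustration.

```c
#include <stdint.h>

/* Hypothetical framebuffer description as a frontend might place it on the
 * shared page. Field names are assumptions, not taken from the bug report. */
struct fb_desc {
    uint32_t width;        /* pixels per line */
    uint32_t height;       /* lines */
    uint32_t depth;        /* bits per pixel */
    uint32_t line_length;  /* bytes per line */
    uint32_t mem_length;   /* bytes of framebuffer the frontend claims */
};

/* Assumed backend-side cap on how much guest memory it agrees to map. */
#define FB_LEN_LIMIT (16u * 1024u * 1024u)

/* Validate once, at initialization. The shared page stays writable by the
 * guest, so snapshot it first and use only the snapshot afterwards.
 * Returns 0 and fills *out on success, -1 if the description is rejected. */
int fb_desc_validate(const volatile struct fb_desc *shared, struct fb_desc *out)
{
    struct fb_desc d;

    d.width = shared->width;
    d.height = shared->height;
    d.depth = shared->depth;
    d.line_length = shared->line_length;
    d.mem_length = shared->mem_length;

    /* Checked first: later divisions rely on depth / 8 being non-zero. */
    if (d.depth != 8 && d.depth != 16 && d.depth != 24 && d.depth != 32)
        return -1;
    if (d.mem_length == 0 || d.mem_length > FB_LEN_LIMIT)
        return -1;
    if (d.line_length == 0 || d.line_length > d.mem_length)
        return -1;
    /* Compare by division: width * bytes-per-pixel could wrap in 32 bits. */
    if (d.width == 0 || d.width > d.line_length / (d.depth / 8))
        return -1;
    if (d.height == 0 || d.height > d.mem_length / d.line_length)
        return -1;

    *out = d;
    return 0;
}
```

Code that runs after initialization should read only the validated copy in `*out`, never the shared page again.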

This issue is enhanced by the CVE-2008-1952 (another size limit check added).

Public paper about exploitation of this flaw:
http://marc.info/?l=dailydave&m=122407972124773&w=2
http://invisiblethingslab.com/pub/xenfb-adventures-10.pdf

This was addressed via:
Red Hat Enterprise Linux version 5 (RHSA-2008:0194)
RHEL Virtualization version 5 (RHSA-2008:0194)