Bug 447759 (CVE-2008-1952)

Summary: CVE-2008-1952 qemu/xen/kvm: ioemu: Fix PVFB backend to limit frame buffer size
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Version: unspecified
CC: armbru, bburns, berrange, chrisw, clalance
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-09-11 09:01:20 UTC
Bug Depends On: 447760, 447761

Description Jan Lieskovsky 2008-05-21 16:55:10 UTC
Description of problem:

The recent fix to validate the frontend's frame buffer description
neglected to limit the frame buffer size correctly. This lets a
malicious frontend make the backend attempt to map an arbitrary amount
of guest memory, which could be useful for a denial of service attack
against dom0.

Proposed upstream patch:

http://xenbits.xensource.com/xen-unstable.hg?rev/9044705960cb30cec385bdca7305bcf7db096721
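
An added illustration of the kind of check the description refers to (this is not the upstream Xen patch and not code from this bug report): a backend validates an untrusted frame buffer description against its own size cap before deciding how many pages to map. The struct layout, the function name and the 16 MiB limit are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096u

/* Hypothetical frame buffer description received from an untrusted frontend. */
struct fb_desc {
    uint32_t width, height, depth;  /* pixels, pixels, bits per pixel */
    uint32_t row_stride, offset;    /* bytes */
    uint64_t fb_len;                /* bytes the frontend asks the backend to map */
};

/* Returns the number of pages the backend may map, or 0 to reject.
 * fb_len_lim is the backend's own cap (assumed to come from host configuration). */
size_t fb_pages_to_map(const struct fb_desc *d, uint64_t fb_len_lim)
{
    if (d->depth != 8 && d->depth != 16 && d->depth != 24 && d->depth != 32)
        return 0;
    if (d->width == 0 || d->height == 0)
        return 0;
    /* Size cap first: a self-consistent but huge description is still refused. */
    if (d->fb_len == 0 || d->fb_len > fb_len_lim)
        return 0;
    /* 32-bit inputs widened to 64 bits, so these products and sums cannot wrap. */
    uint64_t min_stride = (uint64_t)d->width * (d->depth / 8);
    if (d->row_stride < min_stride)
        return 0;
    uint64_t needed = (uint64_t)d->height * d->row_stride + d->offset;
    if (needed > d->fb_len)
        return 0;
    return (size_t)(d->fb_len / PAGE_SIZE + (d->fb_len % PAGE_SIZE != 0));
}

int main(void)
{
    /* Constructed samples: a plausible 800x600x32 mode and an oversized request. */
    struct fb_desc ok  = { 800, 600, 32, 3200, 0, 800u * 600u * 4u };
    struct fb_desc big = { 800, 600, 32, 3200, 0, 1ULL << 40 };
    uint64_t lim = 16u << 20;  /* 16 MiB cap, an assumed value */

    printf("ok:  %zu pages\n", fb_pages_to_map(&ok, lim));
    printf("big: %zu pages\n", fb_pages_to_map(&big, lim));
    return 0;
}
```

Without the cap, the second description passes every geometry check, because its declared length comfortably covers the 800x600 mode; the cap on `fb_len` is the only check that rejects it.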

Comment 2 Jan Lieskovsky 2008-05-21 17:59:32 UTC
This fix is a sophisticated solution (another catch) for CVE-2008-1943.

Comment 3 Chris Lalancette 2009-09-11 09:01:20 UTC
This is fixed in all the relevant streams, so closing this tracker as CURRENTRELEASE.

Chris Lalancette