Bug 696927 (CVE-2011-1583, CVE-2011-3262)

Summary: CVE-2011-1583 CVE-2011-3262 xen: insufficiencies in pv kernel image validation
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: drjones, lersek, mrezanin, pbonzini, security-response-team, tburke, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-30 12:51:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 696938, 696939    
Bug Blocks:    

Description Petr Matousek 2011-04-15 10:37:25 UTC 
CVE-2011-1583
It has been found that xc_try_bzip2_decode() and xc_try_lzma_decode() decode routines did not properly check for possible buffer size overflow in the decoding loop. Specially crafted kernel image file could be created that would trigger allocation of a small buffer resulting in buffer overflow with user supplied data.

CVE-2011-3262
Additionally, several integer overflows and lack of error/range checking that could result in the loader reading its own address space or could lead to an infinite loop have been found.

A privileged DomU user could use these flaws to cause denial of service or, possibly, execute arbitrary code in Dom0.


Only management domains with 32-bit userland are vulnerable.
Comment 11 Laszlo Ersek 2011-04-22 08:44:55 UTC 
Created attachment 494129 [details]
5.7 backport of Xen Unstable upstream patch
Comment 19 Petr Matousek 2011-05-09 10:56:45 UTC 
Statement:

This issue did not affect the versions of the Xen package as shipped with Red Hat Enterprise Linux 4 and 6. This has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2011-0496.html.
Comment 20 errata-xmlrpc 2011-05-09 15:50:56 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0496 https://rhn.redhat.com/errata/RHSA-2011-0496.html