Description of problem:
The recent fix to validate the frontend's frame buffer description neglected to limit the frame buffer size correctly. This lets a malicious frontend make the backend attempt to map an arbitrary amount of guest memory, which could be useful for a denial of service attack against dom0.

Proposed upstream patch:
http://xenbits.xensource.com/xen-unstable.hg?rev/9044705960cb30cec385bdca7305bcf7db096721
This fix is a sophisticated solution (another catch) for CVE-2008-1943.
This is fixed in all the relevant streams, so closing this tracker as CURRENTRELEASE.

Chris Lalancette
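The missing limit described in the problem report, as an added example that is not the Xen patch or any code from this tracker: a backend-side check that caps the frontend-supplied frame buffer length before computing how many guest pages to map. The struct layout, the function name `fb_pages_to_map` and the 16 MiB cap are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed values for illustration, not taken from the Xen source. */
#define FB_PAGE_SIZE 4096u
#define FB_MAX_BYTES (16u * 1024u * 1024u)   /* hypothetical backend cap */

struct fb_desc {            /* every field is written by the untrusted frontend */
    uint32_t width;         /* pixels */
    uint32_t height;        /* pixels */
    uint32_t depth;         /* bits per pixel */
    uint32_t row_stride;    /* bytes per scan line */
    uint32_t offset;        /* byte offset of the first pixel */
    uint32_t mem_length;    /* bytes of guest memory offered as frame buffer */
};

/* Returns the number of guest pages to map, or 0 if the description is rejected. */
size_t fb_pages_to_map(const struct fb_desc *d)
{
    uint64_t line_bytes, needed;

    if (d->depth != 8 && d->depth != 16 && d->depth != 24 && d->depth != 32)
        return 0;
    if (d->width == 0 || d->height == 0)
        return 0;
    /* The size limit: without it, mem_length alone decides how much is mapped. */
    if (d->mem_length == 0 || d->mem_length > FB_MAX_BYTES)
        return 0;
    /* 64-bit arithmetic so the products of 32-bit fields cannot wrap. */
    line_bytes = (uint64_t)d->width * (d->depth / 8);
    if (d->row_stride < line_bytes)
        return 0;
    needed = (uint64_t)d->offset + (uint64_t)d->row_stride * d->height;
    if (needed > d->mem_length)
        return 0;
    return (d->mem_length + FB_PAGE_SIZE - 1) / FB_PAGE_SIZE;
}

int main(void)
{
    /* Constructed sample descriptions: a sane one and an oversized one. */
    struct fb_desc ok  = { 800, 600, 32, 3200, 0, 1920000u };
    struct fb_desc big = { 800, 600, 32, 3200, 0, 0xFFFFFFFFu };
    printf("ok: %zu pages, oversized: %zu pages\n",
           fb_pages_to_map(&ok), fb_pages_to_map(&big));
    return 0;
}
```

The geometry checks alone do not bound the mapping; the explicit comparison against the cap is what keeps a frontend-chosen length from driving the page count.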