The oxenstored daemon (the OCaml version of the xenstore daemon) does not correctly handle unusual or malicious contents in the xenstore ring. A malicious guest can exploit this to cause oxenstored to read past the end of the ring (and very likely crash) or to allocate large amounts of RAM. A malicious guest administrator can mount a denial of service attack affecting domain control and management functions.

Acknowledgements: Red Hat would like to thank the Xen project for reporting this issue.
Statement: This issue did not affect the versions of the xen package as shipped with Red Hat Enterprise Linux 5.
Created xen tracking bugs for this issue

Affects: fedora-all [bug 907888]
xen-4.1.4-4.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
xen-4.2.1-7.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Relevant upstream patches are as follows:

http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=40f9c5e0a6d15b4ca1f6d4ed3a46f0871520eab5
http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=61401264eb00fae4ee4efc8e9a5067449283207b
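
The kind of validation the description at the top of this report calls for, as an added example that is not the upstream patch linked above and not code from the Xen project: a reader of a guest-writable ring rejects inconsistent indices before copying, and caps a claimed message length before allocating. The struct layout, function names and the two constants are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Assumed values for illustration; not taken from the page. */
#define RING_SIZE   1024u   /* must be a power of two */
#define PAYLOAD_MAX 4096u   /* largest payload the daemon will accept */

/* Shared page: the guest can write any value into these fields at any time. */
struct ring {
    char              buf[RING_SIZE];
    volatile uint32_t cons, prod;   /* free-running counters, masked on use */
};

/* Copy up to len bytes out of the ring. Returns the number of bytes copied,
 * or -1 if the indices claim more data than the ring can hold. */
static int ring_read(struct ring *r, char *dst, uint32_t len)
{
    /* Snapshot once so the check and the copy use the same values. */
    uint32_t cons = r->cons, prod = r->prod;
    uint32_t avail = prod - cons;           /* unsigned wrap is intended */

    if (avail > RING_SIZE)
        return -1;                          /* corrupt or hostile indices */
    if (len > avail)
        len = avail;

    uint32_t off = cons & (RING_SIZE - 1);
    uint32_t first = RING_SIZE - off;       /* bytes before wrap-around */
    if (first > len)
        first = len;
    memcpy(dst, r->buf + off, first);
    memcpy(dst + first, r->buf, len - first);

    r->cons = cons + len;
    return (int)len;
}

/* Check a message header's length field before allocating a buffer for it. */
static int payload_len_ok(uint32_t claimed_len)
{
    return claimed_len <= PAYLOAD_MAX;
}
```

Without the `avail > RING_SIZE` check, a producer index far ahead of the consumer would let the copy length exceed the buffer, which is the read-past-the-end case; without the length cap, a large claimed length drives the allocation size.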