Bug 1238088 (CVE-2015-3259, xsa137) - CVE-2015-3259 xen: xl command line config handling stack overflow (XSA-137)
Summary: CVE-2015-3259 xen: xl command line config handling stack overflow (XSA-137)
Alias: CVE-2015-3259, xsa137
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1238089
TreeView+ depends on / blocked
Reported: 2015-07-01 07:48 UTC by Martin Prpič
Modified: 2023-05-12 09:26 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-07-07 12:38:10 UTC

Attachments (Terms of Use)

Description Martin Prpič 2015-07-01 07:48:18 UTC

The xl command line utility mishandles long configuration values when passed as command line arguments, with a buffer overrun.


Systems built on top of xl which pass laundered or checked (but otherwise untrusted) configuration values onto xl's command line, without restricting their length, are vulnerable.

We are not presently aware of any publicly distributed production software which exposes the xl vulnerability. However it is sufficiently simple to create such an arrangement that it might be done locally in an attempt to grant partial management access to particular domains.

Systems using the libxl library directly, without using xl, are not vulnerable. Systems using toolstacks other than xl are not vulnerable. Systems where only fully trusted input is ever presented to the xl command line are not vulnerable.

The vulnerability exists on x86 and ARM.

The vulnerability was introduced in Xen 4.1 and affects all subsequent Xen releases.


A semi-trusted guest administrator or controller, who is intended to be able to partially control the configuration settings for a domain, can escalate their privileges to that of the whole host.


Limiting the length of untrusted configuration settings will avoid the vulnerability. (The total length of all command-line configuration settings, including some interposed newlines and trailing nul, must be less than 1024.)


Red Hat would like to thank the Xen project for reporting this issue.

Comment 1 Petr Matousek 2015-07-07 12:38:10 UTC

Not vulnerable.

This issue does not affect the Xen packages as shipped with Red Hat Enterprise Linux 5.

Comment 2 Martin Prpič 2015-07-07 13:10:15 UTC
External References:


Note You need to log in before you can comment on or make changes to this bug.