Security Advisory Important: xen security and bug fix update

Advisory: RHSA-2008:0194-20
Type: Security Advisory
Severity: Important
Issued on: 2008-05-13
Last updated on: 2008-05-13
Affected Products:
    RHEL Desktop Multi OS (v. 5 client)
    RHEL Virtualization (v. 5 server)
    RHEL Virtualization EUS (v. 5.1.z server)
    Red Hat Enterprise Linux (v. 5 server)
    Red Hat Enterprise Linux Desktop (v. 5 client)
    Red Hat Enterprise Linux EUS (v. 5.1.z server)
CVEs (cve.mitre.org):
    CVE-2007-3919
    CVE-2007-5730
    CVE-2008-0928
    CVE-2008-1943
    CVE-2008-1944
    CVE-2008-2004

Details

Updated xen packages that fix several security issues and a bug are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

The xen packages contain tools for managing the virtual machine monitor in
Red Hat Virtualization.

These updated packages fix the following security issues:

Daniel P. Berrange discovered that the hypervisor's para-virtualized
framebuffer (PVFB) backend failed to validate the format of messages
serving to update the contents of the framebuffer. This could allow a
malicious user to cause a denial of service, or compromise the privileged
domain (Dom0). (CVE-2008-1944)

Markus Armbruster discovered that the hypervisor's para-virtualized
framebuffer (PVFB) backend failed to validate the frontend's framebuffer
description. This could allow a malicious user to cause a denial of
service, or to use a specially crafted frontend to compromise the
privileged domain (Dom0). (CVE-2008-1943)

Chris Wright discovered a security vulnerability in the QEMU block format
auto-detection, when running fully-virtualized guests. Such
fully-virtualized guests, with a raw formatted disk image, were able
to write a header to that disk image describing another format. This could
allow such guests to read arbitrary files in their hypervisor's host.
(CVE-2008-2004)
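
The following host-side audit for the format auto-detection issue above is an added example, not code from this advisory, Red Hat or QEMU. It flags an image that the host configures as raw but whose first bytes claim another container format, and reports the backing file a qcow header names. The function names, the magic list and the sample bytes are constructed for illustration; the qcow field layout comes from the qcow format itself, not from this page.

```python
import struct

# Leading magic bytes of container formats a probing block layer may accept.
# Constructed list for this example; it is not exhaustive.
MAGICS = {
    b"QFI\xfb": "qcow/qcow2",
    b"KDMV": "vmdk (sparse extent)",
    b"COWD": "vmdk (legacy COW)",
    b"conectix": "vpc/vhd (dynamic)",
}

def probe_format(header):
    """Return the container format the leading bytes claim, or None."""
    for magic, name in MAGICS.items():
        if header.startswith(magic):
            return name
    return None

def qcow_backing_file(header):
    """Return the backing file name a qcow/qcow2 header references, if any."""
    if not header.startswith(b"QFI\xfb") or len(header) < 20:
        return None
    # Big-endian: magic(4) version(4) backing_file_offset(8) backing_file_size(4)
    _magic, _version, off, size = struct.unpack(">4sIQI", header[:20])
    if off == 0 or size == 0 or off + size > len(header):
        return None
    return header[off:off + size].decode("utf-8", "replace")

def audit_raw_image(header):
    """Audit the first bytes of an image that the host configures as raw."""
    fmt = probe_format(header)
    if fmt is None:
        return {"suspicious": False}
    return {"suspicious": True, "claims": fmt,
            "backing_file": qcow_backing_file(header)}

def audit_image_file(path, probe_len=4096):
    """Read the start of an image file and audit it."""
    with open(path, "rb") as f:
        return audit_raw_image(f.read(probe_len))

# Constructed samples: a qcow2-style header and an ordinary boot sector.
_PATH = b"/constructed/host/path"
SAMPLE_QCOW = struct.pack(">4sIQI", b"QFI\xfb", 2, 32, len(_PATH)).ljust(32, b"\0") + _PATH
SAMPLE_BOOT = bytes(510) + b"\x55\xaa"

if __name__ == "__main__":
    print(audit_raw_image(SAMPLE_QCOW))
    print(audit_raw_image(SAMPLE_BOOT))
```

A hit means the guest-controlled contents of a raw image would be interpreted as a different format if the host probed it, so the image should be reviewed before it is attached again.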

Ian Jackson discovered a security vulnerability in the QEMU block device
drivers backend. A guest operating system could issue a block device
request and read or write arbitrary memory locations, which could lead to
privilege escalation. (CVE-2008-0928)

Tavis Ormandy found that QEMU did not perform adequate sanity-checking of
data received via the "net socket listen" option. A malicious local
administrator of a guest domain could trigger this flaw to potentially
execute arbitrary code outside of the domain. (CVE-2007-5730)

Steve Kemp discovered that the xenbaked daemon and the XenMon utility
communicated via an insecure temporary file. A malicious local
administrator of a guest domain could perform a symbolic link attack,
causing arbitrary files to be truncated. (CVE-2007-3919)
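
The temporary-file weakness described above, shown beside a hardened write, as an added example that is not code from xenbaked, XenMon or this advisory. The file names are hypothetical and everything runs inside a scratch directory created for the demonstration.

```python
import os
import tempfile

def write_naive(path, data):
    # Pattern behind this class of bug: open() follows a symlink planted at a
    # predictable path and truncates whatever it points to.
    with open(path, "wb") as f:
        f.write(data)

def write_hardened(path, data):
    # O_CREAT|O_EXCL fails if anything, including a symlink, already exists
    # at path; O_NOFOLLOW refuses symlinks; mode 0600 limits who can read it.
    # Keeping the file in a directory only the daemon can write to removes
    # the race entirely.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def demo():
    """Run both writers against a constructed symlink in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "important.conf")  # hypothetical file
        shared = os.path.join(d, "shared-buffer")   # hypothetical fixed name
        with open(victim, "wb") as f:
            f.write(b"keep me")
        os.symlink(victim, shared)
        try:
            write_hardened(shared, b"stats")
            hardened_refused = False
        except OSError:
            hardened_refused = True
        with open(victim, "rb") as f:
            intact_after_hardened = f.read() == b"keep me"
        write_naive(shared, b"")
        truncated_after_naive = os.path.getsize(victim) == 0
        return hardened_refused, intact_after_hardened, truncated_after_naive

if __name__ == "__main__":
    print(demo())
```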

In addition, with the previous xen packages, Dom0 could fail to flush data
from a fully-virtualized guest to disk, even if the guest explicitly
requested the flush. This could cause data integrity problems on the
guest. In these updated packages, Dom0 always respects the request to
flush to disk.

Users of xen are advised to upgrade to these updated packages, which
resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Multi OS (v. 5 client)

SRPMS:
xen-3.0.3-41.el5_1.5.src.rpm
File outdated by:  RHBA-2008:0280
    MD5: ea85165bcdc7d00e37a165a76cb4df86
 
IA-32:
xen-3.0.3-41.el5_1.5.i386.rpm
File outdated by:  RHBA-2013:0846
    MD5: 01bfef5c31ceb34204dc399bd83e347a
xen-devel-3.0.3-41.el5_1.5.i386.rpm
File outdated by:  RHBA-2013:0846
    MD5: 6e4aad94c98dd23365e85ac79bf106f3
 
x86_64:
xen-3.0.3-41.el5_1.5.x86_64.rpm
File outdated by:  RHBA-2013:0846
    MD5: 778df7410dc54ce8e41deba1e7e2647a
xen-devel-3.0.3-41.el5_1.5.i386.rpm
File outdated by:  RHBA-2013:0846
    MD5: 6e4aad94c98dd23365e85ac79bf106f3
xen-devel-3.0.3-41.el5_1.5.x86_64.rpm
File outdated by:  RHBA-2013:0846
    MD5: 121c2fc09883c8218a88dcc4e3c506a1
 
RHEL Virtualization (v. 5 server)

SRPMS:
xen-3.0.3-41.el5_1.5.src.rpm
File outdated by:  RHBA-2008:0280
    MD5: ea85165bcdc7d00e37a165a76cb4df86
 
IA-32:
xen-3.0.3-41.el5_1.5.i386.rpm
File outdated by:  RHBA-2013:0846
    MD5: 01bfef5c31ceb34204dc399bd83e347a
xen-devel-3.0.3-41.el5_1.5.i386.rpm
File outdated by:  RHBA-2013:0846
    MD5: 6e4aad94c98dd23365e85ac79bf106f3
 
IA-64:
xen-3.0.3-41.el5_1.5.ia64.rpm
File outdated by:  RHBA-2013:0846
    MD5: a005142b9831e353b370db3153627464
xen-devel-3.0.3-41.el5_1.5.ia64.rpm
File outdated by:  RHBA-2013:0846
    MD5: 63b6af2d2522cbcfa70c2c3c3b5ba221
 
x86_64:
xen-3.0.3-41.el5_1.5.x86_64.rpm
File outdated by:  RHBA-2013:0846
    MD5: 778df7410dc54ce8e41deba1e7e2647a
xen-devel-3.0.3-41.el5_1.5.i386.rpm
File outdated by:  RHBA-2013:0846
    MD5: 6e4aad94c98dd23365e85ac79bf106f3
xen-devel-3.0.3-41.el5_1.5.x86_64.rpm
File outdated by:  RHBA-2013:0846
    MD5: 121c2fc09883c8218a88dcc4e3c506a1
 
RHEL Virtualization EUS (v. 5.1.z server)

SRPMS:
xen-3.0.3-41.el5_1.5.src.rpm
File outdated by:  RHBA-2008:0280
    MD5: ea85165bcdc7d00e37a165a76cb4df86
 
IA-32:
xen-3.0.3-41.el5_1.5.i386.rpm
File outdated by:  RHBA-2008:0280
    MD5: 01bfef5c31ceb34204dc399bd83e347a
xen-devel-3.0.3-41.el5_1.5.i386.rpm
File outdated by:  RHBA-2008:0280
    MD5: 6e4aad94c98dd23365e85ac79bf106f3
 
IA-64:
xen-3.0.3-41.el5_1.5.ia64.rpm
File outdated by:  RHBA-2008:0280
    MD5: a005142b9831e353b370db3153627464
xen-devel-3.0.3-41.el5_1.5.ia64.rpm
File outdated by:  RHBA-2008:0280
    MD5: 63b6af2d2522cbcfa70c2c3c3b5ba221
 
x86_64:
xen-3.0.3-41.el5_1.5.x86_64.rpm
File outdated by:  RHBA-2008:0280
    MD5: 778df7410dc54ce8e41deba1e7e2647a
xen-devel-3.0.3-41.el5_1.5.i386.rpm
File outdated by:  RHBA-2008:0280
    MD5: 6e4aad94c98dd23365e85ac79bf106f3
xen-devel-3.0.3-41.el5_1.5.x86_64.rpm
File outdated by:  RHBA-2008:0280
    MD5: 121c2fc09883c8218a88dcc4e3c506a1
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
xen-3.0.3-41.el5_1.5.src.rpm
File outdated by:  RHBA-2008:0280
    MD5: ea85165bcdc7d00e37a165a76cb4df86
 
IA-32:
xen-libs-3.0.3-41.el5_1.5.i386.rpm
File outdated by:  RHBA-2013:0846
    MD5: e7d5be18a0dc59e333bcdfe3f7b9d065
 
IA-64:
xen-libs-3.0.3-41.el5_1.5.ia64.rpm
File outdated by:  RHBA-2013:0846
    MD5: 103ecae467c2b6e5a0864ace8606e001
 
x86_64:
xen-libs-3.0.3-41.el5_1.5.i386.rpm
File outdated by:  RHBA-2013:0846
    MD5: e7d5be18a0dc59e333bcdfe3f7b9d065
xen-libs-3.0.3-41.el5_1.5.x86_64.rpm
File outdated by:  RHBA-2013:0846
    MD5: 5c15cf920cd38193f2a2644f14114197
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
xen-3.0.3-41.el5_1.5.src.rpm
File outdated by:  RHBA-2008:0280
    MD5: ea85165bcdc7d00e37a165a76cb4df86
 
IA-32:
xen-libs-3.0.3-41.el5_1.5.i386.rpm
File outdated by:  RHBA-2013:0846
    MD5: e7d5be18a0dc59e333bcdfe3f7b9d065
 
x86_64:
xen-libs-3.0.3-41.el5_1.5.i386.rpm
File outdated by:  RHBA-2013:0846
    MD5: e7d5be18a0dc59e333bcdfe3f7b9d065
xen-libs-3.0.3-41.el5_1.5.x86_64.rpm
File outdated by:  RHBA-2013:0846
    MD5: 5c15cf920cd38193f2a2644f14114197
 
Red Hat Enterprise Linux EUS (v. 5.1.z server)

SRPMS:
xen-3.0.3-41.el5_1.5.src.rpm
File outdated by:  RHBA-2008:0280
    MD5: ea85165bcdc7d00e37a165a76cb4df86
 
IA-32:
xen-libs-3.0.3-41.el5_1.5.i386.rpm
File outdated by:  RHBA-2008:0280
    MD5: e7d5be18a0dc59e333bcdfe3f7b9d065
 
IA-64:
xen-libs-3.0.3-41.el5_1.5.ia64.rpm
File outdated by:  RHBA-2008:0280
    MD5: 103ecae467c2b6e5a0864ace8606e001
 
x86_64:
xen-libs-3.0.3-41.el5_1.5.i386.rpm
File outdated by:  RHBA-2008:0280
    MD5: e7d5be18a0dc59e333bcdfe3f7b9d065
xen-libs-3.0.3-41.el5_1.5.x86_64.rpm
File outdated by:  RHBA-2008:0280
    MD5: 5c15cf920cd38193f2a2644f14114197
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

350421 - CVE-2007-3919 xen xenmon.py / xenbaked insecure temporary file access
360381 - CVE-2007-5730 QEMU Buffer overflow via crafted "net socket listen" option
433560 - CVE-2008-0928 Qemu insufficient block device address range checking
435495 - [RHEL5.2]: LTC41676-Xen full virt has data integrity issue
443078 - CVE-2008-1943 PVFB backend fails to validate frontend's framebuffer description
443390 - CVE-2008-1944 PVFB SDL backend chokes on bogus screen updates
444583 - CVE-2008-2004 qemu/kvm/xen: qemu block format auto-detection vulnerability


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/