Bug 440768 (CVE-2012-2625)

Summary: app-emulation/xen-4.2.1: domain builder Out-of-memory due to malicious kernel/ramdisk (CVE-2012-{2625,4544})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: idella4, xen
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2012/10/26/3
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-11-01 16:08:45 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=870412 :

The Xen PV domain builder contained no validation of the size of the supplied kernel or ramdisk either before or after decompression. This could cause the toolstack to consume all available RAM in the domain running the domain builder.

A malicious guest administrator who can supply a kernel or ramdisk can exhaust memory in domain 0 leading to a denial of service attack.

HVM guests are not affected by this vulnerability.

Reference:
http://lists.xen.org/archives/html/xen-devel/2012-10/msg02015.html
http://www.openwall.com/lists/oss-security/2012/10/26/3

Acknowledgements:

Red Hat would like to thank the Xen project for reporting this issue.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-11-02 00:40:14 UTC
CVE-2012-4544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4544):
  The PV domain builder in Xen 4.2 and earlier does not validate the size of
  the kernel or ramdisk (1) before or (2) after decompression, which allows
  local guest administrators to cause a denial of service (domain 0 memory
  consumption) via a crafted (a) kernel or (b) ramdisk.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-11-02 00:47:51 UTC
CVE-2012-2625 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2625):
  The PyGrub boot loader in Xen unstable before changeset 25589:60f09d1ab1fe,
  4.2.x, and 4.1.x allows local para-virtualized guest users to cause a denial
  of service (memory consumption) via a large (1) bzip2 or (2) lzma compressed
  kernel image.
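The missing check named in the description above and in the NVD text for CVE-2012-2625 is size validation both before and after decompression. As an added example that is not Xen's or pygrub's own code, the following Python shows a bounded decompressor for bzip2 and xz images: it rejects oversized compressed input up front, then decompresses in fixed-size chunks and stops as soon as the running output total passes a second cap, so a small, highly compressible image cannot inflate until domain 0 runs out of memory. The cap values, helper names and the constructed zero-filled test images are assumptions for this example.

```python
import bz2
import lzma

# Caps are assumed values for this example, not Xen's; a real builder would size them to the guest.
MAX_COMPRESSED_BYTES = 64 * 1024 * 1024
MAX_DECOMPRESSED_BYTES = 256 * 1024 * 1024
CHUNK = 1024 * 1024  # upper bound on bytes produced per decompress() call

class ImageTooLarge(ValueError):
    """A kernel or ramdisk image exceeded a size cap."""

def _decompressor_for(data: bytes):
    """Pick a decompressor from the magic bytes: bzip2 'BZh', xz FD 37 7A 58 5A 00."""
    if data.startswith(b"BZh"):
        return bz2.BZ2Decompressor()
    if data.startswith(b"\xfd7zXZ\x00"):
        return lzma.LZMADecompressor()
    return None  # anything else is treated as an uncompressed image

def bounded_decompress(data: bytes, max_in: int = MAX_COMPRESSED_BYTES,
                       max_out: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    # Check (1): the compressed image must fit the cap before any work is done.
    if len(data) > max_in:
        raise ImageTooLarge(f"compressed image is {len(data)} bytes, cap is {max_in}")
    dec = _decompressor_for(data)
    if dec is None:
        return data
    out, pending = bytearray(), data
    # Check (2): decompress in bounded chunks and stop once the running total passes the cap.
    while not dec.eof:
        piece = dec.decompress(pending, max_length=CHUNK)
        pending = b""  # unconsumed input stays buffered inside the decompressor
        out += piece
        if len(out) > max_out:
            raise ImageTooLarge(f"decompressed image exceeds {max_out} bytes")
        if not piece and dec.needs_input:
            raise ValueError("truncated compressed image")
    return bytes(out)

def make_zero_bomb(size: int, codec: str) -> bytes:
    raw = b"\0" * size  # constructed input: highly compressible, so it inflates enormously
    return bz2.compress(raw) if codec == "bz2" else lzma.compress(raw)

def is_rejected(data: bytes, **caps) -> bool:
    # True if bounded_decompress() refuses the image under the given caps.
    try:
        bounded_decompress(data, **caps)
    except ImageTooLarge:
        return True
    return False
```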
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2013-01-31 07:28:40 UTC
right;
CVE-2012-2625 XSA-25 content is in place in the xensource code in >=4.2.0. CVE-2012-4544 XSA-25 patch takes once applied to the xensource code in >=4.2.0.

CVE-2012-2625 XSA-25 will become obsolete on the stabilising of xen-4.2.0.
CVE-2012-4544 XSA-25 is currently valid and pertinent to xen-tools and xen-pvgrub.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-29 00:21:07 UTC
@xen team: 4.2.2 is stable, can you verify whether the issues are fixed in this version?
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-06-09 01:23:05 UTC
Please confirm comment 4, as we are getting ready to release a GLSA and we would like to include this bug into it if it is fixed.
Comment 6 Yixun Lan archtester gentoo-dev 2014-06-09 01:47:39 UTC
(In reply to Yury German from comment #5)
> Please confirm comment 4, as we are getting ready to release a GLSA and we
> would like to include this bug into it if it is fixed.

Yes, I've verified. This is already fixed in >=xen-4.2.1, check other xen ebuilds (4.3.x, 4.4.x) in portage which are *not* affected by this.

Thanks.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-06-09 03:42:36 UTC
Thank you ... adding to existing GLSA.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-07-16 16:46:22 UTC
This issue was resolved and addressed in GLSA 201407-03 at http://security.gentoo.org/glsa/glsa-201407-03.xml
by GLSA coordinator Mikle Kolyada (Zlogene).