Multiple integer overflows in tools/libxc/xc_dom_bzimageloader.c in Xen 3.2,
3.3, 4.0, and 4.1 allow local users to cause a denial of service and
possibly execute arbitrary code via a crafted paravirtualised guest kernel
image that triggers (1) a buffer overflow during a decompression loop or (2)
an out-of-bounds read in the loader involving unspecified length fields.
Despite the CVE text, a patch for 3.4 can be found in the references.
Please check if our latest stable 3.4 version is still affected by this and provide an updated ebuild. Also, for the future 4.1 stable, please check if that is affected too.
tools/libxc/xc_dom_bzimageloader.c in Xen 3.2, 3.3, 4.0, and 4.1 allows
local users to cause a denial of service (management software infinite loop
and management domain resource consumption) via unspecified vectors related
to "Lack of error checking in the decompression loop."
Created attachment 289345
re-written patch for xen-3, xen-3.4.2-sec-2011-1583.patch
Created attachment 289347
revised ebuild patch to bump to xen-3.4.2-r4
patch adds the two sec patches + a copy of the fix for /.config dir
Oh, forgot to mention, the patch is not required for xen-4.
The content is already in the source.
+*xen-3.4.2-r4 (11 Oct 2011)
+ 11 Oct 2011; Tony Vroon <email@example.com> +xen-3.4.2-r4.ebuild,
+ Patches by Ian "idella4" Delaney to address security bugs #385319 and
Stabilisation efforts in bug #385319.
Stabilization completed in bug 385319.
GLSA vote: yes.
Thanks, folks. GLSA Vote: yes; bug added to existing GLSA request.
This issue was resolved and addressed in
GLSA 201309-24 at http://security.gentoo.org/glsa/glsa-201309-24.xml
by GLSA coordinator Chris Reffett (creffett).