From secunia security advisory at $URL and from the upstream advisory:

http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html
http://lists.xen.org/archives/html/xen-announce/2012-06/msg00003.html

Description

Two vulnerabilities have been reported in Xen, which can be exploited by malicious, local users in a guest virtual machine to cause a DoS (Denial of Service) and gain escalated privileges.

1) An error when handling certain system calls can be exploited to gain additional privileges.

Successful exploitation of this vulnerability requires a 64-bit PV guest kernel running on a 64-bit hypervisor.

2) An error when handling exceptions does not properly clear a flag, which can be exploited to cause a crash.

Note: This vulnerability does not affect HVM guests.

The vulnerabilities are reported in versions 3.4, 4.0, and 4.1.
CVE-2012-0217 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0217): The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; and Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: this description clearly does not belong in CVE, because a single entry cannot be about independent codebases; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.
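The CVE-2012-0217 description above turns on a single check: whether the return address handed to SYSRET is canonical. The following C is an added illustration of that check and of the decision a 64-bit kernel or hypervisor makes with it; it is not Xen's code, not the upstream patch, and not an exploit. The names `is_canonical` and `choose_return_path`, the 48-bit address width, and the probe values are this example's own assumptions.

```c
/*
 * Added illustration for CVE-2012-0217 (not Xen's code, not an exploit).
 *
 * x86-64 with 48-bit virtual addresses requires bits 63..47 of an address
 * to all equal bit 47 ("canonical"). SYSRET loads RIP from RCX without
 * checking this; on Intel CPUs a non-canonical RIP raises #GP while still
 * at CPL 0, after the stack pointer has already been switched back to the
 * caller-controlled value. That is why the fast sysret path must not be
 * taken for such an address: IRET performs the canonical check itself, so
 * the safe choice for a non-canonical return address is the slower IRET.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Width of the virtual address space: 48 bits on the hardware the CVE
 * text concerns (assumption for this example; 57 with LA57 paging). */
#define VA_BITS_DEFAULT 48

/* True if 'va' is canonical for a va_bits-wide virtual address space:
 * bits 63 .. (va_bits-1) must be all zero or all one. */
bool is_canonical(uint64_t va, unsigned va_bits)
{
    uint64_t top = va >> (va_bits - 1);                 /* bits 63..va_bits-1 */
    uint64_t all = (UINT64_C(1) << (64 - va_bits + 1)) - 1; /* mask of those bits */
    return top == 0 || top == all;
}

enum ret_path { RET_SYSRET = 0, RET_IRET = 1 };

/* Hypothetical return-to-guest selector: fast SYSRET only when the guest
 * RIP is canonical, otherwise IRET so that any fault is raised by an
 * instruction that validates the address before switching context. */
enum ret_path choose_return_path(uint64_t guest_rip)
{
    return is_canonical(guest_rip, VA_BITS_DEFAULT) ? RET_SYSRET : RET_IRET;
}

int main(void)
{
    /* Constructed boundary values around the non-canonical hole */
    const uint64_t probes[] = {
        UINT64_C(0x00007fffffffffff), /* top of the lower half: canonical     */
        UINT64_C(0x0000800000000000), /* first non-canonical address          */
        UINT64_C(0xffff7fffffffffff), /* last non-canonical address           */
        UINT64_C(0xffff800000000000), /* bottom of the upper half: canonical  */
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%#018" PRIx64 " -> %s\n", probes[i],
               choose_return_path(probes[i]) == RET_SYSRET ? "sysret" : "iret");
    return 0;
}
```

The check is written with a shift and a mask rather than a signed sign-extension so it is portable C (right-shifting a negative value is implementation-defined), and the width is a parameter so the same routine covers 5-level paging, which the CVE text does not discuss.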
These are now fixed in Xen 4.1.3. http://lists.xen.org/archives/html/xen-announce/2012-08/msg00001.html Maintainers, please bump.
Maintainers: ping. Please bump for this bug and bug 440768.
CVE-2012-3432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3432): The handle_mmio function in arch/x86/hvm/io.c in the MMIO operations emulator for Xen 3.3 and 4.x, when running an HVM guest, does not properly reset certain state information between emulation cycles, which allows local guest OS users to cause a denial of service (guest OS crash) via unspecified operations on MMIO regions.

CVE-2012-2934 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2934): Xen 4.0, and 4.1, when running a 64-bit PV guest on "older" AMD CPUs, does not properly protect against a certain AMD processor bug, which allows local guest OS users to cause a denial of service (host hang) via sequential execution of instructions across a non-canonical boundary, a different vulnerability than CVE-2012-0217.

CVE-2012-0218 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0218): Xen 3.4, 4.0, and 4.1, when the guest OS has not registered a handler for a syscall or sysenter instruction, does not properly clear a flag for exception injection when injecting a General Protection Fault, which allows local PV guest OS users to cause a denial of service (guest crash) by later triggering an exception that would normally be handled within Xen.
Well, I bumped the xens to 4.2 in the 1st week of December.
4.2 stable. Added to GLSA request.
This issue was resolved and addressed in GLSA 201309-24 at http://security.gentoo.org/glsa/glsa-201309-24.xml by GLSA coordinator Chris Reffett (creffett).