From the Secunia security advisory at $URL and from the upstream advisory:
Two vulnerabilities have been reported in Xen, which can be exploited by malicious, local users in a guest virtual machine to cause a DoS (Denial of Service) and gain escalated privileges.
1) An error when handling certain system calls can be exploited to gain additional privileges.
Successful exploitation of this vulnerability requires a 64-bit PV guest kernel running on a 64-bit hypervisor.
2) An error when handling exceptions does not properly clear a flag, which can be exploited to cause a crash.
Note: This vulnerability does not affect HVM guests.
The vulnerabilities are reported in versions 3.4, 4.0, and 4.1.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; and Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: this description clearly does not belong in CVE, because a single entry cannot be about independent codebases; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a
These are now fixed in Xen 4.1.3.
Maintainers, please bump.
Please bump for this bug and bug 440768.
The handle_mmio function in arch/x86/hvm/io.c in the MMIO operations emulator for Xen 3.3 and 4.x, when running an HVM guest, does not properly reset certain state information between emulation cycles, which allows local guest OS users to cause a denial of service (guest OS crash) via unspecified operations on MMIO regions.
Xen 4.0 and 4.1, when running a 64-bit PV guest on "older" AMD CPUs, does not properly protect against a certain AMD processor bug, which allows local guest OS users to cause a denial of service (host hang) via sequential execution of instructions across a non-canonical boundary, a different vulnerability than CVE-2012-0217.
Xen 3.4, 4.0, and 4.1, when the guest OS has not registered a handler for a syscall or sysenter instruction, does not properly clear a flag for exception injection when injecting a General Protection Fault, which allows local PV guest OS users to cause a denial of service (guest crash) by later triggering an exception that would normally be handled within Xen.
Well, I bumped the xens to 4.2 in the 1st week of December.
4.2 stable. Added to GLSA request.
This issue was resolved and addressed in GLSA 201309-24 at http://security.gentoo.org/glsa/glsa-201309-24.xml by GLSA coordinator Chris Reffett (creffett).