Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 440768 (CVE-2012-2625) - app-emulation/xen-4.2.1: domain builder Out-of-memory due to malicious kernel/ramdisk (CVE-2012-{2625,4544})
Summary: app-emulation/xen-4.2.1: domain builder Out-of-memory due to malicious kernel...
Status: RESOLVED FIXED
Alias: CVE-2012-2625
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-01 16:08 UTC by Agostino Sarubbo
Modified: 2014-07-16 16:46 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-11-01 16:08:45 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=870412 :

The Xen PV domain builder contained no validation of the size of the supplied kernel or ramdisk 
either before or after decompression. This could cause the toolstack to consume all available RAM 
in the domain running the domain builder.

A malicious guest administrator who can supply a kernel or ramdisk can exhaust memory in domain 0 
leading to a denial of service attack.

HVM guests are not affected by this vulnerability.

Reference:
http://lists.xen.org/archives/html/xen-devel/2012-10/msg02015.html
http://www.openwall.com/lists/oss-security/2012/10/26/3

Acknowledgements:

Red Hat would like to thank the Xen project for reporting this issue.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-11-02 00:40:14 UTC
CVE-2012-4544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4544):
  The PV domain builder in Xen 4.2 and earlier does not validate the size of
  the kernel or ramdisk (1) before or (2) after decompression, which allows
  local guest administrators to cause a denial of service (domain 0 memory
  consumption) via a crafted (a) kernel or (b) ramdisk.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-11-02 00:47:51 UTC
CVE-2012-2625 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2625):
  The PyGrub boot loader in Xen unstable before changeset 25589:60f09d1ab1fe,
  4.2.x, and 4.1.x allows local para-virtualized guest users to cause a denial
  of service (memory consumption) via a large (1) bzip2 or (2) lzma compressed
  kernel image.
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2013-01-31 07:28:40 UTC
right; 
CVE-2012-2625 XSA-25 content is in place      in the xensource code in >=4.2.0.  CVE-2012-4544 XSA-25 patch takes once applied to the xensource code in >=4.2.0.

CVE-2012-2625 XSA-25 will become obsolete on the stabilising of xen-4.2.0.
CVE-2012-4544 XSA-25 is currently valid and pertinent to xen-tools and xen-pvgrub.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-29 00:21:07 UTC
@xen team: 4.2.2 is stable, can you verify whether the issues are fixed in this version?
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-06-09 01:23:05 UTC
Please confirm comment 4, as we are getting ready to release a GLSA and we would like to include this bug in to it if it is fixed.
Comment 6 Yixun Lan gentoo-dev 2014-06-09 01:47:39 UTC
(In reply to Yury German from comment #5)
> Please confirm comment 4, as we are getting ready to release a GLSA and we
> would like to include this bug in to it if it is fixed.

Yes, I've verified. This is already fixed in >=xen-4.2.1, check other xen ebuilds (4.3.x, 4.4.x) in portage which are *not* affected by this.

Thanks.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-06-09 03:42:36 UTC
Thank you ... adding to existing GLSA.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-07-16 16:46:22 UTC
This issue was resolved and addressed in
 GLSA 201407-03 at http://security.gentoo.org/glsa/glsa-201407-03.xml
by GLSA coordinator Mikle Kolyada (Zlogene).