Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 489216 (CVE-2013-4344) - app-emulation/xen: Privilege escalation (CVE-2013-4344)
Summary: app-emulation/xen: Privilege escalation (CVE-2013-4344)
Alias: CVE-2013-4344
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [noglsa]
Depends on:
Reported: 2013-10-24 00:26 UTC by GLSAMaker/CVETool Bot
Modified: 2015-04-05 04:00 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2013-10-24 00:26:30 UTC
CVE-2013-4344 (
  Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a
  SCSI controller has more than 256 attached devices, allows local users to
  gain privileges via a small transfer buffer in a REPORT LUNS command.
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2013-11-06 10:03:43 UTC
qemu contains a possible buffer overflow ..............


Xen systems do not use the qemu SCSI code by default.


Only Xen systems whose administrators have deliberately configured HVM
guests to have emulated SCSI controllers, and where those guests are
provided with more than 256 devices, are vulnerable.

We are not aware of any such systems.

So what is it we have here?  A white elephant or is it a red herring?  To my understanding this reads as a qemu security issue.  xen uses qemu which was qemu-kvm which is again qemu I think... and then it has the options qemu-xen vs. xemu-xen-traditional. lists NO PATCH.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-04-05 04:00:39 UTC
Confirmed by Maintainer:
bug in qemu, NO patch for xen (no action for us)

Closing Invalid.