Red Hat Product Errata RHSA-2008:0194 - Security Advisory
Issued:
2008-05-13
Updated:
2008-05-13

RHSA-2008:0194 - Security Advisory

Synopsis

Important: xen security and bug fix update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated xen packages that fix several security issues and a bug are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Description

The xen packages contain tools for managing the virtual machine monitor in
Red Hat Virtualization.

These updated packages fix the following security issues:

Daniel P. Berrange discovered that the hypervisor's para-virtualized
framebuffer (PVFB) backend failed to validate the format of messages
serving to update the contents of the framebuffer. This could allow a
malicious user to cause a denial of service, or compromise the privileged
domain (Dom0). (CVE-2008-1944)

Markus Armbruster discovered that the hypervisor's para-virtualized
framebuffer (PVFB) backend failed to validate the frontend's framebuffer
description. This could allow a malicious user to cause a denial of
service, or to use a specially crafted frontend to compromise the
privileged domain (Dom0). (CVE-2008-1943)

Chris Wright discovered a security vulnerability in the QEMU block format
auto-detection, when running fully-virtualized guests. Such
fully-virtualized guests, with a raw formatted disk image, were able
to write a header to that disk image describing another format. This could
allow such guests to read arbitrary files in their hypervisor's host.
(CVE-2008-2004)

Ian Jackson discovered a security vulnerability in the QEMU block device
drivers backend. A guest operating system could issue a block device
request and read or write arbitrary memory locations, which could lead to
privilege escalation. (CVE-2008-0928)

Tavis Ormandy found that QEMU did not perform adequate sanity-checking of
data received via the "net socket listen" option. A malicious local
administrator of a guest domain could trigger this flaw to potentially
execute arbitrary code outside of the domain. (CVE-2007-5730)

Steve Kemp discovered that the xenbaked daemon and the XenMon utility
communicated via an insecure temporary file. A malicious local
administrator of a guest domain could perform a symbolic link attack,
causing arbitrary files to be truncated. (CVE-2007-3919)

As well, in the previous xen packages, it was possible for Dom0 to fail to
flush data from a fully-virtualized guest to disk, even if the guest
explicitly requested the flush. This could cause data integrity problems on
the guest. In these updated packages, Dom0 always respects the request to
flush to disk.

Users of xen are advised to upgrade to these updated packages, which
resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.1 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.1 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.1 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 350421 - CVE-2007-3919 xen xenmon.py / xenbaked insecure temporary file accesss
  • BZ - 360381 - CVE-2007-5730 QEMU Buffer overflow via crafted "net socket listen" option
  • BZ - 433560 - CVE-2008-0928 Qemu insufficient block device address range checking
  • BZ - 435495 - [RHEL5.2]: LTC41676-Xen full virt has data integrity issue
  • BZ - 443078 - CVE-2008-1943 PVFB backend fails to validate frontend's framebuffer description
  • BZ - 443390 - CVE-2008-1944 PVFB SDL backend chokes on bogus screen updates
  • BZ - 444583 - CVE-2008-2004 qemu/kvm/xen: qemu block format auto-detection vulnerability

Red Hat Enterprise Linux Server 5

SRPM
xen-3.0.3-41.el5_1.5.src.rpm SHA-256: 8b8b9e047477b8f9db1060eb836b71f1e095f036bc4a012060434f09621483bf
x86_64
xen-3.0.3-41.el5_1.5.x86_64.rpm SHA-256: 180083c511510be140f59c4db132d2cce8acf8f0a5ee60537190cd93d0a5acd6
xen-devel-3.0.3-41.el5_1.5.i386.rpm SHA-256: 8d0b64727fa984053c721d48b6ce18b55b6958e96693dbbc10f76e79ed403dd2
xen-devel-3.0.3-41.el5_1.5.x86_64.rpm SHA-256: 494ac8272585f5288066d46d12b6611157a499e1d9738feac6cde926c5661083
xen-libs-3.0.3-41.el5_1.5.i386.rpm SHA-256: 4a7f7fad1a007d3ba659db357be998b1afdefbd1401918b5f35225bcc56b1643
xen-libs-3.0.3-41.el5_1.5.x86_64.rpm SHA-256: 4e1ae8bd709071c17d917f49296ccfe662436892f4da2c9d852760f7d938ca2f
ia64
xen-3.0.3-41.el5_1.5.ia64.rpm SHA-256: 850ee158771d5659998109a71486c733cd4a4ebb55c15b54ae4fdd0be8cee51b
xen-devel-3.0.3-41.el5_1.5.ia64.rpm SHA-256: 7a3f027bf79ae10c1938b0066460cf1061540363bbda501aef7e322a1f632c56
xen-libs-3.0.3-41.el5_1.5.ia64.rpm SHA-256: b7c468dc6f8d37a3cfeef2acb09a593240d531c0d8215e58f7014e3e366d6951
i386
xen-3.0.3-41.el5_1.5.i386.rpm SHA-256: edf54f0f55f9a6aa26d0bfa29ff9635bfbc1a0763dbf443eb514b795a45afe6b
xen-devel-3.0.3-41.el5_1.5.i386.rpm SHA-256: 8d0b64727fa984053c721d48b6ce18b55b6958e96693dbbc10f76e79ed403dd2
xen-libs-3.0.3-41.el5_1.5.i386.rpm SHA-256: 4a7f7fad1a007d3ba659db357be998b1afdefbd1401918b5f35225bcc56b1643

Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.1

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Workstation 5

SRPM
xen-3.0.3-41.el5_1.5.src.rpm SHA-256: 8b8b9e047477b8f9db1060eb836b71f1e095f036bc4a012060434f09621483bf
x86_64
xen-3.0.3-41.el5_1.5.x86_64.rpm SHA-256: 180083c511510be140f59c4db132d2cce8acf8f0a5ee60537190cd93d0a5acd6
xen-devel-3.0.3-41.el5_1.5.i386.rpm SHA-256: 8d0b64727fa984053c721d48b6ce18b55b6958e96693dbbc10f76e79ed403dd2
xen-devel-3.0.3-41.el5_1.5.x86_64.rpm SHA-256: 494ac8272585f5288066d46d12b6611157a499e1d9738feac6cde926c5661083
xen-libs-3.0.3-41.el5_1.5.i386.rpm SHA-256: 4a7f7fad1a007d3ba659db357be998b1afdefbd1401918b5f35225bcc56b1643
xen-libs-3.0.3-41.el5_1.5.x86_64.rpm SHA-256: 4e1ae8bd709071c17d917f49296ccfe662436892f4da2c9d852760f7d938ca2f
i386
xen-3.0.3-41.el5_1.5.i386.rpm SHA-256: edf54f0f55f9a6aa26d0bfa29ff9635bfbc1a0763dbf443eb514b795a45afe6b
xen-devel-3.0.3-41.el5_1.5.i386.rpm SHA-256: 8d0b64727fa984053c721d48b6ce18b55b6958e96693dbbc10f76e79ed403dd2
xen-libs-3.0.3-41.el5_1.5.i386.rpm SHA-256: 4a7f7fad1a007d3ba659db357be998b1afdefbd1401918b5f35225bcc56b1643

Red Hat Enterprise Linux Desktop 5

SRPM
xen-3.0.3-41.el5_1.5.src.rpm SHA-256: 8b8b9e047477b8f9db1060eb836b71f1e095f036bc4a012060434f09621483bf
x86_64
xen-libs-3.0.3-41.el5_1.5.i386.rpm SHA-256: 4a7f7fad1a007d3ba659db357be998b1afdefbd1401918b5f35225bcc56b1643
xen-libs-3.0.3-41.el5_1.5.x86_64.rpm SHA-256: 4e1ae8bd709071c17d917f49296ccfe662436892f4da2c9d852760f7d938ca2f
i386
xen-libs-3.0.3-41.el5_1.5.i386.rpm SHA-256: 4a7f7fad1a007d3ba659db357be998b1afdefbd1401918b5f35225bcc56b1643

Red Hat Enterprise Linux Server from RHUI 5

SRPM
xen-3.0.3-41.el5_1.5.src.rpm SHA-256: 8b8b9e047477b8f9db1060eb836b71f1e095f036bc4a012060434f09621483bf
x86_64
xen-libs-3.0.3-41.el5_1.5.i386.rpm SHA-256: 4a7f7fad1a007d3ba659db357be998b1afdefbd1401918b5f35225bcc56b1643
xen-libs-3.0.3-41.el5_1.5.x86_64.rpm SHA-256: 4e1ae8bd709071c17d917f49296ccfe662436892f4da2c9d852760f7d938ca2f
i386
xen-libs-3.0.3-41.el5_1.5.i386.rpm SHA-256: 4a7f7fad1a007d3ba659db357be998b1afdefbd1401918b5f35225bcc56b1643

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.