RHSA-2008:0892: Important: xen security and bug fix update

First published: Wed Oct 01 2008(Updated: )

The xen packages contain tools for managing the virtual machine monitor in<br>Red Hat Virtualization.<br>It was discovered that the hypervisor's para-virtualized framebuffer (PVFB)<br>backend failed to validate the frontend's framebuffer description properly.<br>This could allow a privileged user in the unprivileged domain (DomU) to<br>cause a denial of service, or, possibly, elevate privileges to the<br>privileged domain (Dom0). (CVE-2008-1952)<br>A flaw was found in the QEMU block format auto-detection, when running<br>fully-virtualized guests and using Qemu images written on removable media<br>(USB storage, 3.5" disks). Privileged users of such fully-virtualized<br>guests (DomU), with a raw-formatted disk image, were able to write a header<br>to that disk image describing another format. This could allow such guests<br>to read arbitrary files in their hypervisor's host (Dom0). (CVE-2008-1945)<br>Additionally, the following bug is addressed in this update:<br><li> The qcow-create command terminated when invoked due to glibc bounds</li> checking on the realpath() function.<br>Users of xen are advised to upgrade to these updated packages, which<br>resolve these security issues and fix this bug.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/severity
• agent/type
• agent/softwarecombine
• agent/first-publish-date
• agent/last-modified-date
• agent/references
• agent/title
• agent/remedy
• agent/description
• collector/redhat-errata
• source/Red Hat
• anchor-id/RHSA-2008:0892
• agent/software-canonical-lookup
• agent/event
• agent/trending
• agent/tags
• agent/source
• package-manager/redhat