LWN.net Logo


xen: multiple vulnerabilities

Package(s): xen
CVE #(s): CVE-2013-2194 CVE-2013-2195 CVE-2013-2196
Created: June 24, 2013
Updated: June 26, 2013
Description: From the Xen advisory:

The ELF parser used by the Xen tools to read domains' kernels and construct domains has multiple integer overflows, pointer dereferences based on calculations from unchecked input values, and other problems.

A malicious PV domain administrator who can specify their own kernel can escalate their privilege to that of the domain construction tools (i.e., normally, to control of the host).

Additionally a malicious HVM domain administrator who is able to supply their own firmware ("hvmloader") can do likewise; however we think this would be very unusual and it is unlikely that such configurations exist in production systems.
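
The advisory attributes the problems to integer overflows and to pointer dereferences calculated from unchecked input values. As an added illustration of that bug class (this is not code from Xen or from the advisory, and it does not reproduce the specific defects), the C below validates an ELF64 program header table and each PT_LOAD file range with a check that cannot wrap, next to the naive check that can. The type and function names are hypothetical, and a little-endian host reading a little-endian ELF64 image is assumed.

```c
#include <stdint.h>
#include <string.h>

/* ELF64 file header and program header layouts (64 and 56 bytes per the ELF64 spec). */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf64_hdr;
typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} elf64_phdr;

/* Unsafe form, for contrast: off + len wraps modulo 2^64 and the comparison passes. */
int range_ok_naive(uint64_t off, uint64_t len, uint64_t size) { return off + len <= size; }
/* Safe form: true when [off, off+len) lies inside `size` bytes; no sum is computed. */
int range_ok(uint64_t off, uint64_t len, uint64_t size) { return off <= size && len <= size - off; }

/* Return 0 if the program header table and every PT_LOAD range fit the image, else -1.
 * Assumption: little-endian host and little-endian ELF64 image. */
int elf_check_image(const unsigned char *img, uint64_t size) {
    elf64_hdr eh; elf64_phdr ph;
    if (size < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\177ELF", 4) != 0 || eh.e_ident[4] != 2) return -1;
    if (eh.e_phentsize < sizeof ph) return -1;       /* each entry must hold a full phdr */
    /* a 16-bit count times a 16-bit entry size cannot overflow 64 bits */
    if (!range_ok(eh.e_phoff, (uint64_t)eh.e_phnum * eh.e_phentsize, size)) return -1;
    for (uint32_t i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, img + eh.e_phoff + (uint64_t)i * eh.e_phentsize, sizeof ph);
        if (ph.p_type != 1) continue;                /* 1 = PT_LOAD */
        if (!range_ok(ph.p_offset, ph.p_filesz, size)) return -1;
        if (ph.p_filesz > ph.p_memsz || ph.p_memsz > UINT64_MAX - ph.p_vaddr) return -1;
    }
    return 0;
}

/* Constructed sample: a 256-byte image with one PT_LOAD entry using the given file range. */
int check_sample(uint64_t p_offset, uint64_t p_filesz) {
    unsigned char img[256] = {0};
    elf64_hdr eh = {0}; elf64_phdr ph = {0};
    memcpy(eh.e_ident, "\177ELF\2\1\1", 7);          /* magic, ELFCLASS64, LSB, version 1 */
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = 1; ph.p_offset = p_offset; ph.p_filesz = ph.p_memsz = p_filesz;
    memcpy(img, &eh, sizeof eh);
    memcpy(img + sizeof eh, &ph, sizeof ph);
    return elf_check_image(img, sizeof img);
}
```

A segment offset of `UINT64_MAX - 15` with a length of 32 passes the naive comparison because the sum wraps to 16, while `range_ok` and `elf_check_image` reject it.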

Alerts:
Fedora FEDORA-2013-10941 2013-06-24
Fedora FEDORA-2013-10929 2013-06-24
Mageia MGASA-2013-0197 2013-07-01
SUSE SUSE-SU-2013:1314-1 2013-08-09
Gentoo 201309-24 2013-09-27


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds