[Oraclevm-errata] OVMSA-2012-0039 Important: Oracle VM 3.1 xen Security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Wed Sep 5 09:42:06 PDT 2012


Oracle VM Security Advisory OVMSA-2012-0039

The following updated rpms for Oracle VM 3.1 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
xen-4.1.2-18.el5.14.x86_64.rpm
xen-devel-4.1.2-18.el5.14.x86_64.rpm
xen-tools-4.1.2-18.el5.14.x86_64.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/3.1/SRPMS-updates/xen-4.1.2-18.el5.14.src.rpm 




Description of changes:

[4.1.2-18.el5.14]
- console: bounds check whenever changing the cursor due to an escape code
   The device model used by fully virtualised (HVM) domains, qemu, does
   not properly handle escape VT100 sequences when emulating certain
   devices with a virtual console backend.
   Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
   Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 14555087] {CVE-2012-3515}

[4.1.2-18.el5.13]
- x86/pvhvm: properly range-check PHYSDEVOP_map_pirq/MAP_PIRQ_TYPE_GSI
   PHYSDEVOP_map_pirq with MAP_PIRQ_TYPE_GSI does not range check
   map->index.
   This is being used as an array index, and hence must be validated before
   use.
   A malicious HVM guest kernel can crash the host.  It might also be
   able to read hypervisor or guest memory.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 14555053] {CVE-2012-3496}

[4.1.2-18.el5.12]
- xen: Don't BUG_ON() PoD operations on a non-translated guest.
   XENMEM_populate_physmap can be called with invalid flags.  By calling
   it with MEMF_populate_on_demand flag set, a BUG can be triggered if a
   translating paging mode is not being used.
   Signed-off-by: Tim Deegan <tim at xen.org>
   Reviewed-by: Ian Campbell <ian.campbell at citrix.com>
   Tested-by: Ian Campbell <ian.campbell at citrix.com>
   Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 14555002] {CVE-2012-3496}

[4.1.2-18.el5.11]
- xen: handle out-of-pirq condition correctly in PHYSDEVOP_get_free_pirq
   PHYSDEVOP_get_free_pirq does not check that its call to get_free_pirq
   succeeded, and if it fails will use the error code as an array index.
   Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
   Signed-off-by: Jan Beulich <JBeulich at suse.com>
   Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 14554982] {CVE-2012-3495}

[4.1.2-18.el5.10]
- xen: prevent a 64 bit guest setting reserved bits in DR7
   The upper 32 bits of this register are reserved and should be written as zero.
   Signed-off-by: Jan Beulich <jbeulich at suse.com>
   Reviewed-by: Ian Campbell <ian.campbell at citrix.com>
   Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug 14554864] {CVE-2012-3494}
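
A patch-state check built from the changelog above, as an added example that is not part of Oracle's advisory: it maps an installed xen version-release to the CVEs from this errata that the build does not yet carry. The function name missing_fixes and the FIXES table are assumptions of this example, as is treating the final release number as increasing with each build; the sample versions other than 4.1.2-18.el5.14 are constructed.

```shell
#!/bin/sh
# Added example, not Oracle's tooling. missing_fixes and FIXES are
# hypothetical names chosen for this illustration.

# Final release number N of 4.1.2-18.el5.N -> CVE fixed in that build,
# exactly as listed in the advisory changelog.
FIXES="10:CVE-2012-3494
11:CVE-2012-3495
12:CVE-2012-3496
13:CVE-2012-3496
14:CVE-2012-3515"

# missing_fixes VERSION-RELEASE
# Prints (space separated) the CVEs from this advisory that the given xen
# build lacks; prints nothing when the build is at or past el5.14.
# Only the 4.1.2-18.el5.N series is understood; any other string prints
# "unknown" with status 2 so it is never mistaken for "patched".
missing_fixes() (
    vr="$1"
    case "$vr" in
        4.1.2-18.el5.*) n="${vr#4.1.2-18.el5.}" ;;
        *) echo "unknown"; exit 2 ;;
    esac
    # N must be a plain non-negative integer (rejects "14.1", "14beta", "").
    case "$n" in ''|*[!0-9]*) echo "unknown"; exit 2 ;; esac
    out=""
    while IFS=: read -r rel cve; do
        if [ "$n" -lt "$rel" ]; then
            # CVE-2012-3496 is listed for two builds; report it once.
            case " $out " in *" $cve "*) ;; *) out="$out $cve" ;; esac
        fi
    done <<EOF
$FIXES
EOF
    echo "${out# }"
)

# On a real Oracle VM 3.1 server the argument would come from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' xen
# Constructed sample inputs so the script runs offline:
for v in 4.1.2-18.el5.9 4.1.2-18.el5.12 4.1.2-18.el5.14 4.0.0-1.el5; do
    printf '%-18s missing: %s\n' "$v" "$(missing_fixes "$v")"
done
```

Run the same check against xen-devel and xen-tools, since the advisory ships all three packages at the same release.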




