SB2012110202 - Input validation error in xen (Alpine package)
Published: November 2, 2012
Security Bulletin ID
SB2012110202
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2012-4544)
The vulnerability allows a local non-authenticated attacker to perform service disruption.
The PV domain builder in Xen 4.2 and earlier does not validate the size of the kernel or ramdisk (1) before or (2) after decompression, which allows local guest administrators to cause a denial of service (domain 0 memory consumption) via a crafted (a) kernel or (b) ramdisk.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=119185999980a6a6a78506a6b49e1a70ab55ad03
- https://git.alpinelinux.org/aports/commit/?id=a11d8b693286b605b2dfa17cbd3556eac2b951a0
- https://git.alpinelinux.org/aports/commit/?id=4be65a1c37ff21c3fec2e78bca2dd7b75dee98b9
- https://git.alpinelinux.org/aports/commit/?id=d624497503dfe70fcb678e9541505c2f095875fd