Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <201402061723.s16HNeb9013898@linus.mitre.org>
Date: Thu, 6 Feb 2014 12:23:40 -0500 (EST)
From: cve-assign@...re.org
To: security@....org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Xen Security Advisory 84 - integer overflow in several XSM/Flask hypercalls

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We can provide the three CVE assignments for XSA-84 (as well as the
one CVE assignment for XSA-85 and the one CVE assignment for XSA-86).
However, could you please clarify:

> http://xenbits.xen.org/xsa/advisory-84.html

> UPDATES IN VERSION 2
> ====================
> 
> Public release.
> 
> The patch for 4.1 was extended to cover a few further similar issues.

Here, was the original scope of "The patch for 4.1" (before it was
extended) exclusively:

  "a different overflow issue on FLASK_{GET,SET}BOOL and expose
   unreasonably large memory allocation to arbitrary guests"

? Or do you mean that, originally, the "patch for 4.1" addressed
another vulnerability, and this "different overflow issue" was one of
the version-2 extensions to the scope of XSA-84?

Incidentally, we believe we need three CVE IDs for the current XSA-84
content because of:

> The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID
> suboperations of the flask hypercall are vulnerable to an integer
> overflow on the input size. The hypercalls attempt to allocate a
> buffer which is 1 larger than this size and is therefore vulnerable to
> integer overflow and an attempt to allocate then access a zero byte
> buffer.

the first CVE assignment will cover this


> Xen 3.3 through 4.1, while not affected by the above overflow, have a
> different overflow issue on FLASK_{GET,SET}BOOL and expose unreasonably
> large memory allocation to arbitrary guests.

a second CVE assignment will cover this second integer overflow (with
different affected versions than the first)


> Xen 3.2 (and presumably earlier) exhibit both problems, with the
> overflow issue being present for more than just the suboperations
> listed above.

the part of the 3.2 vulnerability associated with the first overflow,
for FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID, is
within the scope of the first CVE

the part of the 3.2 vulnerability associated with the second overflow,
for FLASK_{GET,SET}BOOL, is within the scope of the second CVE

all other vectors (e.g., other suboperations) that are applicable in
3.2, even if they are related to the first overflow or related to the
second overflow, will be covered by a third CVE

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS88RMAAoJEKllVAevmvmsHswIAMj0ZV70iAQsQPFw88gK8CfH
1l6e9PovP48waIROyLbsrJhlSe4ql5IWzMRVNosMrq/WStcF/bGXIKISV/VV5oEg
50AxrOI0U+aFNhIlkuOSfC+yuvMzwydPUPNCNZg/Oqxj0C9fzLkkWVlzvosqbwGm
24KuCbgKQKvFWHtadpLTSW3DNjfTS+YAol5PM1W4fJD2rLgYVyaOy/sh1JI2kdKy
RpsHH0uEmdf/8YdimJ4beFoxIzJVdnRbqsNIbJVudb9C4GpOK5NLdC+DNrUSIncP
hE2US1pv5W/VbAbUuy3kvEDe9HWW70yVkyXrWB9vDWhUDsLjiTgGN3doMtI1vds=
=xd2a
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.