GLSA 202009-14: Xen: Buffer overflow

Severity:	normal
Title:	Xen: Buffer overflow
Date:	09/29/2020
Bugs:	#738040
ID:	202009-14

Synopsis

A buffer overflow in Xen might allow remote attacker(s) to execute arbitrary code.

Background

Xen is a bare-metal hypervisor.

Affected packages

Package	Vulnerable	Unaffected	Architecture(s)
app-emulation/xen-tools	< 4.13.1-r3	>= 4.13.1-r3	All supported architectures
app-emulation/xen	< 4.13.1-r3	>= 4.13.1-r3	All supported architectures

Description

An out-of-bounds read/write access issue was found in the USB emulator when using QEMU.

Impact

A remote attacker could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All Xen users should upgrade to the latest version:

      # emerge --sync
      # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.13.1-r3"
    

All Xen tools users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=app-emulation/xen-tools-4.13.1-r3"

References

• XSA-335
• CVE-2020-14364

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-202009-14.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.