Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to “attempting to mark non-existent regions as dirty,” aka the “bitblt” heap overflow.
lists.opensuse.org/opensuse-security-announce/2009-01/msg00004.html
osvdb.org/35494
secunia.com/advisories/25073
secunia.com/advisories/25095
secunia.com/advisories/27047
secunia.com/advisories/27085
secunia.com/advisories/27103
secunia.com/advisories/27486
secunia.com/advisories/29129
secunia.com/advisories/30413
secunia.com/advisories/33568
taviso.decsystem.org/virtsec.pdf
www.debian.org/security/2007/dsa-1284
www.debian.org/security/2007/dsa-1384
www.mandriva.com/security/advisories?name=MDKSA-2007:203
www.mandriva.com/security/advisories?name=MDVSA-2008:162
www.redhat.com/support/errata/RHSA-2007-0323.html
www.securityfocus.com/bid/23731
www.vupen.com/english/advisories/2007/1597
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10315
www.redhat.com/archives/fedora-package-announce/2007-October/msg00082.html
www.redhat.com/archives/fedora-package-announce/2008-May/msg00706.html
www.redhat.com/archives/fedora-package-announce/2008-May/msg00935.html