Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow.
http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00004.html
http://secunia.com/advisories/25073
http://secunia.com/advisories/25095
http://secunia.com/advisories/27047
http://secunia.com/advisories/27085
http://secunia.com/advisories/27103
http://secunia.com/advisories/27486
http://secunia.com/advisories/29129
http://secunia.com/advisories/30413
http://secunia.com/advisories/33568
http://taviso.decsystem.org/virtsec.pdf
http://www.debian.org/security/2007/dsa-1284
http://www.debian.org/security/2007/dsa-1384
http://www.mandriva.com/security/advisories?name=MDKSA-2007:203
http://www.mandriva.com/security/advisories?name=MDVSA-2008:162
http://www.redhat.com/support/errata/RHSA-2007-0323.html
http://www.securityfocus.com/bid/23731
http://www.vupen.com/english/advisories/2007/1597
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10315
https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00082.html
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00706.html
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00935.html