Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow.
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00935.html
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00706.html
https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00082.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10315
http://www.vupen.com/english/advisories/2007/1597
http://www.securityfocus.com/bid/23731
http://www.redhat.com/support/errata/RHSA-2007-0323.html
http://www.mandriva.com/security/advisories?name=MDVSA-2008:162
http://www.mandriva.com/security/advisories?name=MDKSA-2007:203
http://www.debian.org/security/2007/dsa-1384
http://www.debian.org/security/2007/dsa-1284
http://taviso.decsystem.org/virtsec.pdf
http://secunia.com/advisories/33568
http://secunia.com/advisories/30413
http://secunia.com/advisories/29129
http://secunia.com/advisories/27486
http://secunia.com/advisories/27103
http://secunia.com/advisories/27085
http://secunia.com/advisories/27047
http://secunia.com/advisories/25095
http://secunia.com/advisories/25073
http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00004.html