WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-changelog

[Xen-changelog] [xen-unstable] xenmon: Fix security vulnerability CVE-20

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] xenmon: Fix security vulnerability CVE-2007-3919.
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 23 Oct 2007 06:10:07 -0700
Delivery-date: Tue, 23 Oct 2007 06:10:26 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir@xxxxxxxxxxxxx>
# Date 1193128003 -3600
# Node ID b28ae5f00553ea053bd4e4576634d8ea49e77bc3
# Parent  118a21c66fd53a08d7191159e5b2888f8d9e4ad2
xenmon: Fix security vulnerability CVE-2007-3919.

The xenbaked daemon and xenmon utility communicate via a mmap'ed
shared file. Since this file is located in /tmp, unprivileged users
can cause arbitrary files to be truncated by creating a symlink from
the well-known /tmp filename to e.g., /etc/passwd.

The fix is to place the shared file in a directory to which only root
should have access (in this case /var/run/).

This bug was reported, and the fix suggested, by Steve Kemp
<skx@xxxxxxxxxx>. Thanks!

Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
---
 tools/xenmon/xenbaked.c |    2 +-
 tools/xenmon/xenmon.py  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff -r 118a21c66fd5 -r b28ae5f00553 tools/xenmon/xenbaked.c
--- a/tools/xenmon/xenbaked.c   Mon Oct 22 21:06:11 2007 +0100
+++ b/tools/xenmon/xenbaked.c   Tue Oct 23 09:26:43 2007 +0100
@@ -589,7 +589,7 @@ error_t cmd_parser(int key, char *arg, s
     return 0;
 }
 
-#define SHARED_MEM_FILE "/tmp/xenq-shm"
+#define SHARED_MEM_FILE "/var/run/xenq-shm"
 void alloc_qos_data(int ncpu)
 {
     int i, n, pgsize, off=0;
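Review bot: the new SHARED_MEM_FILE value makes the fix depend entirely on /var/run not being writable by unprivileged users, which the commit message itself states only as "should". The diffstat shows this define is the only line changed in xenbaked.c, so the code that opens and sizes the file is untouched and would still follow a symlink if the directory were ever writable by another user. Suggest opening the file with O_NOFOLLOW and checking it with fstat before resizing, and adding a comment at the define saying why the path must not be in a world-writable directory.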
diff -r 118a21c66fd5 -r b28ae5f00553 tools/xenmon/xenmon.py
--- a/tools/xenmon/xenmon.py    Mon Oct 22 21:06:11 2007 +0100
+++ b/tools/xenmon/xenmon.py    Tue Oct 23 09:26:43 2007 +0100
@@ -46,7 +46,7 @@ QOS_DATA_SIZE = struct.calcsize(ST_QDATA
 QOS_DATA_SIZE = struct.calcsize(ST_QDATA)*NSAMPLES + 
struct.calcsize(ST_DOM_INFO)*NDOMAINS + struct.calcsize("4i")
 
 # location of mmaped file, hard coded right now
-SHM_FILE = "/tmp/xenq-shm"
+SHM_FILE = "/var/run/xenq-shm"
 
 # format strings
 TOTALS = 15*' ' + "%6.2f%%" + 35*' ' + "%6.2f%%"
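Review bot: SHM_FILE duplicates the SHARED_MEM_FILE string from xenbaked.c, and the comment above it still only says "hard coded right now", so the two paths have to be kept in step by hand, as this patch does. A mismatch would leave xenmon.py mapping a missing or stale file; suggest extending the comment to say the value must match xenbaked.c and must stay out of world-writable directories, or deriving both from one build-time setting. The patch also does not remove a /tmp/xenq-shm left over from an earlier run, which is worth a line in the release notes.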

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
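
The symlink truncation described in the commit message can also be refused at open time, whichever directory holds the file. The following is an added example, not code from the Xen tree or from this patch; `open_shared_file`, `demo` and the temporary paths are constructed for illustration, and it assumes a POSIX system that supports `O_NOFOLLOW`.

```python
import os
import stat
import tempfile


def open_shared_file(path, size):
    """Open or create the shared file without following a symlink, then size it."""
    flags = os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # fails (ELOOP) if the final component is a symlink
    try:
        st = os.fstat(fd)  # inspect the object actually opened, not the path
        if not stat.S_ISREG(st.st_mode):
            raise OSError("shared file is not a regular file")
        if st.st_uid != os.geteuid():
            raise OSError("shared file is owned by another user")
        if st.st_nlink != 1:
            raise OSError("shared file has extra hard links")
        os.ftruncate(fd, size)  # resize only after the checks have passed
    except OSError:
        os.close(fd)
        raise
    return fd


def demo():
    """Constructed scenario: a symlink sits at the well-known file name."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        with open(victim, "w") as f:
            f.write("important data\n")
        shm = os.path.join(d, "xenq-shm")
        os.symlink(victim, shm)
        try:
            os.close(open_shared_file(shm, 4096))
            refused = False
        except OSError:
            refused = True
        with open(victim) as f:
            intact = f.read() == "important data\n"
        os.unlink(shm)  # with the symlink gone, normal creation works
        fd = open_shared_file(shm, 4096)
        created_size = os.fstat(fd).st_size
        os.close(fd)
        return refused, intact, created_size
```
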
