WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 

[Xen-changelog] [xen-3.1-testing] xenmon: Fix security vulnerability CVE

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-3.1-testing] xenmon: Fix security vulnerability CVE-2007-3919.
From: "Xen patchbot-3.1-testing" <patchbot-3.1-testing@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 23 Oct 2007 11:50:18 -0700
Delivery-date: Tue, 23 Oct 2007 11:50:37 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir@xxxxxxxxxxxxx>
# Date 1193128091 -3600
# Node ID aabd605972394f27be773ad0f9a1a43fb1701883
# Parent  5714079b8202e8622671e381c089a7810cb81b09
xenmon: Fix security vulnerability CVE-2007-3919.

The xenbaked daemon and xenmon utility communicate via a mmap'ed
shared file. Since this file is located in /tmp, unprivileged users
can cause arbitrary files to be truncated by creating a symlink from
the well-known /tmp filename to e.g., /etc/passwd.

The fix is to place the shared file in a directory to which only root
should have access (in this case /var/run/).

This bug was reported, and the fix suggested, by Steve Kemp
<skx@xxxxxxxxxx>. Thanks!

Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
xen-unstable changeset:   16157:b28ae5f00553ea053bd4e4576634d8ea49e77bc3
xen-unstable date:        Tue Oct 23 09:26:43 2007 +0100
---
 tools/xenmon/xenbaked.c |    2 +-
 tools/xenmon/xenmon.py  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff -r 5714079b8202 -r aabd60597239 tools/xenmon/xenbaked.c
--- a/tools/xenmon/xenbaked.c   Sat Oct 20 09:36:31 2007 +0100
+++ b/tools/xenmon/xenbaked.c   Tue Oct 23 09:28:11 2007 +0100
@@ -593,7 +593,7 @@ error_t cmd_parser(int key, char *arg, s
     return 0;
 }
 
-#define SHARED_MEM_FILE "/tmp/xenq-shm"
+#define SHARED_MEM_FILE "/var/run/xenq-shm"
 void alloc_qos_data(int ncpu)
 {
     int i, n, pgsize, off=0;
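Review bot: Changing only the `SHARED_MEM_FILE` path leaves the way `alloc_qos_data()` opens the file untouched, and that open call is not visible in this hunk. If it still creates or truncates the file while following symlinks, the protection rests entirely on /var/run being writable by root alone, which the commit message says "should" be the case. Consider also opening with O_NOFOLLOW (and O_EXCL on first creation) and a restrictive mode, so that a misconfigured directory does not reintroduce the truncation.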
diff -r 5714079b8202 -r aabd60597239 tools/xenmon/xenmon.py
--- a/tools/xenmon/xenmon.py    Sat Oct 20 09:36:31 2007 +0100
+++ b/tools/xenmon/xenmon.py    Tue Oct 23 09:28:11 2007 +0100
@@ -46,7 +46,7 @@ QOS_DATA_SIZE = struct.calcsize(ST_QDATA
 QOS_DATA_SIZE = struct.calcsize(ST_QDATA)*NSAMPLES + 
struct.calcsize(ST_DOM_INFO)*NDOMAINS + struct.calcsize("4i")
 
 # location of mmaped file, hard coded right now
-SHM_FILE = "/tmp/xenq-shm"
+SHM_FILE = "/var/run/xenq-shm"
 
 # format strings
 TOTALS = 15*' ' + "%6.2f%%" + 35*' ' + "%6.2f%%"
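Review bot: The comment above `SHM_FILE` still says only "hard coded right now", while the same literal now has to match `SHARED_MEM_FILE` in tools/xenmon/xenbaked.c for the two programs to find each other. Extend the comment to say so, or take the path from one shared definition, so that a future move does not update one side and leave the other pointing at the old location.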

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
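
The commit message above describes truncation through a symlink planted at a well-known filename. As an added example (not code from the Xen tree), the following C opens such a backing file so that a symlink is refused rather than followed, and includes a constructed self-check; the names `open_shm_file` and `symlink_is_refused` are hypothetical, and Linux behaviour (ELOOP from O_NOFOLLOW) is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open (or create) the backing file without following
 * a symlink and without O_TRUNC, validate it, then size it. Returns fd or -1. */
int open_shm_file(const char *path, off_t size)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                      /* ELOOP if path is a symlink */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);                      /* not our own plain file: refuse */
        errno = EPERM;
        return -1;
    }
    if (ftruncate(fd, size) < 0) {      /* resize only after validation */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check: place a symlink at the expected name pointing at
 * a victim file, then confirm the open is refused and the victim is intact. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/shm-demo-XXXXXX", victim[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/xenq-shm", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return 0;
    fputs("keep me\n", f); fclose(f);   /* 8 bytes of constructed content */
    if (symlink(victim, lnk) < 0) return 0;
    int fd = open_shm_file(lnk, 4096);
    int refused = (fd < 0 && errno == ELOOP);
    int intact = (stat(victim, &st) == 0 && st.st_size == 8);
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(victim); rmdir(dir);
    return refused && intact;
}
```

The ownership and link-count checks also reject a regular file that another user created at the path in advance, which O_NOFOLLOW alone does not cover.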
