[Xen-changelog] [xen-3.1-testing] Fix security vulnerability CVE-2007-4993.
# HG changeset patch
# User Keir Fraser <keir@xxxxxxxxxxxxx>
# Date 1190709614 -3600
# Node ID e441bb07066c826bd74b057768cfa916f558ceec
# Parent 02a3eb16f695503c5355885aecb07b32f58db41e
Fix security vulnerability CVE-2007-4993.
Protect pygrub from possible malicious content in guest grub config file. This fixes CVE-2007-4993. Original patch from Jeremy Katz, I updated to close 2 remaining issues pointed out by Christian and Keir, and to use setattr(self, ...).
Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
xen-unstable changeset: 15953:70bb28b62ffb01d929166a5a37129efc5445c593
xen-unstable date: Tue Sep 25 09:34:36 2007 +0100
---
tools/pygrub/src/GrubConf.py | 28 ++++++++++++++--------------
tools/pygrub/src/LiloConf.py | 16 ++++++++--------
2 files changed, 22 insertions(+), 22 deletions(-)
diff -r 02a3eb16f695 -r e441bb07066c tools/pygrub/src/GrubConf.py
--- a/tools/pygrub/src/GrubConf.py Mon Sep 24 21:50:00 2007 +0100
+++ b/tools/pygrub/src/GrubConf.py Tue Sep 25 09:40:14 2007 +0100
@@ -101,7 +101,7 @@ class GrubImage(object):
if self.commands.has_key(com):
if self.commands[com] is not None:
- exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))
+ setattr(self, self.commands[com], arg.strip())
else:
logging.info("Ignored image directive %s" %(com,))
else:
@@ -142,11 +142,11 @@ class GrubImage(object):
initrd = property(get_initrd, set_initrd)
# set up command handlers
- commands = { "title": "self.title",
- "root": "self.root",
- "rootnoverify": "self.root",
- "kernel": "self.kernel",
- "initrd": "self.initrd",
+ commands = { "title": "title",
+ "root": "root",
+ "rootnoverify": "root",
+ "kernel": "kernel",
+ "initrd": "initrd",
"chainloader": None,
"module": None}
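Review bot: The same lookup-and-assign sequence is patched here in GrubImage and again in both GrubConfigFile hunks, in LiloImage and in LiloConfigFile, so this fix had to be made five times; a small shared helper would leave a single place to audit. The new `setattr(self, self.commands[com], arg.strip())` is safe only because the attribute name comes from the class's fixed `commands` table and only the value comes from the guest config, and that should be stated next to the call: `# name comes from the fixed commands table; arg is guest-controlled and is stored as data, never evaluated`. A regression test that passes a value containing a double quote and checks it is stored verbatim would pin the new behaviour. The enclosing method starts and ends outside the hunk.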
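Review bot: The comment `# set up command handlers` above the table no longer describes it, because after this change the values are attribute names passed to `setattr` rather than expressions, and `None` marks a directive that is recognised but ignored. I would reword it to `# directive -> attribute name assigned via setattr(); None = recognised but ignored` and add that every non-None value must name an attribute or property of this class, since the table is now the allow-list of what a guest config can set. The same applies to the tables in the GrubConfigFile hunk and in the LiloImage hunk of LiloConf.py.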
@@ -195,7 +195,7 @@ class GrubConfigFile(object):
(com, arg) = grub_exact_split(l, 2)
if self.commands.has_key(com):
if self.commands[com] is not None:
- exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))
+ setattr(self, self.commands[com], arg.strip())
else:
logging.info("Ignored directive %s" %(com,))
else:
@@ -208,7 +208,7 @@ class GrubConfigFile(object):
(com, arg) = grub_exact_split(line, 2)
if self.commands.has_key(com):
if self.commands[com] is not None:
- exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))
+ setattr(self, self.commands[com], arg.strip())
else:
logging.info("Ignored directive %s" %(com,))
else:
@@ -236,12 +236,12 @@ class GrubConfigFile(object):
splash = property(get_splash, set_splash)
# set up command handlers
- commands = { "default": "self.default",
- "timeout": "self.timeout",
- "fallback": "self.fallback",
- "hiddenmenu": "self.hiddenmenu",
- "splashimage": "self.splash",
- "password": "self.password" }
+ commands = { "default": "default",
+ "timeout": "timeout",
+ "fallback": "fallback",
+ "hiddenmenu": "hiddenmenu",
+ "splashimage": "splash",
+ "password": "password" }
for c in ("bootp", "color", "device", "dhcp", "hide", "ifconfig", "pager", "partnew", "parttype", "rarp", "serial", "setkey", "terminal", "terminfo", "tftpserver", "unhide"):
diff -r 02a3eb16f695 -r e441bb07066c tools/pygrub/src/LiloConf.py
--- a/tools/pygrub/src/LiloConf.py Mon Sep 24 21:50:00 2007 +0100
+++ b/tools/pygrub/src/LiloConf.py Tue Sep 25 09:40:14 2007 +0100
@@ -30,7 +30,7 @@ class LiloImage(object):
if self.commands.has_key(com):
if self.commands[com] is not None:
- exec("%s = r\'%s\'" %(self.commands[com], re.sub('^"(.+)"$', r"\1", arg.strip())))
+ setattr(self, self.commands[com], re.sub('^"(.+)"$', r"\1", arg.strip()))
else:
logging.info("Ignored image directive %s" %(com,))
else:
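Review bot: The pattern on the new `setattr` line in LiloImage, `'^"(.+)"$'`, is the only normalisation applied to a guest-supplied LILO value before it is stored, and it removes a surrounding pair of double quotes only when at least one character sits between them, so `""` and a value with a single unmatched quote are kept as written. If that is intended, say so in a comment above the call, for example `# strip one pair of surrounding double quotes; anything else in the guest-supplied value is kept verbatim`; writing the pattern as a raw string, `r'^"(.+)"$'`, would also match the replacement argument next to it. The code that later consumes `title`, `kernel`, `initrd` and `args` is not visible here and should treat these strings as untrusted. The enclosing method continues outside the hunk.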
@@ -56,12 +56,12 @@ class LiloImage(object):
initrd = property(get_initrd, set_initrd)
# set up command handlers
- commands = { "label": "self.title",
- "root": "self.root",
- "rootnoverify": "self.root",
- "image": "self.kernel",
- "initrd": "self.initrd",
- "append": "self.args",
+ commands = { "label": "title",
+ "root": "root",
+ "rootnoverify": "root",
+ "image": "kernel",
+ "initrd": "initrd",
+ "append": "args",
"read-only": None,
"chainloader": None,
"module": None}
@@ -111,7 +111,7 @@ class LiloConfigFile(object):
(com, arg) = GrubConf.grub_exact_split(l, 2)
if self.commands.has_key(com):
if self.commands[com] is not None:
- exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))
+ setattr(self, self.commands[com], arg.strip())
else:
logging.info("Ignored directive %s" %(com,))
else:
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog