[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-3.1-testing] xenmon: Fix security vulnerability CVE-2007-3919.

# HG changeset patch
# User Keir Fraser <keir@xxxxxxxxxxxxx>
# Date 1193128091 -3600
# Node ID aabd605972394f27be773ad0f9a1a43fb1701883
# Parent  5714079b8202e8622671e381c089a7810cb81b09
xenmon: Fix security vulnerability CVE-2007-3919.

The xenbaked daemon and xenmon utility communicate via a mmap'ed
shared file. Since this file is located in /tmp, unprivileged users
can cause arbitrary files to be truncated by creating a symlink from
the well-known /tmp filename to e.g., /etc/passwd.

The fix is to place the shared file in a directory to which only root
should have access (in this case /var/run/).

This bug was reported, and the fix suggested, by Steve Kemp
<skx@xxxxxxxxxx>. Thanks!

Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
xen-unstable changeset:   16157:b28ae5f00553ea053bd4e4576634d8ea49e77bc3
xen-unstable date:        Tue Oct 23 09:26:43 2007 +0100
---
 tools/xenmon/xenbaked.c |    2 +-
 tools/xenmon/xenmon.py  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff -r 5714079b8202 -r aabd60597239 tools/xenmon/xenbaked.c
--- a/tools/xenmon/xenbaked.c   Sat Oct 20 09:36:31 2007 +0100
+++ b/tools/xenmon/xenbaked.c   Tue Oct 23 09:28:11 2007 +0100
@@ -593,7 +593,7 @@ error_t cmd_parser(int key, char *arg, s
     return 0;
 }
 
-#define SHARED_MEM_FILE "/tmp/xenq-shm"
+#define SHARED_MEM_FILE "/var/run/xenq-shm"
 void alloc_qos_data(int ncpu)
 {
     int i, n, pgsize, off=0;
diff -r 5714079b8202 -r aabd60597239 tools/xenmon/xenmon.py
--- a/tools/xenmon/xenmon.py    Sat Oct 20 09:36:31 2007 +0100
+++ b/tools/xenmon/xenmon.py    Tue Oct 23 09:28:11 2007 +0100
@@ -46,7 +46,7 @@ QOS_DATA_SIZE = struct.calcsize(ST_QDATA
 QOS_DATA_SIZE = struct.calcsize(ST_QDATA)*NSAMPLES + 
struct.calcsize(ST_DOM_INFO)*NDOMAINS + struct.calcsize("4i")
 
 # location of mmaped file, hard coded right now
-SHM_FILE = "/tmp/xenq-shm"
+SHM_FILE = "/var/run/xenq-shm"
 
 # format strings
 TOTALS = 15*' ' + "%6.2f%%" + 35*' ' + "%6.2f%%"

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.