
Re: [Xen-devel] [oss-security] Xen Security Advisory 57 - libxl allows guest write access to sensitive console related xenstore keys




On 06/21/2013 04:07 AM, Xen.org security team wrote:
> Xen Security Advisory XSA-57 version 3
> 
> libxl allows guest write access to sensitive console related
> xenstore keys
> 
> UPDATES IN VERSION 3
> ====================
> 
> Public release.
> 
> ISSUE DESCRIPTION
> =================
> 
> The libxenlight (libxl) toolstack library does not correctly set 
> permissions on xenstore keys relating to paravirtualised and
> emulated serial console devices. This could allow a malicious
> guest administrator to change values in xenstore which the host
> later relies on being implicitly trusted.
> 
> This vulnerability has not yet been assigned a CVE Candidate number
> by MITRE.  We will issue an updated version of XSA-57 when this is 
> available.

Please use CVE-2013-2211 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 

