Re: [Xen-devel] Xen Security Advisory 99 - unexpected pitfall in xenaccess API
(dropping announce lists)

On Tue, 2014-06-17 at 06:50 -0700, Andres Lagar Cavilla wrote:
> The helper would have been thrown off balance, and failed to audit
> something at worst. Maybe this means a security problem down the line
> for that helper toolchain, but outside the purview of the hypervisor.

The purpose of this advisory was to provide a heads-up to the authors of those toolchains so that they could check for such issues in their code.

I think you need to reread the advisory, especially the IMPACT and VULNERABLE SYSTEMS sections, which I think make it pretty clear that the issue is third-party consumers of the xenaccess API which may have inadvertently implemented vulnerable code by following the example.

> I see how helpers may be thrown totally off balance. I see self-DoS,
> but still do not see privilege escalation happening.

We don't know what people have implemented using these mechanisms. Are you so confident that you can completely rule it out for 100% of those use cases?

The right thing for us to do was to warn people, so that is what we have done.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel