Bugzilla Bug 196898

author:         Keir Fraser <keir@xensource.com>
date:   Tue Oct 23 09:26:43 2007 +0100 (24 hours ago)
files:  tools/xenmon/xenbaked.c tools/xenmon/xenmon.py
description:    xenmon: Fix security vulnerability CVE-2007-3919.

The xenbaked daemon and xenmon utility communicate via a mmap'ed
shared file. Since this file is located in /tmp, unprivileged users
can cause arbitrary files to be truncated by creating a symlink from
the well-known /tmp filename to e.g., /etc/passwd.

The fix is to place the shared file in a directory to which only root
should have access (in this case /var/run/).

This bug was reported, and the fix suggested, by Steve Kemp
<skx@debian.org>. Thanks!

Signed-off-by: Keir Fraser <keir@xensource.com>

--- a/tools/xenmon/xenbaked.c   Mon Oct 22 21:06:11 2007 +0100
+++ b/tools/xenmon/xenbaked.c   Tue Oct 23 09:26:43 2007 +0100
@@ -589,7 +589,7 @@ error_t cmd_parser(int key, char *arg, s
     return 0;
 }

-#define SHARED_MEM_FILE "/tmp/xenq-shm"
+#define SHARED_MEM_FILE "/var/run/xenq-shm"
 void alloc_qos_data(int ncpu)
 {
     int i, n, pgsize, off=0;

--- a/tools/xenmon/xenmon.py    Mon Oct 22 21:06:11 2007 +0100
+++ b/tools/xenmon/xenmon.py    Tue Oct 23 09:26:43 2007 +0100
@@ -46,7 +46,7 @@ QOS_DATA_SIZE = struct.calcsize(ST_QDATA
 QOS_DATA_SIZE = struct.calcsize(ST_QDATA)*NSAMPLES +
struct.calcsize(ST_DOM_INFO)*NDOMAINS + struct.calcsize("4i")

 # location of mmaped file, hard coded right now
-SHM_FILE = "/tmp/xenq-shm"
+SHM_FILE = "/var/run/xenq-shm"

 # format strings
 TOTALS = 15*' ' + "%6.2f%%" + 35*' ' + "%6.2f%%"

*** This bug has been marked as a duplicate of bug 196824 ***

marineam is just too fast for us to track xen bugs.
(and sven too fast for me)