196824 – app-emulation/xen-tools Insecure temporary file creation in xenmon.py (CVE-2007-3919)

Bug 196824 - app-emulation/xen-tools Insecure temporary file creation in xenmon.py (CVE-2007-3919)

Summary: app-emulation/xen-tools Insecure temporary file creation in xenmon.py (CVE-20...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://xenbits.xensource.com/xen-unst...
Whiteboard:	~3 [noglsa]
Keywords:

Duplicates (1):	196898 (view as bug list)
Depends on:
Blocks:

Reported:	2007-10-23 18:45 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified:	2007-10-24 11:04 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-10-23 18:45:06 UTC

The xenbaked daemon and xenmon utility communicate via a mmap'ed
 shared file. Since this file is located in /tmp, unprivileged users
 can cause arbitrary files to be truncated by creating a symlink from
 the well-known /tmp filename to e.g., /etc/passwd.
 
 The fix is to place the shared file in a directory to which only root
 should have access (in this case /var/run/).
 
 This bug was reported, and the fix suggested, by Steve Kemp
 <skx@debian.org>. Thanks!
 
 Signed-off-by: Keir Fraser <keir@xensource.com>

Comment 1 Micheal Marineau (RETIRED) gentoo-dev

2007-10-23 19:11:46 UTC

Now fixed in:
xen-tools-3.0.4_p1-r2
xen-tools-3.1.0-r2
xen-tools-3.1.1-r1

Cheers,

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-10-23 19:38:36 UTC

Thx Michael for the quick response.

Comment 3 Sven Wegener gentoo-dev

2007-10-24 11:04:49 UTC

*** Bug 196898 has been marked as a duplicate of this bug. ***