Pkg xen devel - Jul 2008 - Bug#490409: CVE-2008-2004: privilege escalation

Package: xen-3
Severity: grave
Tags: security
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xen-3.

CVE-2008-2004[0]:
| The drive_init function in QEMU 0.9.1 determines the format of a raw
| disk image based on the header, which allows local guest users to read
| arbitrary files on the host by modifying the header to identify a
| different format, which is used when the guest is restarted.

The patch for qemu can be found here[1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2004
    http://security-tracker.debian.net/tracker/CVE-2008-2004

[1]
http://svn.savannah.gnu.org/viewvc/trunk/vl.c?root=qemu&r1=4277&r2=4276&pathrev=4277

At 1215850041 time_t, Steffen Joeris wrote:
> CVE-2008-2004[0]:
> | The drive_init function in QEMU 0.9.1 determines the format of a raw
> | disk image based on the header, which allows local guest users to read
> | arbitrary files on the host by modifying the header to identify a
> | different format, which is used when the guest is restarted.
> 
> The patch for qemu can be found here[1].
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
I took a look on Fedora repository, and I got
this for Fedora 7 (Xen 3.0):
http://cvs.fedora.redhat.com/viewcvs/*checkout*/rpms/xen/F-7/xen-qemu-block-no-auto-format.patch?root=extras&rev=1.1&sortby=date
this for Fedora 8 (Xen 3.1):
http://cvs.fedora.redhat.com/viewcvs/*checkout*/rpms/xen/F-8/xen-qemu-block-no-auto-format.patch?root=extras

Reading Xen 3.2.1 source code, I can't see any link with this format
stuff. However I can be wrong.

So I'm not sure sid/lenny version is vulnerable.

Cheers,
-- 
Julien Danjou
.''`.  Debian Developer
: :' : http://julien.danjou.info
`. `'  http://people.debian.org/~acid
  `-   9A0D 5FD9 EB42 22F6 8974  C95C A462 B51E C2FE E5CD
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20080802/008c06fe/attachment.pgp

severity 490409 important
thanks

On Sat, Jul 12, 2008 at 06:07:21PM +1000, Steffen Joeris
wrote:
> Package: xen-3
> Severity: grave
> Tags: security
> Justification: user security hole
A bug in a known-problematic subsystem does not make the whole package
unusable.

Bastian

Your message dated Wed, 01 Jul 2009 17:41:17 +0000
with message-id <E1MM3o5-0005Rt-Nz at ries.debian.org>
and subject line Bug#490409: fixed in xen-3 3.4.0-1
has caused the Debian Bug report #490409,
regarding CVE-2008-2004: privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)


-- 
490409: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490409
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: Steffen Joeris <steffen.joeris at skolelinux.de>
Subject: CVE-2008-2004: privilege escalation
Date: Sat, 12 Jul 2008 18:07:21 +1000
Size: 2336
URL:
<http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20090701/a6e9ed43/attachment.eml>
-------------- next part --------------
An embedded message was scrubbed...
From: Bastian Blank <waldi at debian.org>
Subject: Bug#490409: fixed in xen-3 3.4.0-1
Date: Wed, 01 Jul 2009 17:41:17 +0000
Size: 6777
URL:
<http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20090701/a6e9ed43/attachment-0001.eml>