Steve Kemp
2007-Oct-23 19:34 UTC
[Pkg-xen-devel] Bug#447795: xen-utils-3.0.3-1: [CVE-2007-3919] xenmon.py / xenbaked insecure file access
Package: xen-utils-3.0.3-1
Version: 3.0.3-0-3
Severity: grave
Tags: security
Justification: user security hole

Xen versions 3.x, and 3.1 contain a tool for processing Xen trace buffer
information. This tool uses the static file /tmp/xenq-shm insecurely
allowing a local user to truncate any local file when xenbaked or
xenmon.py are invoked by root.

Sample session:

    # setup.
    skx at vain:~$ ln -s /etc/passwd /tmp/xenq-shm

    # later.
    skx at vain:~$ sudo xenbaked

    # all gone. :(
    skx at vain:~$ ls -l /etc/passwd
    -rw-r--r-- 1 0 root 327680 2007-10-17 00:14 /etc/passwd

This flaw is known as CVE-2007-3919 by the common vulnerabilities and
exposures project.

As the filename needs to be shared between xenmon.py + xenbaked.c a
"random" one cannot easily be generated. The solution that Debian will
use for its security update is to create the file in a location which is
only writable by root - /var/run.

Security advisory will be released very soon.

Steve
--

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-xen-amd64
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages xen-utils-3.0.3-1 depends on:
ii  iproute            20061002-3         Professional tools to control the
ii  libc6              2.3.6.ds1-13etch2  GNU C Library: Shared libraries
ii  libncurses5        5.5-5              Shared libraries for terminal hand
ii  python             2.4.4-2            An interactive high-level object-o
ii  python-central     0.5.12             register and build utility for Pyt
ii  udev               0.105-4            /dev/ and hotplug management daemo
ii  xen-utils-common   3.0.3-0-2          XEN administrative tools - common
ii  zlib1g             1:1.2.3-13         compression library - runtime

Versions of packages xen-utils-3.0.3-1 recommends:
ii  bridge-utils                  1.2-1      Utilities for configuring the Linu
ii  xen-hypervisor-3.0.3-1-amd64  3.0.3-0-3  The Xen Hypervisor on AMD64

-- no debconf information
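An added example, not part of the original report and not xenbaked's own code: a defensive open for a fixed-path shared file, set beside a simplified stand-in for the pattern the report describes. The function names, the 4096-byte size and the temporary directory are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed stand-in for the flaw: O_TRUNC on a fixed path follows a symlink. */
int open_shared_naive(const char *path, off_t size)
{
    int fd = open(path, O_CREAT | O_RDWR | O_TRUNC, 0600);
    if (fd >= 0 && ftruncate(fd, size) != 0) { close(fd); return -1; }
    return fd;
}

/* Hardened: O_NOFOLLOW refuses a symlink (ELOOP); the fstat() checks refuse
 * non-regular files, foreign owners and hard links before any resize. */
int open_shared_checked(const char *path, off_t size)
{
    struct stat st;
    int fd = open(path, O_CREAT | O_RDWR | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) || !S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        st.st_nlink != 1 || ftruncate(fd, size)) { close(fd); return -1; }
    return fd;
}

/* Constructed demo: size of a 5-byte victim after opening a symlink to it. */
long victim_size_after(int (*opener)(const char *, off_t))
{
    char dir[] = "/tmp/shmdemoXXXXXX", victim[64], shm[64];
    struct stat st = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(shm, sizeof shm, "%s/xenq-shm", dir);
    int fd = open(victim, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || write(fd, "data\n", 5) != 5 || symlink(victim, shm)) return -1;
    close(fd);
    if ((fd = opener(shm, 4096)) >= 0) close(fd);
    stat(victim, &st);
    unlink(shm); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}

int main(void)
{
    printf("naive: %ld bytes\n", victim_size_after(open_shared_naive));
    printf("checked: %ld bytes\n", victim_size_after(open_shared_checked));
}
```

O_NOFOLLOW only covers the final path component, so these checks complement the move to a root-only directory such as /var/run rather than replace it.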