[Pkg-xen-devel] Bug#447795: xen-utils-3.0.3-1: [CVE-2007-3919] xenmon.py / xenbaked insecure file access
Steve Kemp
skx at debian.org
Tue Oct 23 19:34:24 UTC 2007
Package: xen-utils-3.0.3-1
Version: 3.0.3-0-3
Severity: grave
Tags: security
Justification: user security hole
Xen versions 3.x, and 3.1 contain a tool for processing Xen trace
buffer information.
This tool uses the static file /tmp/xenq-shm insecurely allowing
a local user to truncate any local file when xenbaked or xenmon.py
are invoked by root.
Sample session:
# setup.
skx at vain:~$ ln -s /etc/passwd /tmp/xenq-shm
# later.
skx at vain:~$ sudo xenbaked
# all gone. :(
skx at vain:~$ ls -l /etc/passwd
-rw-r--r-- 1 0 root 327680 2007-10-17 00:14 /etc/passwd
This flaw is known as CVE-2007-3919 by the common vulnerabilities
and exposures project.
As the filename needs to be shared between xenmon.py + xenbaked.c
a "random" one cannot easily be generated. The solution that
Debian will use for its security update is to create the file in
a location which is only writable by root - /var/run.
A security advisory will be released very soon.
Steve
--
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-xen-amd64
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Versions of packages xen-utils-3.0.3-1 depends on:
ii iproute 20061002-3 Professional tools to control the
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii libncurses5 5.5-5 Shared libraries for terminal hand
ii python 2.4.4-2 An interactive high-level object-o
ii python-central 0.5.12 register and build utility for Pyt
ii udev 0.105-4 /dev/ and hotplug management daemo
ii xen-utils-common 3.0.3-0-2 XEN administrative tools - common
ii zlib1g 1:1.2.3-13 compression library - runtime
Versions of packages xen-utils-3.0.3-1 recommends:
ii bridge-utils 1.2-1 Utilities for configuring the Linu
ii xen-hypervisor-3.0.3-1-amd64 3.0.3-0-3 The Xen Hypervisor on AMD64
-- no debconf information
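As an added illustration of the fix the report describes (example code, not Xen's or Debian's own), the check below opens a fixed-name shared file such as xenq-shm only when it is a plain file owned by the caller in a directory nobody else can write to, refusing a planted symlink instead of following and truncating it; demo() replays the report's session inside a constructed private directory with a stand-in for /etc/passwd. The function and directory names are assumptions for the example.

```python
import os
import stat
import tempfile

class UnsafeSharedFile(Exception):
    pass

def open_shared_trace_file(path, owner_uid=None):
    """Open (creating if needed) the fixed-name shared file without following
    a planted symlink; accept only a plain file we own in a root-only dir."""
    if owner_uid is None:
        owner_uid = os.geteuid()
    parent = os.path.dirname(os.path.abspath(path))
    dstat = os.stat(parent)
    # /tmp (mode 1777) fails this test; root's /var/run (mode 0755) passes it.
    if dstat.st_mode & (stat.S_IWGRP | stat.S_IWOTH) or dstat.st_uid != owner_uid:
        raise UnsafeSharedFile("%s is writable by or owned by another user" % parent)
    # O_NOFOLLOW: a symlink planted at `path` fails with ELOOP instead of being
    # followed. No O_TRUNC: we truncate only after verifying what we opened.
    try:
        fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    except OSError as e:
        raise UnsafeSharedFile("refusing %s: %s" % (path, e.strerror))
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1 or st.st_uid != owner_uid:
        os.close(fd)
        raise UnsafeSharedFile("%s is not a plain file owned by uid %d" % (path, owner_uid))
    os.ftruncate(fd, 0)  # now safe: it is our own regular file, not a victim
    return fd

def demo():
    """Constructed replay of the report's session inside a private directory."""
    d = tempfile.mkdtemp()  # mode 0700, owned by us: the property /var/run gives root
    victim = os.path.join(d, "passwd")
    with open(victim, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # stand-in for /etc/passwd
    shared = os.path.join(d, "xenq-shm")
    os.symlink(victim, shared)  # the report's "ln -s /etc/passwd /tmp/xenq-shm"
    try:
        open_shared_trace_file(shared)
        refused = False
    except UnsafeSharedFile:
        refused = True
    intact = os.path.getsize(victim) > 0  # the stand-in was not truncated
    os.unlink(shared)
    fd = open_shared_trace_file(shared)  # no symlink: a fresh plain file is created
    created = stat.S_ISREG(os.fstat(fd).st_mode)
    os.close(fd)
    return refused, intact, created
```

demo() returns (True, True, True): the symlink is refused, the stand-in keeps its contents, and a legitimate run still gets its own regular file.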