Bug 350421 (CVE-2007-3919)

Summary: CVE-2007-3919 xen xenmon.py / xenbaked insecure temporary file accesss
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: berrange, kreilly, xen-maint
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 3.1.0-8.fc7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-25 10:19:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 361981, 361991, 362001, 362011, 387161, 387171    
Bug Blocks:    

Description Tomas Hoger 2007-10-24 12:47:17 UTC 
Steve Kemp reported following problem affecting xenmon tools shipped with xen:

The xenbaked daemon and xenmon utility communicate via a mmap'ed
shared file. Since this file is located in /tmp, unprivileged users
can cause arbitrary files to be truncated by creating a symlink from
the well-known /tmp filename to e.g., /etc/passwd.

The fix is to place the shared file in a directory to which only root
should have access (in this case /var/run/).

Fix has already been committed in upstream repository:
http://xenbits.xensource.com/xen-unstable.hg?rev/b28ae5f00553

Debian bug opened by Steve:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=447795
Comment 7 Tomas Hoger 2007-10-29 19:32:29 UTC 
The Red Hat Security Response Team has rated this issue as having low security
impact.  It can only be exploited by attacker with access to Dom0.  Such access
should be restricted to trusted Xen host administrators.  Moreover, those tools
have very limited user base.
Comment 11 Fedora Update System 2007-11-01 21:13:22 UTC 
xen-3.1.0-8.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Red Hat Product Security 2008-07-25 10:19:21 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0194.html