Bug 350421 - (CVE-2007-3919) CVE-2007-3919 xen xenmon.py / xenbaked insecure temporary file accesss
CVE-2007-3919 xen xenmon.py / xenbaked insecure temporary file accesss
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Reopened, Security
Depends On: 361981 361991 362001 362011 387161 387171
  Show dependency treegraph
Reported: 2007-10-24 08:47 EDT by Tomas Hoger
Modified: 2016-03-04 06:30 EST (History)
3 users (show)

See Also:
Fixed In Version: 3.1.0-8.fc7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-07-25 06:19:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2007-10-24 08:47:17 EDT
Steve Kemp reported following problem affecting xenmon tools shipped with xen:

The xenbaked daemon and xenmon utility communicate via a mmap'ed
shared file. Since this file is located in /tmp, unprivileged users
can cause arbitrary files to be truncated by creating a symlink from
the well-known /tmp filename to e.g., /etc/passwd.

The fix is to place the shared file in a directory to which only root
should have access (in this case /var/run/).

Fix has already been committed in upstream repository:

Debian bug opened by Steve:
Comment 7 Tomas Hoger 2007-10-29 15:32:29 EDT
The Red Hat Security Response Team has rated this issue as having low security
impact.  It can only be exploited by attacker with access to Dom0.  Such access
should be restricted to trusted Xen host administrators.  Moreover, those tools
have very limited user base.
Comment 11 Fedora Update System 2007-11-01 17:13:22 EDT
xen-3.1.0-8.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Red Hat Product Security 2008-07-25 06:19:21 EDT
This issue was addressed in:

Red Hat Enterprise Linux:

Note You need to log in before you can comment on or make changes to this bug.