Bug 350421 - (CVE-2007-3919) CVE-2007-3919 xen xenmon.py / xenbaked insecure temporary file accesss
CVE-2007-3919 xen xenmon.py / xenbaked insecure temporary file accesss
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
source=vendorsec,reported=20071017,pu...
: Reopened, Security
Depends On: 361981 361991 362001 362011 387161 387171
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-24 08:47 EDT by Tomas Hoger
Modified: 2016-03-04 06:30 EST (History)
3 users (show)

See Also:
Fixed In Version: 3.1.0-8.fc7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-25 06:19:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2007-10-24 08:47:17 EDT
Steve Kemp reported following problem affecting xenmon tools shipped with xen:

The xenbaked daemon and xenmon utility communicate via a mmap'ed
shared file. Since this file is located in /tmp, unprivileged users
can cause arbitrary files to be truncated by creating a symlink from
the well-known /tmp filename to e.g., /etc/passwd.

The fix is to place the shared file in a directory to which only root
should have access (in this case /var/run/).

Fix has already been committed in upstream repository:
http://xenbits.xensource.com/xen-unstable.hg?rev/b28ae5f00553

Debian bug opened by Steve:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=447795
Comment 7 Tomas Hoger 2007-10-29 15:32:29 EDT
The Red Hat Security Response Team has rated this issue as having low security
impact.  It can only be exploited by attacker with access to Dom0.  Such access
should be restricted to trusted Xen host administrators.  Moreover, those tools
have very limited user base.
Comment 11 Fedora Update System 2007-11-01 17:13:22 EDT
xen-3.1.0-8.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Red Hat Product Security 2008-07-25 06:19:21 EDT
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0194.html


Note You need to log in before you can comment on or make changes to this bug.