Red Hat Bugzilla – Bug 350421
CVE-2007-3919 xen xenmon.py / xenbaked insecure temporary file accesss
Last modified: 2016-03-04 06:30:22 EST
Steve Kemp reported following problem affecting xenmon tools shipped with xen:
The xenbaked daemon and xenmon utility communicate via a mmap'ed
shared file. Since this file is located in /tmp, unprivileged users
can cause arbitrary files to be truncated by creating a symlink from
the well-known /tmp filename to e.g., /etc/passwd.
The fix is to place the shared file in a directory to which only root
should have access (in this case /var/run/).
Fix has already been committed in upstream repository:
Debian bug opened by Steve:
The Red Hat Security Response Team has rated this issue as having low security
impact. It can only be exploited by attacker with access to Dom0. Such access
should be restricted to trusted Xen host administrators. Moreover, those tools
have very limited user base.
xen-3.1.0-8.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: