Steve Kemp reported following problem affecting xenmon tools shipped with xen: The xenbaked daemon and xenmon utility communicate via a mmap'ed shared file. Since this file is located in /tmp, unprivileged users can cause arbitrary files to be truncated by creating a symlink from the well-known /tmp filename to e.g., /etc/passwd. The fix is to place the shared file in a directory to which only root should have access (in this case /var/run/). Fix has already been committed in upstream repository: http://xenbits.xensource.com/xen-unstable.hg?rev/b28ae5f00553 Debian bug opened by Steve: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=447795
The Red Hat Security Response Team has rated this issue as having low security impact. It can only be exploited by attacker with access to Dom0. Such access should be restricted to trusted Xen host administrators. Moreover, those tools have very limited user base.
xen-3.1.0-8.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0194.html