rpms/xen/F-7 xen-baked-tmpfile.patch,NONE,1.1 xen.spec,1.187,1.188
Daniel P. Berrange (berrange)
fedora-extras-commits at redhat.com
Fri Oct 26 16:38:35 UTC 2007
Author: berrange
Update of /cvs/pkgs/rpms/xen/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv784
Modified Files:
xen.spec
Added Files:
xen-baked-tmpfile.patch
Log Message:
Fixed xenbaked tmpfile flaw (CVE-2007-3919)
xen-baked-tmpfile.patch:
--- NEW FILE xen-baked-tmpfile.patch ---
changeset: 16157:b28ae5f00553
tag: tip
user: Keir Fraser <keir at xensource.com>
date: Tue Oct 23 09:26:43 2007 +0100
files: tools/xenmon/xenbaked.c tools/xenmon/xenmon.py
description:
xenmon: Fix security vulnerability CVE-2007-3919.
The xenbaked daemon and xenmon utility communicate via a mmap'ed
shared file. Since this file is located in /tmp, unprivileged users
can cause arbitrary files to be truncated by creating a symlink from
the well-known /tmp filename to e.g., /etc/passwd.
The fix is to place the shared file in a directory to which only root
should have access (in this case /var/run/).
This bug was reported, and the fix suggested, by Steve Kemp
<skx at debian.org>. Thanks!
Signed-off-by: Keir Fraser <keir at xensource.com>
diff -r 118a21c66fd5 -r b28ae5f00553 tools/xenmon/xenbaked.c
--- a/tools/xenmon/xenbaked.c Mon Oct 22 21:06:11 2007 +0100
+++ b/tools/xenmon/xenbaked.c Tue Oct 23 09:26:43 2007 +0100
@@ -589,7 +589,7 @@ error_t cmd_parser(int key, char *arg, s
return 0;
}
-#define SHARED_MEM_FILE "/tmp/xenq-shm"
+#define SHARED_MEM_FILE "/var/run/xenq-shm"
void alloc_qos_data(int ncpu)
{
int i, n, pgsize, off=0;
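Review bot: The new SHARED_MEM_FILE value in xenbaked.c closes the hole only through directory permissions, and the code that opens the file is outside this hunk. If that open still truncates and follows symlinks, the daemon is safe only while /var/run stays writable by root alone, as the description assumes. Consider also opening the file with O_NOFOLLOW and without O_TRUNC so a symlink is refused wherever the file lives, and cleaning up a stale /tmp/xenq-shm left behind by earlier builds.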
diff -r 118a21c66fd5 -r b28ae5f00553 tools/xenmon/xenmon.py
--- a/tools/xenmon/xenmon.py Mon Oct 22 21:06:11 2007 +0100
+++ b/tools/xenmon/xenmon.py Tue Oct 23 09:26:43 2007 +0100
@@ -46,7 +46,7 @@ QOS_DATA_SIZE = struct.calcsize(ST_QDATA
QOS_DATA_SIZE = struct.calcsize(ST_QDATA)*NSAMPLES + struct.calcsize(ST_DOM_INFO)*NDOMAINS + struct.calcsize("4i")
# location of mmaped file, hard coded right now
-SHM_FILE = "/tmp/xenq-shm"
+SHM_FILE = "/var/run/xenq-shm"
# format strings
TOTALS = 15*' ' + "%6.2f%%" + 35*' ' + "%6.2f%%"
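Review bot: SHM_FILE in xenmon.py duplicates the literal from SHARED_MEM_FILE in xenbaked.c, and the comment above it still reads "hard coded right now". The two strings have to change together or xenmon will map a different file from the one the daemon writes. Add a comment on each side naming the other file, or derive both from a single build-time setting.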
Index: xen.spec
===================================================================
RCS file: /cvs/pkgs/rpms/xen/F-7/xen.spec,v
retrieving revision 1.187
retrieving revision 1.188
diff -u -r1.187 -r1.188
--- xen.spec 27 Sep 2007 03:37:52 -0000 1.187
+++ xen.spec 26 Oct 2007 16:38:01 -0000 1.188
@@ -3,7 +3,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 3.1.0
-Release: 7%{dist}
+Release: 8%{dist}
Group: Development/Libraries
License: GPL
URL: http://www.cl.cam.ac.uk/Research/SRG/netos/xen/index.html
@@ -29,6 +29,8 @@
Patch34: xen-3.1.0-no-xenapi-docs.patch
Patch35: xen-qemu-rtl8139-checksum.patch
+Patch37: xen-baked-tmpfile.patch
+
# Patches to modify the default config of xend
Patch100: xen-config-dom0-minmem.patch
Patch102: xen-3.0.2-config-allow-unix-server.patch
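Review bot: Patch37 follows Patch35 here with no Patch36 in the visible context. If the gap is deliberate, say so in a comment; otherwise take the next free number and keep the matching %patch line in step. A one-line comment above Patch37 noting that it is the CVE-2007-3919 fix, in the style of the "# Patches to modify the default config of xend" comment below it, would make the security patch easy to find later.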
@@ -139,6 +141,8 @@
%patch34 -p1
%patch35 -p1
+%patch37 -p1
+
# config patches
%patch100 -p1
%patch102 -p1
@@ -291,6 +295,9 @@
%{_libdir}/*.a
%changelog
+* Fri Oct 26 2007 Daniel P. Berrange <berrange at redhat.com> - 3.1.0-8.fc7
+- Fixed xenbaked tmpfile flaw (CVE-2007-3919)
+
* Wed Sep 26 2007 Daniel P. Berrange <berrange at redhat.com> - 3.1.0-7.fc7
- Fixed rtl8139 checksum calculation for Vista (rhbz #308201)
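
The commit description above fixes the flaw by moving the shared file out of /tmp. As an added example (not code from xenbaked.c or the Xen project), the C below shows a complementary hardening: an open routine that refuses a symlink at the well-known name and leaves the link target untouched. `open_shared_file`, the scratch directory and the 6-byte target file are hypothetical and constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from xenbaked.c): open or create the shared file
 * without following a symlink at `path`; resize it only once the descriptor
 * is known to be our own regular file. Returns the fd, or -1. */
int open_shared_file(const char *path, off_t size)
{
    struct stat st;
    /* O_NOFOLLOW fails (ELOOP) on a symlink; no O_TRUNC, so nothing is
     * destroyed before the checks below have passed. */
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* fstat() inspects the object actually opened, leaving no gap between
     * check and use; st_nlink != 1 rejects a planted hard link. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1 ||
        ftruncate(fd, size) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink at the shared-file name points at a 6-byte
 * target. Returns the target's size after the refused open, -1 if the open
 * wrongly succeeded, -2 on setup failure. */
long target_size_after_symlink_attempt(void)
{
    char dir[] = "/tmp/shmdemoXXXXXX", target[64], shm[64];
    struct stat st; FILE *f;
    if (!mkdtemp(dir)) return -2;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(shm, sizeof shm, "%s/xenq-shm", dir);
    if (!(f = fopen(target, "w"))) return -2;
    fputs("keepme", f); fclose(f);
    if (symlink(target, shm) < 0) return -2;
    int fd = open_shared_file(shm, 4096);
    if (fd >= 0) { close(fd); return -1; }
    if (stat(target, &st) < 0) return -2;
    unlink(shm); unlink(target); rmdir(dir);
    return (long)st.st_size;
}

int main(void) { printf("%ld\n", target_size_after_symlink_attempt()); return 0; }
```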