rpms/xen/devel xen-baked-tmpfile.patch, NONE, 1.1 xen.spec, 1.194, 1.195

Daniel P. Berrange (berrange) fedora-extras-commits at redhat.com
Fri Oct 26 16:41:09 UTC 2007


Author: berrange

Update of /cvs/pkgs/rpms/xen/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv886

Modified Files:
	xen.spec 
Added Files:
	xen-baked-tmpfile.patch 
Log Message:
Fixed xenbaked tmpfile flaw (CVE-2007-3919)

xen-baked-tmpfile.patch:

--- NEW FILE xen-baked-tmpfile.patch ---
changeset:   16157:b28ae5f00553
tag:         tip
user:        Keir Fraser <keir at xensource.com>
date:        Tue Oct 23 09:26:43 2007 +0100
files:       tools/xenmon/xenbaked.c tools/xenmon/xenmon.py
description:
xenmon: Fix security vulnerability CVE-2007-3919.

The xenbaked daemon and xenmon utility communicate via a mmap'ed
shared file. Since this file is located in /tmp, unprivileged users
can cause arbitrary files to be truncated by creating a symlink from
the well-known /tmp filename to e.g., /etc/passwd.

The fix is to place the shared file in a directory to which only root
should have access (in this case /var/run/).

This bug was reported, and the fix suggested, by Steve Kemp
<skx at debian.org>. Thanks!

Signed-off-by: Keir Fraser <keir at xensource.com>


diff -r 118a21c66fd5 -r b28ae5f00553 tools/xenmon/xenbaked.c
--- a/tools/xenmon/xenbaked.c	Mon Oct 22 21:06:11 2007 +0100
+++ b/tools/xenmon/xenbaked.c	Tue Oct 23 09:26:43 2007 +0100
@@ -589,7 +589,7 @@ error_t cmd_parser(int key, char *arg, s
     return 0;
 }
 
-#define SHARED_MEM_FILE "/tmp/xenq-shm"
+#define SHARED_MEM_FILE "/var/run/xenq-shm"
 void alloc_qos_data(int ncpu)
 {
     int i, n, pgsize, off=0;
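Review bot: At the `SHARED_MEM_FILE` define, the symlink protection now rests only on the permissions of /var/run, because the code that opens the file lies outside the visible lines and is not touched by this patch. Opening the file with `O_NOFOLLOW` (and creating it with `O_CREAT|O_EXCL` after removing a stale copy) would keep the daemon from following a link even if the directory is ever misconfigured or the path is moved again.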
diff -r 118a21c66fd5 -r b28ae5f00553 tools/xenmon/xenmon.py
--- a/tools/xenmon/xenmon.py	Mon Oct 22 21:06:11 2007 +0100
+++ b/tools/xenmon/xenmon.py	Tue Oct 23 09:26:43 2007 +0100
@@ -46,7 +46,7 @@ QOS_DATA_SIZE = struct.calcsize(ST_QDATA
 QOS_DATA_SIZE = struct.calcsize(ST_QDATA)*NSAMPLES + struct.calcsize(ST_DOM_INFO)*NDOMAINS + struct.calcsize("4i")
 
 # location of mmaped file, hard coded right now
-SHM_FILE = "/tmp/xenq-shm"
+SHM_FILE = "/var/run/xenq-shm"
 
 # format strings
 TOTALS = 15*' ' + "%6.2f%%" + 35*' ' + "%6.2f%%"
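Review bot: `SHM_FILE` here duplicates the path held in `SHARED_MEM_FILE` in xenbaked.c, and the comment above it still says only "hard coded right now". A note on both definitions that the two values must match, or a single shared definition, would prevent a later change from updating one side and leaving the two tools on different files.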



Index: xen.spec
===================================================================
RCS file: /cvs/pkgs/rpms/xen/devel/xen.spec,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -r1.194 -r1.195
--- xen.spec	11 Oct 2007 00:47:59 -0000	1.194
+++ xen.spec	26 Oct 2007 16:40:36 -0000	1.195
@@ -3,7 +3,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 3.1.0
-Release: 12%{?dist}
+Release: 13%{?dist}
 Group:   Development/Libraries
 License: GPL
 URL:     http://www.cl.cam.ac.uk/Research/SRG/netos/xen/index.html
@@ -32,6 +32,7 @@
 Patch34: xen-3.1.0-no-xenapi-docs.patch
 Patch35: xen-qemu-rtl8139-checksum.patch
 Patch36: xen-qemu-bootmenu.patch
+Patch37: xen-baked-tmpfile.patch
 
 # Patches to modify the default config of xend
 Patch100: xen-config-dom0-minmem.patch
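Review bot: The `Patch37:` line carries no comment tying it to its origin. A one-line comment naming upstream changeset 16157:b28ae5f00553 and CVE-2007-3919 would let a later rebase drop the patch once the packaged version includes the fix.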
@@ -143,6 +144,7 @@
 %patch34 -p1
 %patch35 -p1
 %patch36 -p1
+%patch37 -p1
 
 # config patches
 %patch100 -p1
@@ -293,6 +295,9 @@
 %{_libdir}/*.a
 
 %changelog
+* Fri Oct 26 2007 Daniel P. Berrange <berrange at redhat.com> - 3.1.0-13.fc9
+- Fixed xenbaked tmpfile flaw (CVE-2007-3919)
+
 * Wed Oct 10 2007 Daniel P. Berrange <berrange at redhat.com> - 3.1.0-12.fc8
 - Pull in QEMU BIOS boot menu patch from KVM package
 - Fix QEMU patch for locating x509 certificates based on command line args



