Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>: Bug#447795; Package xen-utils-3.0.3-1.
(full text, mbox, link).
Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>.
(full text, mbox, link).
Package: xen-utils-3.0.3-1
Version: 3.0.3-0-3
Severity: grave
Tags: security
Justification: user security hole
Xen versions 3.x, and 3.1 contain a tool for processing Xen trace
buffer information.
This tool uses the static file /tmp/xenq-shm insecurely allowing
a local user to truncate any local file when xenbaked or xenmon.py
are invoked by root.
Sample session:
# setup.
skx@vain:~$ ln -s /etc/passwd /tmp/xenq-shm
# later.
skx@vain:~$ sudo xenbaked
# all gone. :(
skx@vain:~$ ls -l /etc/passwd
-rw-r--r-- 1 0 root 327680 2007-10-17 00:14 /etc/passwd
This flaw is known as CVE-2007-3919 by the common vulnerabilities
and exposures project.
As the filename needs to be shared between xenmon.py + xenbaked.c
a "random" one cannot easily be generated. The solution that
Debian will use for its security update is to create the file in
a location which is only writable by root - /var/run.
Security advisory will be released very soon.
Steve
--
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-xen-amd64
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Versions of packages xen-utils-3.0.3-1 depends on:
ii iproute 20061002-3 Professional tools to control the
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii libncurses5 5.5-5 Shared libraries for terminal hand
ii python 2.4.4-2 An interactive high-level object-o
ii python-central 0.5.12 register and build utility for Pyt
ii udev 0.105-4 /dev/ and hotplug management daemo
ii xen-utils-common 3.0.3-0-2 XEN administrative tools - common
ii zlib1g 1:1.2.3-13 compression library - runtime
Versions of packages xen-utils-3.0.3-1 recommends:
ii bridge-utils 1.2-1 Utilities for configuring the Linu
ii xen-hypervisor-3.0.3-1-amd64 3.0.3-0-3 The Xen Hypervisor on AMD64
-- no debconf information
Bug reassigned from package `xen-utils-3.0.3-1' to `xen-3.0'.
Request was from Bastian Blank <waldi@debian.org>
to control@bugs.debian.org.
(Tue, 23 Oct 2007 21:09:05 GMT) (full text, mbox, link).
Bug marked as found in version 3.0.3-0-1.
Request was from Bastian Blank <waldi@debian.org>
to control@bugs.debian.org.
(Tue, 23 Oct 2007 21:27:04 GMT) (full text, mbox, link).
Reply sent to Bastian Blank <waldi@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Source: xen-3
Source-Version: 3.1.2-1
We believe that the bug you reported is fixed in the latest version of
xen-3, which is due to be installed in the Debian FTP archive:
xen-3_3.1.2-1.diff.gz
to pool/main/x/xen-3/xen-3_3.1.2-1.diff.gz
xen-3_3.1.2-1.dsc
to pool/main/x/xen-3/xen-3_3.1.2-1.dsc
xen-3_3.1.2.orig.tar.gz
to pool/main/x/xen-3/xen-3_3.1.2.orig.tar.gz
xen-docs-3.1_3.1.2-1_all.deb
to pool/main/x/xen-3/xen-docs-3.1_3.1.2-1_all.deb
xen-hypervisor-3.1-1-amd64_3.1.2-1_amd64.deb
to pool/main/x/xen-3/xen-hypervisor-3.1-1-amd64_3.1.2-1_amd64.deb
xen-utils-3.1-1_3.1.2-1_amd64.deb
to pool/main/x/xen-3/xen-utils-3.1-1_3.1.2-1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 447795@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastian Blank <waldi@debian.org> (supplier of updated xen-3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 24 Nov 2007 13:24:45 +0000
Source: xen-3
Binary: xen-utils-3.1-1 xen-docs-3.1 xen-hypervisor-3.1-1-i386-nonpae xen-hypervisor-3.1-1-amd64 xen-hypervisor-3.1-1-i386
Architecture: source amd64 all
Version: 3.1.2-1
Distribution: unstable
Urgency: high
Maintainer: Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>
Changed-By: Bastian Blank <waldi@debian.org>
Description:
xen-docs-3.1 - documentation for XEN, a Virtual Machine Monitor
xen-hypervisor-3.1-1-amd64 - The Xen Hypervisor on AMD64
xen-utils-3.1-1 - XEN administrative tools
Closes: 447795451626
Changes:
xen-3 (3.1.2-1) unstable; urgency=high
.
* New upstream release:
- Move shared file into /var/run. (closes: #447795)
See CVE-2007-3919.
- x86: Fix various problems with debug-register handling. (closes: #451626)
See CVE-2007-5906.
Files:
a29263a5eb861b21d4dd7fc6ad27d8e1 1154 misc extra xen-3_3.1.2-1.dsc
02ab987279136d59218638aa248a9e95 7779024 misc extra xen-3_3.1.2.orig.tar.gz
e8f1c2eeb35b98f3d354a56b03dd6f31 26765 misc extra xen-3_3.1.2-1.diff.gz
40bb4f25cfef84ad1a951908cc871005 1099404 misc extra xen-docs-3.1_3.1.2-1_all.deb
a14bbdfaaefbe7b16f24d3a4988a7e99 1126774 misc extra xen-utils-3.1-1_3.1.2-1_amd64.deb
43700dbc2d80afab077bc71324bb2597 361578 misc extra xen-hypervisor-3.1-1-amd64_3.1.2-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iEYEARECAAYFAkdIKQkACgkQLkAIIn9ODhE2dwCdFGwlmLqPox571BEnwg+tCi+p
c2IAoKACT0EqcLV9wV09w9vRSfDaf5/x
=xniw
-----END PGP SIGNATURE-----
Bug marked as fixed in version 3.0.3-0-4.
Request was from zobel@ftbfs.de (Martin Zobel-Helas)
to control@bugs.debian.org.
(Thu, 24 Jan 2008 15:48:14 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 22 Feb 2008 07:39:22 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.