Debian Bug report logs - #447795
xen-utils-3.0.3-1: [CVE-2007-3919] xenmon.py / xenbaked insecure file accesss

version graph

Package: xen-3.0; Maintainer for xen-3.0 is (unknown);

Reported by: Steve Kemp <skx@debian.org>

Date: Tue, 23 Oct 2007 19:36:01 UTC

Severity: grave

Tags: security

Found in versions 3.0.3-0-3, 3.0.3-0-1

Fixed in versions xen-3/3.1.2-1, 3.0.3-0-4

Done: Bastian Blank <waldi@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#447795; Package xen-utils-3.0.3-1. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xen-utils-3.0.3-1: [CVE-2007-3919] xenmon.py / xenbaked insecure file accesss
Date: Tue, 23 Oct 2007 20:34:24 +0100
Package: xen-utils-3.0.3-1
Version: 3.0.3-0-3
Severity: grave
Tags: security
Justification: user security hole


  Xen versions 3.x, and 3.1 contain a tool for processing Xen trace
 buffer information.

  This tool uses the static file /tmp/xenq-shm insecurely allowing
 a local user to truncate any local file when xenbaked or xenmon.py
 are invoked by root.

  Sample session:

    # setup.
    skx@vain:~$ ln -s /etc/passwd /tmp/xenq-shm

    # later.
    skx@vain:~$ sudo xenbaked

    # all gone.  :(
    skx@vain:~$ ls -l /etc/passwd
    -rw-r--r-- 1 0 root 327680 2007-10-17 00:14 /etc/passwd

  This flaw is known as CVE-2007-3919 by the common vulnerabilities
 and exposures project.

  As the filename needs to be shared between xenmon.py + xenbaked.c
 a "random" one cannot easily be generated.  The solution that 
 Debian will use for its security update is to create the file in
 a location which is only writable by root - /var/run.

  Security advisory will be released very soon.

Steve
-- 
-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-xen-amd64
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages xen-utils-3.0.3-1 depends on:
ii  iproute                20061002-3        Professional tools to control the 
ii  libc6                  2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii  libncurses5            5.5-5             Shared libraries for terminal hand
ii  python                 2.4.4-2           An interactive high-level object-o
ii  python-central         0.5.12            register and build utility for Pyt
ii  udev                   0.105-4           /dev/ and hotplug management daemo
ii  xen-utils-common       3.0.3-0-2         XEN administrative tools - common 
ii  zlib1g                 1:1.2.3-13        compression library - runtime

Versions of packages xen-utils-3.0.3-1 recommends:
ii  bridge-utils                  1.2-1      Utilities for configuring the Linu
ii  xen-hypervisor-3.0.3-1-amd64  3.0.3-0-3  The Xen Hypervisor on AMD64

-- no debconf information




Bug reassigned from package `xen-utils-3.0.3-1' to `xen-3.0'. Request was from Bastian Blank <waldi@debian.org> to control@bugs.debian.org. (Tue, 23 Oct 2007 21:09:05 GMT) Full text and rfc822 format available.

Bug marked as found in version 3.0.3-0-1. Request was from Bastian Blank <waldi@debian.org> to control@bugs.debian.org. (Tue, 23 Oct 2007 21:27:04 GMT) Full text and rfc822 format available.

Reply sent to Bastian Blank <waldi@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #14 received at 447795-close@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: 447795-close@bugs.debian.org
Subject: Bug#447795: fixed in xen-3 3.1.2-1
Date: Sat, 24 Nov 2007 14:02:04 +0000
Source: xen-3
Source-Version: 3.1.2-1

We believe that the bug you reported is fixed in the latest version of
xen-3, which is due to be installed in the Debian FTP archive:

xen-3_3.1.2-1.diff.gz
  to pool/main/x/xen-3/xen-3_3.1.2-1.diff.gz
xen-3_3.1.2-1.dsc
  to pool/main/x/xen-3/xen-3_3.1.2-1.dsc
xen-3_3.1.2.orig.tar.gz
  to pool/main/x/xen-3/xen-3_3.1.2.orig.tar.gz
xen-docs-3.1_3.1.2-1_all.deb
  to pool/main/x/xen-3/xen-docs-3.1_3.1.2-1_all.deb
xen-hypervisor-3.1-1-amd64_3.1.2-1_amd64.deb
  to pool/main/x/xen-3/xen-hypervisor-3.1-1-amd64_3.1.2-1_amd64.deb
xen-utils-3.1-1_3.1.2-1_amd64.deb
  to pool/main/x/xen-3/xen-utils-3.1-1_3.1.2-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 447795@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Blank <waldi@debian.org> (supplier of updated xen-3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 24 Nov 2007 13:24:45 +0000
Source: xen-3
Binary: xen-utils-3.1-1 xen-docs-3.1 xen-hypervisor-3.1-1-i386-nonpae xen-hypervisor-3.1-1-amd64 xen-hypervisor-3.1-1-i386
Architecture: source amd64 all
Version: 3.1.2-1
Distribution: unstable
Urgency: high
Maintainer: Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>
Changed-By: Bastian Blank <waldi@debian.org>
Description: 
 xen-docs-3.1 - documentation for XEN, a Virtual Machine Monitor
 xen-hypervisor-3.1-1-amd64 - The Xen Hypervisor on AMD64
 xen-utils-3.1-1 - XEN administrative tools
Closes: 447795 451626
Changes: 
 xen-3 (3.1.2-1) unstable; urgency=high
 .
   * New upstream release:
     - Move shared file into /var/run. (closes: #447795)
       See CVE-2007-3919.
     - x86: Fix various problems with debug-register handling. (closes: #451626)
       See CVE-2007-5906.
Files: 
 a29263a5eb861b21d4dd7fc6ad27d8e1 1154 misc extra xen-3_3.1.2-1.dsc
 02ab987279136d59218638aa248a9e95 7779024 misc extra xen-3_3.1.2.orig.tar.gz
 e8f1c2eeb35b98f3d354a56b03dd6f31 26765 misc extra xen-3_3.1.2-1.diff.gz
 40bb4f25cfef84ad1a951908cc871005 1099404 misc extra xen-docs-3.1_3.1.2-1_all.deb
 a14bbdfaaefbe7b16f24d3a4988a7e99 1126774 misc extra xen-utils-3.1-1_3.1.2-1_amd64.deb
 43700dbc2d80afab077bc71324bb2597 361578 misc extra xen-hypervisor-3.1-1-amd64_3.1.2-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iEYEARECAAYFAkdIKQkACgkQLkAIIn9ODhE2dwCdFGwlmLqPox571BEnwg+tCi+p
c2IAoKACT0EqcLV9wV09w9vRSfDaf5/x
=xniw
-----END PGP SIGNATURE-----





Bug marked as fixed in version 3.0.3-0-4. Request was from zobel@ftbfs.de (Martin Zobel-Helas) to control@bugs.debian.org. (Thu, 24 Jan 2008 15:48:14 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 22 Feb 2008 07:39:22 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 21:31:42 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.