47 lines
1.7 KiB
Diff
47 lines
1.7 KiB
Diff
# HG changeset patch
|
|
# User Keir Fraser <keir@xensource.com>
|
|
# Date 1193128003 -3600
|
|
# Node ID b28ae5f00553ea053bd4e4576634d8ea49e77bc3
|
|
# Parent 118a21c66fd53a08d7191159e5b2888f8d9e4ad2
|
|
xenmon: Fix security vulnerability CVE-2007-3919.
|
|
|
|
The xenbaked daemon and xenmon utility communicate via a mmap'ed
|
|
shared file. Since this file is located in /tmp, unprivileged users
|
|
can cause arbitrary files to be truncated by creating a symlink from
|
|
the well-known /tmp filename to e.g., /etc/passwd.
|
|
|
|
The fix is to place the shared file in a directory to which only root
|
|
should have access (in this case /var/run/).
|
|
|
|
This bug was reported, and the fix suggested, by Steve Kemp
|
|
<skx@debian.org>. Thanks!
|
|
|
|
Signed-off-by: Keir Fraser <keir@xensource.com>
|
|
|
|
Index: xen-3.1-testing/tools/xenmon/xenbaked.c
|
|
===================================================================
|
|
--- xen-3.1-testing.orig/tools/xenmon/xenbaked.c
|
|
+++ xen-3.1-testing/tools/xenmon/xenbaked.c
|
|
@@ -593,7 +593,7 @@ error_t cmd_parser(int key, char *arg, s
|
|
return 0;
|
|
}
|
|
|
|
-#define SHARED_MEM_FILE "/tmp/xenq-shm"
|
|
+#define SHARED_MEM_FILE "/var/run/xenq-shm"
|
|
void alloc_qos_data(int ncpu)
|
|
{
|
|
int i, n, pgsize, off=0;
|
|
Index: xen-3.1-testing/tools/xenmon/xenmon.py
|
|
===================================================================
|
|
--- xen-3.1-testing.orig/tools/xenmon/xenmon.py
|
|
+++ xen-3.1-testing/tools/xenmon/xenmon.py
|
|
@@ -46,7 +46,7 @@ ST_QDATA = "%dQ" % (6*NDOMAINS + 4)
|
|
QOS_DATA_SIZE = struct.calcsize(ST_QDATA)*NSAMPLES + struct.calcsize(ST_DOM_INFO)*NDOMAINS + struct.calcsize("4i")
|
|
|
|
# location of mmaped file, hard coded right now
|
|
-SHM_FILE = "/tmp/xenq-shm"
|
|
+SHM_FILE = "/var/run/xenq-shm"
|
|
|
|
# format strings
|
|
TOTALS = 15*' ' + "%6.2f%%" + 35*' ' + "%6.2f%%"
|