Date: Tue, 25 Jun 2013 14:03:58 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Xen.org security team" <security@....org>, xen-announce@...ts.xen.org,
        xen-devel@...ts.xen.org, xen-users@...ts.xen.org
Subject: Re: Xen Security Advisory 57 - libxl allows guest
 write access to sensitive console related xenstore keys

On 06/21/2013 04:07 AM, Xen.org security team wrote:
> Xen Security Advisory XSA-57 version 3
> 
> libxl allows guest write access to sensitive console related
> xenstore keys
> 
> UPDATES IN VERSION 3
> ====================
> 
> Public release.
> 
> ISSUE DESCRIPTION
> =================
> 
> The libxenlight (libxl) toolstack library does not correctly set 
> permissions on xenstore keys relating to paravirtualised and
> emulated serial console devices. This could allow a malicious
> guest administrator to change values in xenstore which the host
> later relies on being implicitly trusted.
> 
> This vulnerability has not yet been assigned a CVE Candidate number
> by MITRE.  We will issue an updated version of XSA-57 when this is 
> available.

Please use CVE-2013-2211 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
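As an added example (not part of this thread and not Xen project code): a dom0-side audit that parses `xenstore-ls -p` output and reports which console-related keys a given guest domain is allowed to write, which is the condition the advisory describes. The listing is constructed, and the output format and the xenstore permission semantics (first entry is the owner and the default for all other domains; n/r/w/b letters) are assumptions made here.

```python
import re
import subprocess

# Constructed excerpt of `xenstore-ls -p /local/domain/1/console`, not captured from
# a real host. Format assumed here: one space of indent per tree level, then
# `key = "value"   (perms)`; perms are letter+domid entries, first entry = owner.
SAMPLE = """\
ring-ref = "12345"   (n0,r1)
port = "3"   (n0,r1)
limit = "1048576"   (n0,b1)
type = "xenconsoled"   (n0,b1)
output = "pty"   (n0,b1)
tty = "/dev/pts/3"   (n0,b1)
"""

PERM_RE = re.compile(r"\(([nrwb]\d+(?:,[nrwb]\d+)*)\)\s*$")

def parse_ls(text):
    """Yield (relative_path, [(letter, domid), ...]) per line of xenstore-ls -p output."""
    stack = []
    for line in text.splitlines():
        if not line.strip():
            continue
        depth = len(line) - len(line.lstrip(" "))
        key = line.strip().split(" = ", 1)[0]
        stack = stack[:depth] + [key]          # rebuild the path from indentation
        m = PERM_RE.search(line)
        perms = [(e[0], int(e[1:])) for e in m.group(1).split(",")] if m else []
        yield "/".join(stack), perms

def can_write(perms, domid):
    """Owner always writes; otherwise an explicit entry wins, else the owner's default."""
    if not perms:
        return False
    default, owner = perms[0]
    if domid == owner:
        return True
    for letter, d in perms[1:]:
        if d == domid:
            return letter in "wb"
    return default in "wb"

def guest_writable_keys(text, domid):
    """Paths in the listing that guest `domid` is allowed to modify."""
    return [path for path, perms in parse_ls(text) if can_write(perms, domid)]

def audit_console(domid):
    """Same check against a live host (needs the Xen tools and dom0 privileges)."""
    cmd = ["xenstore-ls", "-p", f"/local/domain/{domid}/console"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return guest_writable_keys(out, domid)
```

On the constructed listing, `guest_writable_keys(SAMPLE, 1)` reports the four keys carrying `b1`; an empty result for every guest domid is what a correctly permissioned console subtree should give.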
