List:       oss-security
Subject:    Re: [oss-security] Xen Security Advisory 57 - libxl allows guest write access to sensitive console r
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-06-25 20:03:58
Message-ID: 51C9F7AE.3070004 () redhat ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/21/2013 04:07 AM, Xen.org security team wrote:
> Xen Security Advisory XSA-57 version 3
> 
> libxl allows guest write access to sensitive console related
> xenstore keys
> 
> UPDATES IN VERSION 3
> ====================
> 
> Public release.
> 
> ISSUE DESCRIPTION
> =================
> 
> The libxenlight (libxl) toolstack library does not correctly set 
> permissions on xenstore keys relating to paravirtualised and
> emulated serial console devices. This could allow a malicious
> guest administrator to change values in xenstore which the host
> later relies on being implicitly trusted.
> 
> This vulnerability has not yet been assigned a CVE Candidate number
> by MITRE.  We will issue an updated version of XSA-57 when this is 
> available.

Please use CVE-2013-2211 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
-----END PGP SIGNATURE-----