This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-devel] PATCH: CVE-2007-0998: Remove access to QEMU monitor in V

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] PATCH: CVE-2007-0998: Remove access to QEMU monitor in VNC server
From: "S.Çağlar Onur" <caglar@xxxxxxxxxxxxx>
Date: Sat, 19 May 2007 14:48:37 +0300
Cc: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
Delivery-date: Sat, 19 May 2007 04:47:07 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <C2747292.7A95%Keir.Fraser@xxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Organization: TÜBİTAK / UEKAE
References: <C2747292.7A95%Keir.Fraser@xxxxxxxxxxxx>
Reply-to: caglar@xxxxxxxxxxxxx
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.9.7
19 May 2007 Cts tarihinde, Keir Fraser şunları yazmıştı: 
> On 19/5/07 00:39, "S.Çağlar Onur" <caglar@xxxxxxxxxxxxx> wrote:
> > 19 Mar 2007 Pts tarihinde, Daniel P. Berrange şunları yazmıştı:
> >> This patch fixes a security issue present in any Xen 3.0.3 or later when
> >> the VNC server is enabled for a HVM guest.
> >>
> >> cf CVE-2007-0998 / the RHEL-5 security errata:
> >>
> >>    http://rhn.redhat.com/errata/RHSA-2007-0114.html
> >
> > Same patch applies cleanly on Xen-3.1.0, is it forgetton?
> The patch is in 3.1.0.

Hmm, is that solved another way? Cause according to HG history its first 
committed [1] then reverted [2]?

sha1sum /var/cache/pisi/archives/xen-3.1.0-src.tgz

[caglar@zangetsu][~/svk/devel/applications/virtualization/xen]> tar 
xvf /var/cache/pisi/archives/xen-3.1.0-src.tgz

patch -p1 < ../files/CVE-2007-0998.patch
patching file tools/ioemu/Makefile.target
patching file tools/ioemu/vnc.c

[1] http://xenbits.xensource.com/xen-3.0.5-testing.hg?rev/3375391fb0c9
[2] http://xenbits.xensource.com/xen-3.0.5-testing.hg?rev/3d7a4ac397b1

S.Çağlar Onur <caglar@xxxxxxxxxxxxx>

Linux is like living in a teepee. No Windows, no Gates and an Apache in house!

Attachment: signature.asc
Description: This is a digitally signed message part.

Xen-devel mailing list