Your message dated Mon, 31 May 2010 07:33:04 +0000
with message-id <e1oizue-00011i...@ries.debian.org>
and subject line Bug#548909: fixed in xen-tools 4.2~beta1-1
has caused the Debian Bug report #548909,
regarding xen-tools: xen-create-image creates world readable disk image files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
548909: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548909
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xen-tools
Version: 3.9-4
Severity: grave
Tags: security
Justification: user security hole
I'm tagging this security, though common best practices would suggest that access to the Dom0 should be severely restricted to begin with.
When xen-create-image is used to create a file based DomU, the disk image files will have world readable permissions on a typical system with default umask settings. This means that all accounts on the Dom0 will have full access to the data on the DomU. The fix is simply to alter createLoopbackImages() to chmod 0600 the image files after they are created with dd and before the filesystem is initialized, or simply to adjust the umask before running dd.
This problem exists in both the stable 3.9 version of xen-tools and the unstable 4.1 version.
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-xen-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages xen-tools depends on:
ii debootstrap 1.0.10lenny1 Bootstrap a basic Debian system
ii libconfig-inifiles-perl 2.39-5 Read .ini-style configuration file
ii libtext-template-perl 1.44-1.2 Text::Template perl module
ii perl-modules 5.10.0-19lenny2 Core Perl modules
Versions of packages xen-tools recommends:
ii libexpect-perl 1.20-1 Expect.pm - Perl Expect interface
ii reiserfsprogs 1:3.6.19-6 User-level tools for ReiserFS file
ii rinse 1.3-2 RPM installation environment
ii xen-hypervisor-3.2-1-amd64 3.2.1-2.jd1 The Xen Hypervisor on AMD64
ii xen-shell 1.8-3 Console based Xen administration u
ii xfsprogs 2.9.8-1lenny1 Utilities for managing the XFS fil
xen-tools suggests no packages.
-- no debconf information
--- End Message ---
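The following POSIX shell script is an added illustration, not code from xen-tools or from the reporter. It reproduces the outcome the report describes (an image created by dd under the usual default umask of 022 comes out mode 0644) next to the two remedies the report proposes: chmod 0600 afterwards, or a restrictive umask before dd, which is the approach the 4.2~beta1 changelog records as "umask to 0077". It also includes a small audit helper for finding images that were created before such a fix. File names, the scratch directory and the 1 MiB image size are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not xen-tools code): how the umask in effect when dd creates
# a disk image decides its permissions, and the two remedies from the report.

# Octal permission bits of a file, e.g. "644". GNU stat first, BSD stat fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Weak variant: create the image under the typical default umask of 022.
# The kernel applies 0666 & ~022 = 0644, so every local account on the Dom0
# can read the DomU's data.
create_image_unsafe() {
    ( umask 022; dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null )
}

# Remedy 1 (what the changelog records): umask 0077 in a subshell so the file
# is never created with group/other bits at all; nothing to race against.
create_image_umask() {
    ( umask 0077; dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null )
}

# Remedy 2: chmod 0600 after dd. Correct end state, but between dd creating
# the file and the chmod the image is briefly world-readable under umask 022.
create_image_chmod() {
    ( umask 022; dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null )
    chmod 0600 "$1"
}

# Returns 0 when no group/other permission bits are set (mode ends in "00").
is_private() {
    case "$(file_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Audit helper for existing installs: regular files under a directory that
# are readable by "other" (POSIX find, octal -perm form).
find_world_readable() {
    find "$1" -type f -perm -004
}

# Demonstration on constructed files in a scratch directory.
demo=$(mktemp -d)
create_image_unsafe "$demo/unsafe.img"
create_image_umask  "$demo/umask.img"
create_image_chmod  "$demo/chmod.img"
for f in "$demo"/*.img; do
    printf '%s %s\n' "$(file_mode "$f")" "$(basename "$f")"
done
echo "world-readable images:"
find_world_readable "$demo"
rm -rf "$demo"
```

The umask variant is the safer of the two because the restrictive mode is applied at creation time by the kernel rather than by a second command, so there is no interval during which the image is readable by other accounts. Running the audit helper against the directory that holds existing DomU images shows which ones were created by an older xen-tools and still need their mode tightened.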
--- Begin Message ---
Source: xen-tools
Source-Version: 4.2~beta1-1
We believe that the bug you reported is fixed in the latest version of
xen-tools, which is due to be installed in the Debian FTP archive:
xen-tools_4.2~beta1-1.diff.gz
to main/x/xen-tools/xen-tools_4.2~beta1-1.diff.gz
xen-tools_4.2~beta1-1.dsc
to main/x/xen-tools/xen-tools_4.2~beta1-1.dsc
xen-tools_4.2~beta1-1_all.deb
to main/x/xen-tools/xen-tools_4.2~beta1-1_all.deb
xen-tools_4.2~beta1.orig.tar.gz
to main/x/xen-tools/xen-tools_4.2~beta1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 548...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Axel Beckert <a...@debian.org> (supplier of updated xen-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 30 May 2010 22:32:30 +0200
Source: xen-tools
Binary: xen-tools
Architecture: source all
Version: 4.2~beta1-1
Distribution: unstable
Urgency: low
Maintainer: Axel Beckert <a...@debian.org>
Changed-By: Axel Beckert <a...@debian.org>
Description:
xen-tools - Tools to manage Xen virtual servers
Closes: 492583 499476 499477 502798 503339 511211 515228 520177 530226 534290
547265 548909 550590 561618 566683 566714
Changes:
xen-tools (4.2~beta1-1) unstable; urgency=low
.
* New maintainer and upstream authors
* Reintroduction into Debian Unstable (Closes: #566714)
* New upstream beta version
- Needs dependency on libfile-slurp-perl
- Supports for more recent versions of Fedora, Ubuntu and Debian
(Closes: #499477)
- Supports pygrub. (Added "Suggests: xen-utils" to debian/control)
- Uses hvc0 and xvda devices by default
- Sets umask to 0077 before creating disk images (Closes: #548909)
- Makes sure, MAKEDEV is found in either /dev/ or /sbin/
(Closes: #502798, #515228)
- Changed rinse path to /usr/sbin/. (Closes: #511211)
- Doesn't delete configuration file if it already exists when
xen-create-image is run. (Closes: #520177)
- Doesn't write the FQDN into /etc/hostname (Closes: #492583)
- Dereferences pointers before hashing them to generate a MAC
address. (Closes: #547265)
- Calls pwconv and grpconv inside chroot when installing Fedora
(Closes: #499476)
- Fixed typo in /usr/lib/xen-tools/*.d/75-fixup-securetty
(Closes: #503339)
- Makes better decisions about when to enable Debian security updates
in the created DomU (LP: #309750)
- Installs dhclient for CentOS and Fedora if DHCP networking is
requested (LP: #241446)
- Fixes some bashisms (Closes: #530226)
* [^y] → [!y] (Thanks to Mathieu Parent!)
* kill -HUP → kill -s HUP (found by checkbashism)
* ${parm/?/pat[/str]} → echo | sed
* echo -e → printf
* read → read dummy
- xt-install-image now exits with return value 127 instead of 0 to
indicate errors on running the command given in --install-method.
(Closes: #534290)
- The debootstrap command now also can be configured on the
commandline with --debootstrap-cmd in xen-create-image and
xt-install-image (Enhances fix for #436480 which added the
debootstrap-cmd config file option)
- Checks for debootstrap and cdebootstrap, uses debootstrap if both
are installed (Changed "Depends: debootstrap" to "Depends:
debootstrap | cdebootstrap" in debian/control)
- Added new files TODO and KNOWN_BUGS to debian/docs.
* Removal of /etc/bash_completion.d/xm from the package since
bash-completion ships a more elaborate version of that file. (Closes:
#566683, #550590, LP: #538917, #484098)
* Downgrade reiserfsprogs and xfsprogs to Suggests. (Closes: #561618,
LP: #80233)
* Added evms-cli to Suggests. It has been removed from Debian before
Lenny, but it is necessary for some optional functionality of
xen-tools. And since some Debian derived distributions (e.g. Ubuntu
LTS and grml) still support it, it's included for the sake of
completeness and correctness.
* Added cfengine2 to Suggests. It is helpful to have it installed when
using the cfengine2 role.
* Bump Standards-Version to 3.8.4 (no changes necessary)
* Bump Debhelper Compatibility to 7
- Replace "dh_clean -k" by "dh_prep"
* Add Vcs-* headers pointing to new upstream and packaging repository
* Fix some Lintian warnings:
- [debian/control]: debhelper-but-no-misc-depends
- [debian/copyright]: copyright-without-copyright-notice
- [debian/source/format]: missing-debian-source-format
* Added a README.source explaining how to build xen-tools directly from
the Git repository.
* Overhauled package description
Checksums-Sha1:
552e6272af78e27fd881f94a90c60c3c3140e15d 1187 xen-tools_4.2~beta1-1.dsc
483b721bb748184ed1e91daa2b49619a46da5bac 209470 xen-tools_4.2~beta1.orig.tar.gz
0df6afb46c1a32ca9099c7c95866597779332da8 12683 xen-tools_4.2~beta1-1.diff.gz
317ffac6dc663f11d4cc7ef0888e425cf5235a24 237114 xen-tools_4.2~beta1-1_all.deb
Checksums-Sha256:
f7d71f401656c5566f18ef5f5b856ee1ba511f62058846fe1f0845935b06ef13 1187 xen-tools_4.2~beta1-1.dsc
3e3bb6fea9fbaf32fa1561e34ed2242a68d2ee610e6aa3a8a2739c58eeafcfb3 209470 xen-tools_4.2~beta1.orig.tar.gz
71bfdd815beb2724719ad7e0cfdb341e8bd0d45ee5d08e07a12913deee3552b9 12683 xen-tools_4.2~beta1-1.diff.gz
aa25d9a36940fbab6d0541e112c48db83ff62556d53d69f39038e01ae23c7a09 237114 xen-tools_4.2~beta1-1_all.deb
Files:
f689c6674545c4f4aeae6d63bb8543d6 1187 utils extra xen-tools_4.2~beta1-1.dsc
8d9bfb0a0f41c2b0dec51d16b1df3695 209470 utils extra xen-tools_4.2~beta1.orig.tar.gz
c65ffc225c120b330beb2a36a08beb0f 12683 utils extra xen-tools_4.2~beta1-1.diff.gz
3a1a28fde1eea395b03ce0bcf5ffce3d 237114 utils extra xen-tools_4.2~beta1-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkwCzdgACgkQwJ4diZWTDt6gvACeJ2NHdp0+0vIvPodB7DY/oa0K
OD0An3p8HXyZ0zDbrU3BupFzwDkJDpa5
=/5MY
-----END PGP SIGNATURE-----
--- End Message ---