CVE-2016-9379

Published: 23 January 2017

The pygrub boot loader emulator in Xen, when S-expression output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via string quotes and S-expressions in the bootloader configuration file.

Priority

Low

CVSS 3 base score: 7.9

Status

Package: xen (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Needed
Ubuntu 16.04 ESM (Xenial Xerus): Released (4.6.0-1ubuntu4.3)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was released [4.4.2-0ubuntu0.14.04.9])
Binaries built from this source package are in Universe and so are supported by the community.

Notes

Author: Note
mdeslaur: This is XSA-198
tyhicks: issue present in xen-utils-4.x binary packages which are in universe

References