Libvirt Security Notice: LSN-2009-0001
======================================

Summary: Incorrect buffer checks in setuid proxy
Reported on: 20090127
Published on: 20090127
Fixed on: 20090128
Reported by: Rasputin
Patched by: Rasputin
See also: CVE-2009-0036

Description
-----------

The setuid libvirt_proxy helper program allows unprivileged users
read-only access to query the Xen hypervisor for information. On
short reads of data packets from the client, incorrect buffer
validation was being performed. This could lead to a buffer overflow
in the setuid proxy.

Impact
------

An unprivileged user can feed malicious packets to the setuid proxy,
causing a buffer overflow. This can potentially be used to cause the
program to execute arbitrary code as root. The GCC stack protector
did not protect against the flaw, since the function was being inlined
into the main() method by the compiler optimizer.

Workaround
----------

Remove the setuid permission bit from the /usr/libexec/libvirt_proxy
helper binary. This will prevent unprivileged users from being able
to use it to elevate their privileges.

Affected product
----------------

Name: libvirt
Repository: https://gitlab.com/libvirt/libvirt

Branch: master
Broken in: v0.1.3
Broken in: v0.1.4
Broken in: v0.1.6
Broken in: v0.1.7
Broken in: v0.1.8
Broken in: v0.1.9
Broken in: v0.1.10
Broken in: v0.1.11
Broken in: v0.2.0
Broken in: v0.2.1
Broken in: v0.2.2
Broken in: v0.2.3
Broken in: v0.3.0
Broken in: v0.3.1
Broken in: v0.3.2
Broken in: v0.3.3
Broken in: v0.4.1
Broken in: v0.4.2
Broken in: v0.4.4
Broken in: v0.4.6
Broken in: v0.5.0
Broken in: v0.5.1
Fixed in: v0.6.0
Broken by: 27b7a8be52cb0fd4fd4489607ccba13b8fe03003
Fixed by: be33b189a5e579509b5025d72b7f283401ef9dc1
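
The Description concerns length validation when a client packet arrives in
pieces. The C code below is an added example, not libvirt's proxy code: it
shows a fixed-buffer packet reader that bounds the client-supplied length
before that length sizes the follow-up read. The wire format and the names
pkt_hdr, pkt, MAX_PAYLOAD, read_full, read_packet and parse_claimed are
assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical wire format (not libvirt's): fixed header, then payload. */
#define MAX_PAYLOAD 4096
struct pkt_hdr { uint16_t version, command; uint32_t len; }; /* len counts the header too */
struct pkt { struct pkt_hdr hdr; unsigned char payload[MAX_PAYLOAD]; };

/* Read exactly n bytes, looping over short reads. 0 = ok, -1 = EOF or error. */
static int read_full(int fd, void *buf, size_t n)
{
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) return -1;
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/* 0 on a complete, well-formed packet; -1 otherwise. */
int read_packet(int fd, struct pkt *out)
{
    if (read_full(fd, &out->hdr, sizeof(out->hdr)) < 0) return -1;
    /* Bound the client-supplied length before it sizes the second read. */
    if (out->hdr.len < sizeof(out->hdr) || out->hdr.len > sizeof(*out))
        return -1;
    return read_full(fd, out->payload, out->hdr.len - sizeof(out->hdr));
}

/* Constructed input: a header claiming `claimed` bytes, of which `sent` arrive. */
int parse_claimed(uint32_t claimed, size_t sent)
{
    static unsigned char wire[sizeof(struct pkt)];
    static struct pkt p;
    struct pkt_hdr h = { 1, 0, claimed };
    int fds[2];
    if (sent > sizeof(wire) || pipe(fds) < 0) return -2;
    memcpy(wire, &h, sizeof(h));
    ssize_t w = write(fds[1], wire, sent);
    close(fds[1]);                        /* reader sees EOF after `sent` bytes */
    int rc = (w == (ssize_t)sent) ? read_packet(fds[0], &p) : -2;
    close(fds[0]);
    return rc;
}
```

A claimed length below the header size would make the subtraction wrap to a
huge unsigned value, and one above sizeof(struct pkt) would overrun the
buffer; both are rejected before any payload byte is read.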