Libvirt Security Notice: LSN-2013-0012

Insecure invocation of polkit for checking authorization

Lifecycle

Reported on: 20130828
Published on: 20130918
Fixed on: 20130918

Credits

Reported by: Sebastian Krahmer
Patched by: Daniel Berrange, Colin Walters

See also

Description

There is a race condition in the way libvirt invokes the pkcheck binary, which could result in polkit doing the authorization check against the wrong user ID.

Impact

A malicious libvirt client can have one thread exec a setuid application in parallel with another thread authenticating to libvirt. This would result in polkit authorizing the libvirt client as if it were running as user ID 0. An unprivileged user can thus elevate their privileges.

Workaround

Disable all use of polkit authentication in the libvirtd server, and disable the polkit access control driver.
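
One way to check whether a host has this workaround in place, as an added example (not part of the original notice and not libvirt code): the script below parses libvirtd.conf text and lists the settings that still route checks through polkit. It assumes a polkit-enabled build in which unset auth_unix_ro and auth_unix_rw default to polkit; both sample files are constructed.

```python
import ast
import re

# Assumption: polkit-enabled build, where unset UNIX-socket auth keys
# fall back to polkit and no access control driver is loaded.
DEFAULTS = {"auth_unix_ro": "polkit", "auth_unix_rw": "polkit",
            "access_drivers": []}
SETTING = re.compile(r"^(\w+)\s*=\s*(.+)$")

# Constructed sample: stock-style file with the polkit access driver enabled.
POLKIT_CONF = '''
#auth_unix_ro = "polkit"
#auth_unix_rw = "polkit"
access_drivers = [ "polkit" ]
'''

# Constructed sample: workaround applied.
WORKAROUND_CONF = '''
auth_unix_ro = "none"
auth_unix_rw = "sasl"   # any scheme other than polkit
#access_drivers = [ "polkit" ]
'''

def parse_conf(text):
    """Parse single-line `key = value` settings, skipping comments."""
    settings = {}
    for raw in text.splitlines():
        match = SETTING.match(raw.strip())
        if not match:          # blank, comment, or continuation line
            continue
        key, value = match.groups()
        try:
            settings[key] = ast.literal_eval(value)
        except (ValueError, SyntaxError):
            settings[key] = value   # keep unparsed text for the caller
    return settings

def polkit_usage(text):
    """Return the settings that still send checks through polkit."""
    effective = dict(DEFAULTS)
    effective.update((k, v) for k, v in parse_conf(text).items() if k in DEFAULTS)
    found = [k for k in ("auth_unix_ro", "auth_unix_rw") if effective[k] == "polkit"]
    drivers = effective["access_drivers"]
    if "polkit" in (drivers if isinstance(drivers, list) else [drivers]):
        found.append("access_drivers")
    return found

if __name__ == "__main__":
    for name, conf in (("polkit", POLKIT_CONF), ("workaround", WORKAROUND_CONF)):
        print(name, "->", polkit_usage(conf) or "no polkit use")
```

An empty result means none of the three settings sends checks through polkit; libvirtd must be restarted for edits to the file to take effect.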

Affected product: libvirt

Branch master
Broken in: v0.7.0
Broken in: v0.7.1
Broken in: v0.7.2
Broken in: v0.7.3
Broken in: v0.7.4
Broken in: v0.7.5
Broken in: v0.7.6
Broken in: v0.7.7
Broken in: v0.8.0
Broken in: v0.8.1
Broken in: v0.8.2
Broken in: v0.8.3
Broken in: v0.8.4
Broken in: v0.8.5
Broken in: v0.8.6
Broken in: v0.8.7
Broken in: v0.8.8
Broken in: v0.9.0
Broken in: v0.9.1
Broken in: v0.9.2
Broken in: v0.9.3
Broken in: v0.9.4
Broken in: v0.9.5
Broken in: v0.9.6
Broken in: v0.9.7
Broken in: v0.9.8
Broken in: v0.9.9
Broken in: v0.9.10
Broken in: v0.9.11
Broken in: v0.9.12
Broken in: v0.9.13
Broken in: v0.10.0
Broken in: v0.10.1
Broken in: v0.10.2
Broken in: v1.0.0
Broken in: v1.0.1
Broken in: v1.0.2
Broken in: v1.0.3
Broken in: v1.0.4
Broken in: v1.0.5
Broken in: v1.0.6
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Fixed in: v1.1.3
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 922b7fda77b094dbf022d625238262ea05335666
Branch v0.9.6-maint
Broken in: v0.9.6.1
Broken in: v0.9.6.2
Broken in: v0.9.6.3
Broken in: v0.9.6.4
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Branch v0.9.11-maint
Broken in: v0.9.11.1
Broken in: v0.9.11.2
Broken in: v0.9.11.3
Broken in: v0.9.11.4
Broken in: v0.9.11.5
Broken in: v0.9.11.6
Broken in: v0.9.11.7
Broken in: v0.9.11.8
Broken in: v0.9.11.9
Broken in: v0.9.11.10
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Branch v0.9.12-maint
Fixed in: v0.9.12.1
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 078627104d338b8de18156a7162d9b19378c5e88
Branch v0.10.2-maint
Broken in: v0.10.2.1
Broken in: v0.10.2.2
Broken in: v0.10.2.3
Broken in: v0.10.2.4
Broken in: v0.10.2.5
Broken in: v0.10.2.6
Broken in: v0.10.2.7
Fixed in: v0.10.2.8
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 77d448e15d73773d5ffe00b62dbdbc0380c4faae
Branch v1.0.2-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 30cf3b74903da808bd1c8e5d79a7a4cb46e726c0
Branch v1.0.3-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 69a4bc670bdbb2bb64a92214f0e726fda77aecc4
Branch v1.0.4-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: a01514b25dc9c841dfd03a08bc831957165a43ca
Branch v1.0.5-maint
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Fixed in: v1.0.5.6
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 85ca41529db49a5e0ff633eaa891136218c03645
Branch v1.0.6-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: a338c40b8a800b0edc372d433ec5d4411e8af8ea
Branch v1.1.0-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 15033105c262ce115a05c8cba4951752b556fbe8
Branch v1.1.1-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 7659e912c5e6d152210e7084d57770ea10335a3a
Branch v1.1.2-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 2a32bbbfb118d68071bb0a107b20a5ffdfdc6808
