Libvirt Security Notice: LSN-2013-0015

Incorrect permissions on XML conversion APIs

Lifecycle

Reported on: 20131002
Published on: 20131021
Fixed on: 20131021

Credits

Reported by: Daniel P. Berrange
Patched by: Daniel P. Berrange

See also

Description

The virConnectDomainXMLToNative API was mistakenly given the 'read' permission instead of the 'write' permission. The latter is required since the conversion process will trigger execution of user provided binaries whose path is listed in the XML.

Impact

An unprivileged user with the 'connect:read' permission could cause the libvirtd daemon to execute arbitrary binaries as root

Workaround

Remove the 'connect:read' permission from untrusted users

Affected product: libvirt

Branch master
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Fixed in: 1.1.4
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: 57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c
Branch v1.1.0-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: a0e5e40501a6ab608f85af878f6af9d52e5db0c7
Branch v1.1.1-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: a02673d503326ff713460f5f407151f32a2aea8c
Branch v1.1.2-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: 90171893ce0d78dd5b93137c6a395b06756f9a08
Branch v1.1.3-maint
Fixed in: v1.1.3.1
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: 1adbe4faa952d8aaba58faa7d9b8bd7164aafbe6

Alternative formats: [xml] [text]