| Reported on: | 20090127 |
|---|---|
| Published on: | 20090127 |
| Fixed on: | 20090128 |
| Reported by: | Rasputin |
|---|---|
| Patched by: | Rasputin |
The setuid libvirt_proxy helper program allows unprivileged users read-only access to query the Xen hypervisor for information. On short reads of data packets from the client, incorrect buffer validation was being performed. This cloud lead to a buffer overflow in the setuid proxy
An unprivileged user can feed malicious packets to the setuid proxy causing a buffer overflow. This can potentially be used to cause the program to execute arbitrary code as root. The GCC stack protector did not protect against the flaw since the function was being inlined to the main() method by the compiler optimizer
Remove the setuid permission bit from the /usr/libexec/libvirt_proxy helper binary. This will prevent unprivileged users from being able to use it to elevate their privileges.
| Branch | master |
|---|---|
| Broken in: | v0.1.3 |
| Broken in: | v0.1.4 |
| Broken in: | v0.1.6 |
| Broken in: | v0.1.7 |
| Broken in: | v0.1.8 |
| Broken in: | v0.1.9 |
| Broken in: | v0.1.10 |
| Broken in: | v0.1.11 |
| Broken in: | v0.2.0 |
| Broken in: | v0.2.1 |
| Broken in: | v0.2.2 |
| Broken in: | v0.2.3 |
| Broken in: | v0.3.0 |
| Broken in: | v0.3.1 |
| Broken in: | v0.3.2 |
| Broken in: | v0.3.3 |
| Broken in: | v0.4.1 |
| Broken in: | v0.4.2 |
| Broken in: | v0.4.4 |
| Broken in: | v0.4.6 |
| Broken in: | v0.5.0 |
| Broken in: | v0.5.1 |
| Fixed in: | v0.6.0 |
| Broken by: | 27b7a8be52cb0fd4fd4489607ccba13b8fe03003 |
| Fixed by: | be33b189a5e579509b5025d72b7f283401ef9dc1 |