Libvirt Security Notice: LSN-2009-0001

Incorrect buffer checks in setuid proxy

Lifecycle

Reported on: 20090127
Published on: 20090127
Fixed on: 20090128

Credits

Reported by: Rasputin
Patched by: Rasputin

See also

Description

The setuid libvirt_proxy helper program allows unprivileged users read-only access to query the Xen hypervisor for information. On short reads of data packets from the client, incorrect buffer validation was being performed. This cloud lead to a buffer overflow in the setuid proxy

Impact

An unprivileged user can feed malicious packets to the setuid proxy causing a buffer overflow. This can potentially be used to cause the program to execute arbitrary code as root. The GCC stack protector did not protect against the flaw since the function was being inlined to the main() method by the compiler optimizer

Workaround

Remove the setuid permission bit from the /usr/libexec/libvirt_proxy helper binary. This will prevent unprivileged users from being able to use it to elevate their privileges.

Affected product: libvirt

Branch master
Broken in: v0.1.3
Broken in: v0.1.4
Broken in: v0.1.6
Broken in: v0.1.7
Broken in: v0.1.8
Broken in: v0.1.9
Broken in: v0.1.10
Broken in: v0.1.11
Broken in: v0.2.0
Broken in: v0.2.1
Broken in: v0.2.2
Broken in: v0.2.3
Broken in: v0.3.0
Broken in: v0.3.1
Broken in: v0.3.2
Broken in: v0.3.3
Broken in: v0.4.1
Broken in: v0.4.2
Broken in: v0.4.4
Broken in: v0.4.6
Broken in: v0.5.0
Broken in: v0.5.1
Fixed in: v0.6.0
Broken by: 27b7a8be52cb0fd4fd4489607ccba13b8fe03003
Fixed by: be33b189a5e579509b5025d72b7f283401ef9dc1

Alternative formats: [xml] [text]