Libvirt Security Notice: LSN-2009-0001

Incorrect buffer checks in setuid proxy


Reported on: 20090127
Published on: 20090127
Fixed on: 20090128


Reported by: Rasputin
Patched by: Rasputin

See also


The setuid libvirt_proxy helper program allows unprivileged users read-only access to query the Xen hypervisor for information. On short reads of data packets from the client, incorrect buffer validation was being performed. This could lead to a buffer overflow in the setuid proxy.


An unprivileged user can feed malicious packets to the setuid proxy, causing a buffer overflow. This can potentially be used to cause the program to execute arbitrary code as root. The GCC stack protector did not protect against the flaw, since the function was being inlined into the main() function by the compiler optimizer.
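The class of check described above, as an added example (not libvirt's code and not the actual fix): a reader that loops over short reads and validates the client-supplied length against both the header size and the destination buffer before using it. The packet layout, `PKT_MAX_PAYLOAD`, and the function names `read_full`, `read_packet` and `parse_bytes` are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical wire format (an assumption, not libvirt's): a fixed header whose
 * len field gives the total packet size, followed by a bounded payload. */
#define PKT_MAX_PAYLOAD 64
struct pkt_hdr { uint16_t version; uint16_t command; uint16_t len; };
struct pkt { struct pkt_hdr hdr; uint8_t payload[PKT_MAX_PAYLOAD]; };

/* Read exactly n bytes, looping over short reads. 0 on success, -1 on EOF/error. */
static int read_full(int fd, void *buf, size_t n)
{
    uint8_t *p = buf;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) return -1;          /* error, or peer closed mid-packet */
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Returns the payload length on success, -1 on a truncated or malformed packet. */
int read_packet(int fd, struct pkt *out)
{
    if (read_full(fd, &out->hdr, sizeof out->hdr) < 0) return -1;
    /* Validate the client-supplied length against BOTH bounds before it is used
     * as a read size: not smaller than the header, not larger than the buffer. */
    if (out->hdr.len < sizeof out->hdr || out->hdr.len > sizeof *out)
        return -1;
    size_t want = out->hdr.len - sizeof out->hdr;
    if (read_full(fd, out->payload, want) < 0) return -1;
    return (int)want;
}

/* Helper for exercising the parser: push constructed bytes through a pipe. */
int parse_bytes(const void *bytes, size_t n, struct pkt *out)
{
    int fds[2];
    if (pipe(fds) < 0) return -1;
    ssize_t w = write(fds[1], bytes, n);
    close(fds[1]);                      /* EOF after n bytes simulates truncation */
    int rc = (w == (ssize_t)n) ? read_packet(fds[0], out) : -1;
    close(fds[0]);
    return rc;
}
```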


Remove the setuid permission bit from the /usr/libexec/libvirt_proxy helper binary. This will prevent unprivileged users from being able to use it to elevate their privileges.

Affected product: libvirt

Branch master
Broken in: v0.1.3
Broken in: v0.1.4
Broken in: v0.1.6
Broken in: v0.1.7
Broken in: v0.1.8
Broken in: v0.1.9
Broken in: v0.1.10
Broken in: v0.1.11
Broken in: v0.2.0
Broken in: v0.2.1
Broken in: v0.2.2
Broken in: v0.2.3
Broken in: v0.3.0
Broken in: v0.3.1
Broken in: v0.3.2
Broken in: v0.3.3
Broken in: v0.4.1
Broken in: v0.4.2
Broken in: v0.4.4
Broken in: v0.4.6
Broken in: v0.5.0
Broken in: v0.5.1
Fixed in: v0.6.0
Broken by: 27b7a8be52cb0fd4fd4489607ccba13b8fe03003
Fixed by: be33b189a5e579509b5025d72b7f283401ef9dc1
