Libvirt Security Notice: LSN-2010-0002
======================================

      Summary: Ignoring backing store format when recursing into disk
               image backing stores
  Reported on: 20100615
 Published on: 20100712
     Fixed on: 20100719
  Reported by: Daniel Berrange
   Patched by: Daniel Berrange
     See also: CVE-2010-2238

Description
-----------

Prior to starting a guest, or when hotplugging or unplugging a device,
the libvirt SELinux, DAC and CGroups security drivers need to determine
the full file chain associated with a disk image. This is done by
traversing the backing files referenced in the disk image headers. The
code did not, however, honour the backing format encoded in the disk
image metadata when recursing into disk image backing files, so a raw
file could be misidentified as another type of file.

Impact
------

The SELinux, DAC and CGroups code was not honouring backing formats, so
it could be tricked into giving the VM access to files that were
otherwise not permitted by its configuration. This can be done by taking
what was expected to be a raw backing file and writing a qcow2 header
into it.

Workaround
----------

Do not use any disks with raw backing files.

Affected product
----------------

      Name: libvirt
Repository: https://gitlab.com/libvirt/libvirt

    Branch: master
 Broken in: v0.7.2
 Broken in: v0.7.3
 Broken in: v0.7.4
 Broken in: v0.7.5
 Broken in: v0.7.6
 Broken in: v0.7.7
 Broken in: v0.8.0
 Broken in: v0.8.1
 Broken in: v0.8.2
  Fixed in: v0.8.3
 Broken by: fe627697a3830cd2db0efcc201d8caa9e171263d
 Broken by: 15f5eaa09895d68b849a0b0ec458acdafe75d080
 Broken by: 117d04fb1d388df700cc37c4d2a68189fab280c0
  Fixed by: 68719c4bddb85fbcc931a5b7d99ac7c8a0af09b0
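
The chain traversal described under Description, as an added example that is not libvirt's code: a minimal qcow2 header parser walks one backing chain, either probing each file's content or honouring the backing format declared by the referring image. The in-memory FILES map, its file names, and the rule that an undeclared backing format is treated as raw are assumptions of this example.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
EXT_BACKING_FORMAT = 0xE2792ACA  # qcow2 header extension: backing format name

def parse_qcow2(data):
    """Return (backing_name, declared_backing_format), or None if not qcow2."""
    if len(data) < 72 or data[:4] != QCOW2_MAGIC:
        return None
    version, bf_off, bf_len = struct.unpack_from(">IQI", data, 4)
    name = data[bf_off:bf_off + bf_len].decode() if bf_off else None
    # Extensions follow the header: 72 bytes in v2, header_length (offset 100) in v3.
    pos = 72 if version == 2 else struct.unpack_from(">I", data, 100)[0]
    fmt = None
    while pos + 8 <= len(data):
        ext_type, ext_len = struct.unpack_from(">II", data, pos)
        if ext_type == 0:  # end-of-extensions marker
            break
        if ext_type == EXT_BACKING_FORMAT:
            fmt = data[pos + 8:pos + 8 + ext_len].decode()
        pos += 8 + ((ext_len + 7) & ~7)  # extension data is padded to 8 bytes
    return name, fmt

def resolve_chain(files, path, fmt, honour_declared=True):
    """List every file a security driver would label for this disk."""
    chain = []
    while path is not None and path not in chain:
        chain.append(path)
        hdr = None if fmt == "raw" else parse_qcow2(files.get(path, b""))
        if hdr is None:  # raw (declared or probed): no header, so no backing file
            break
        path, declared = hdr
        # Assumption of this example: an undeclared backing format means raw.
        fmt = (declared or "raw") if honour_declared else None  # None = probe content
    return chain

def make_qcow2(backing, backing_fmt=None):
    """Constructed sample: minimal v2 header, optional backing format extension."""
    ext = b""
    if backing_fmt:
        f = backing_fmt.encode()
        ext = struct.pack(">II", EXT_BACKING_FORMAT, len(f)) + f.ljust((len(f) + 7) & ~7, b"\0")
    ext += struct.pack(">II", 0, 0)
    hdr = QCOW2_MAGIC + struct.pack(">IQI", 2, 72 + len(ext), len(backing.encode()))
    return hdr.ljust(72, b"\0") + ext + backing.encode()

# Constructed sample: base.img is declared raw, but its bytes look like qcow2.
FILES = {"top.qcow2": make_qcow2("base.img", "raw"),
         "base.img": make_qcow2("other.img"), "other.img": b"\0" * 512}
```

Calling resolve_chain(FILES, "top.qcow2", "qcow2", honour_declared=False) returns all three files, while the default call stops at base.img because top.qcow2 declares it raw.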