| Reported on: | 20130828 |
|---|---|
| Published on: | 20130918 |
| Fixed on: | 20130918 |
| Reported by: | Sebastian Krahmer |
|---|---|
| Patched by: | Daniel Berrange |
| Colin Walters |
There is a race condition in the way libvirt invokes the pkcheck binary, which could result in polkit doing the authorization check against the wrong user ID
A malicious libvirt client can have one thread exec a setuid application in parallel with another thread authenticating to libvirt. This would result in polkit authorizing the libvirt client as if it were running user ID 0. An unprivileged user can thus elevate their privileges.
Disable all use of polkit authentication in the libvirtd server and use of the polkit access control driver.
| Branch | master |
|---|---|
| Broken in: | v0.7.1 |
| Broken in: | v0.7.2 |
| Broken in: | v0.7.3 |
| Broken in: | v0.7.4 |
| Broken in: | v0.7.5 |
| Broken in: | v0.7.6 |
| Broken in: | v0.7.7 |
| Broken in: | v0.8.0 |
| Broken in: | v0.8.1 |
| Broken in: | v0.8.2 |
| Broken in: | v0.8.3 |
| Broken in: | v0.8.4 |
| Broken in: | v0.8.5 |
| Broken in: | v0.8.6 |
| Broken in: | v0.8.7 |
| Broken in: | v0.8.8 |
| Broken in: | v0.9.0 |
| Broken in: | v0.9.1 |
| Broken in: | v0.9.2 |
| Broken in: | v0.9.3 |
| Broken in: | v0.9.4 |
| Broken in: | v0.9.5 |
| Broken in: | v0.9.6 |
| Broken in: | v0.9.7 |
| Broken in: | v0.9.8 |
| Broken in: | v0.9.9 |
| Broken in: | v0.9.10 |
| Broken in: | v0.9.11 |
| Broken in: | v0.9.12 |
| Broken in: | v0.9.13 |
| Broken in: | v0.10.0 |
| Broken in: | v0.10.1 |
| Broken in: | v0.10.2 |
| Broken in: | v1.0.0 |
| Broken in: | v1.0.1 |
| Broken in: | v1.0.2 |
| Broken in: | v1.0.3 |
| Broken in: | v1.0.4 |
| Broken in: | v1.0.5 |
| Broken in: | v1.0.6 |
| Broken in: | v1.1.0 |
| Broken in: | v1.1.1 |
| Broken in: | v1.1.2 |
| Fixed in: | v1.1.3 |
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Fixed by: | 922b7fda77b094dbf022d625238262ea05335666 |
| Fixed by: | e4697b92abaad16e8e6b41a1e55be9b084d48d5a |
| Branch | v0.8.3-maint |
|---|---|
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Branch | v0.9.6-maint |
|---|---|
| Broken in: | v0.9.6.1 |
| Broken in: | v0.9.6.2 |
| Broken in: | v0.9.6.3 |
| Broken in: | v0.9.6.4 |
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Branch | v0.9.11-maint |
|---|---|
| Broken in: | v0.9.11.1 |
| Broken in: | v0.9.11.2 |
| Broken in: | v0.9.11.3 |
| Broken in: | v0.9.11.4 |
| Broken in: | v0.9.11.5 |
| Broken in: | v0.9.11.6 |
| Broken in: | v0.9.11.7 |
| Broken in: | v0.9.11.8 |
| Broken in: | v0.9.11.9 |
| Broken in: | v0.9.11.10 |
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Branch | v0.9.12-maint |
|---|---|
| Broken in: | v0.9.12.1 |
| Broken in: | v0.9.12.2 |
| Broken in: | v0.9.12.3 |
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Fixed by: | 078627104d338b8de18156a7162d9b19378c5e88 |
| Branch | v0.10.2-maint |
|---|---|
| Broken in: | v0.10.2.1 |
| Broken in: | v0.10.2.2 |
| Broken in: | v0.10.2.3 |
| Broken in: | v0.10.2.4 |
| Broken in: | v0.10.2.5 |
| Broken in: | v0.10.2.6 |
| Broken in: | v0.10.2.7 |
| Broken in: | v0.10.2.8 |
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Fixed by: | 77d448e15d73773d5ffe00b62dbdbc0380c4faae |
| Branch | v1.0.0-maint |
|---|---|
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Branch | v1.0.1-maint |
|---|---|
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Branch | v1.0.2-maint |
|---|---|
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Fixed by: | 30cf3b74903da808bd1c8e5d79a7a4cb46e726c0 |
| Branch | v1.0.3-maint |
|---|---|
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Fixed by: | 69a4bc670bdbb2bb64a92214f0e726fda77aecc4 |
| Branch | v1.0.4-maint |
|---|---|
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Fixed by: | a01514b25dc9c841dfd03a08bc831957165a43ca |
| Branch | v1.0.5-maint |
|---|---|
| Broken in: | v1.0.5.1 |
| Broken in: | v1.0.5.2 |
| Broken in: | v1.0.5.3 |
| Broken in: | v1.0.5.4 |
| Broken in: | v1.0.5.5 |
| Broken in: | v1.0.5.6 |
| Broken in: | v1.0.5.7 |
| Broken in: | v1.0.5.8 |
| Broken in: | v1.0.5.9 |
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Fixed by: | 85ca41529db49a5e0ff633eaa891136218c03645 |
| Branch | v1.0.6-maint |
|---|---|
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Fixed by: | a338c40b8a800b0edc372d433ec5d4411e8af8ea |
| Branch | v1.1.0-maint |
|---|---|
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Fixed by: | d014e3eb084a0b3388bd351b9ce2d90e54234b4e |
| Fixed by: | 15033105c262ce115a05c8cba4951752b556fbe8 |
| Branch | v1.1.1-maint |
|---|---|
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Fixed by: | 003b655e009597c514082ec832e96bfd78fdbece |
| Fixed by: | 7659e912c5e6d152210e7084d57770ea10335a3a |
| Branch | v1.1.2-maint |
|---|---|
| Broken by: | 8e06c8b3da889899072d4ff051f3325fc4e4f58d |
| Fixed by: | 8616dc8b4f3bf0537cb316eb1465d213012d131f |
| Fixed by: | 2a32bbbfb118d68071bb0a107b20a5ffdfdc6808 |