Libvirt Security Notice: LSN-2013-0012
======================================

Summary: Insecure invocation of polkit for checking authorization
Reported on: 20130828
Published on: 20130918
Fixed on: 20130918
Reported by: Sebastian Krahmer
Patched by: Daniel Berrange, Colin Walters
See also: CVE-2013-4311

Description
-----------

There is a race condition in the way libvirt invokes the pkcheck binary, which could result in polkit doing the authorization check against the wrong user ID.

Impact
------

A malicious libvirt client can have one thread exec a setuid application in parallel with another thread authenticating to libvirt. This would result in polkit authorizing the libvirt client as if it were running as user ID 0. An unprivileged user can thus elevate their privileges.

Workaround
----------

Disable all use of polkit authentication in the libvirtd server and use of the polkit access control driver.

Affected product
----------------

Name: libvirt
Repository: https://gitlab.com/libvirt/libvirt

Branch: master
Broken in: v0.7.1
Broken in: v0.7.2
Broken in: v0.7.3
Broken in: v0.7.4
Broken in: v0.7.5
Broken in: v0.7.6
Broken in: v0.7.7
Broken in: v0.8.0
Broken in: v0.8.1
Broken in: v0.8.2
Broken in: v0.8.3
Broken in: v0.8.4
Broken in: v0.8.5
Broken in: v0.8.6
Broken in: v0.8.7
Broken in: v0.8.8
Broken in: v0.9.0
Broken in: v0.9.1
Broken in: v0.9.2
Broken in: v0.9.3
Broken in: v0.9.4
Broken in: v0.9.5
Broken in: v0.9.6
Broken in: v0.9.7
Broken in: v0.9.8
Broken in: v0.9.9
Broken in: v0.9.10
Broken in: v0.9.11
Broken in: v0.9.12
Broken in: v0.9.13
Broken in: v0.10.0
Broken in: v0.10.1
Broken in: v0.10.2
Broken in: v1.0.0
Broken in: v1.0.1
Broken in: v1.0.2
Broken in: v1.0.3
Broken in: v1.0.4
Broken in: v1.0.5
Broken in: v1.0.6
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Fixed in: v1.1.3
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 922b7fda77b094dbf022d625238262ea05335666
Fixed by: e4697b92abaad16e8e6b41a1e55be9b084d48d5a

Branch: v0.8.3-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d

Branch: v0.9.6-maint
Broken in: v0.9.6.1
Broken in: v0.9.6.2
Broken in: v0.9.6.3
Broken in: v0.9.6.4
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d

Branch: v0.9.11-maint
Broken in: v0.9.11.1
Broken in: v0.9.11.2
Broken in: v0.9.11.3
Broken in: v0.9.11.4
Broken in: v0.9.11.5
Broken in: v0.9.11.6
Broken in: v0.9.11.7
Broken in: v0.9.11.8
Broken in: v0.9.11.9
Broken in: v0.9.11.10
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d

Branch: v0.9.12-maint
Broken in: v0.9.12.1
Broken in: v0.9.12.2
Broken in: v0.9.12.3
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 078627104d338b8de18156a7162d9b19378c5e88

Branch: v0.10.2-maint
Broken in: v0.10.2.1
Broken in: v0.10.2.2
Broken in: v0.10.2.3
Broken in: v0.10.2.4
Broken in: v0.10.2.5
Broken in: v0.10.2.6
Broken in: v0.10.2.7
Broken in: v0.10.2.8
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 77d448e15d73773d5ffe00b62dbdbc0380c4faae

Branch: v1.0.0-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d

Branch: v1.0.1-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d

Branch: v1.0.2-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 30cf3b74903da808bd1c8e5d79a7a4cb46e726c0

Branch: v1.0.3-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 69a4bc670bdbb2bb64a92214f0e726fda77aecc4

Branch: v1.0.4-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: a01514b25dc9c841dfd03a08bc831957165a43ca

Branch: v1.0.5-maint
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Broken in: v1.0.5.6
Broken in: v1.0.5.7
Broken in: v1.0.5.8
Broken in: v1.0.5.9
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 85ca41529db49a5e0ff633eaa891136218c03645

Branch: v1.0.6-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: a338c40b8a800b0edc372d433ec5d4411e8af8ea

Branch: v1.1.0-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: d014e3eb084a0b3388bd351b9ce2d90e54234b4e
Fixed by: 15033105c262ce115a05c8cba4951752b556fbe8

Branch: v1.1.1-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 003b655e009597c514082ec832e96bfd78fdbece
Fixed by: 7659e912c5e6d152210e7084d57770ea10335a3a

Branch: v1.1.2-maint
Broken by: 8e06c8b3da889899072d4ff051f3325fc4e4f58d
Fixed by: 8616dc8b4f3bf0537cb316eb1465d213012d131f
Fixed by: 2a32bbbfb118d68071bb0a107b20a5ffdfdc6808
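
The race described under Description and Impact exists when the user ID is looked up from a process ID after the client has connected. As an added example (not libvirt's code and not taken from the fix commits listed in this notice), the C program below builds the pkcheck subject from the peer credentials the kernel recorded on the UNIX socket. It assumes Linux and a pkcheck that accepts the `pid,start-time,uid` form of `--process`; the helper names `proc_start_time` and `peer_subject` are hypothetical.

```c
#define _GNU_SOURCE /* struct ucred, SO_PEERCRED */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Field 22 of /proc/<pid>/stat is the start time in clock ticks. comm
 * (field 2) may contain spaces, so count fields after the last ')'. */
static int proc_start_time(pid_t pid, unsigned long long *out)
{
    char path[64], buf[1024];
    snprintf(path, sizeof(path), "/proc/%ld/stat", (long)pid);
    FILE *fp = fopen(path, "r");
    if (!fp) return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    char *p = strrchr(buf, ')');
    int field = 2;
    for (char *t = p ? strtok(p + 1, " ") : NULL; t; t = strtok(NULL, " "))
        if (++field == 22)
            return sscanf(t, "%llu", out) == 1 ? 0 : -1;
    return -1;
}

/* Build "pid,start-time,uid" for a UNIX socket peer. The uid is the one the
 * kernel recorded at connect time, so a later setuid exec cannot change it. */
int peer_subject(int fd, char *dst, size_t len)
{
    struct ucred cred;
    socklen_t clen = sizeof(cred);
    unsigned long long start;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &clen) < 0 ||
        proc_start_time(cred.pid, &start) < 0)
        return -1;
    int n = snprintf(dst, len, "%ld,%llu,%lu", (long)cred.pid, start,
                     (unsigned long)cred.uid);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    int sv[2]; /* socketpair: constructed stand-in for a client connection */
    char subj[96];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 ||
        peer_subject(sv[0], subj, sizeof(subj)) < 0)
        return 1;
    printf("pkcheck --action-id <action-id> --process %s\n", subj);
    return 0;
}
```

A failure to obtain the credentials or start time returns -1, and the caller should treat that as an authorization denial rather than fall back to a pid-only subject.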