Libvirt Security Notice: LSN-2013-0014

virt-login-shell fails to secure setuid environment

Lifecycle

Reported on: 20131002
Published on: 20131021
Fixed on: 20131021

Credits

Reported by: Sebastian Krahmer
Patched by: Daniel Berrange

See also

Description

The virt-login-shell binary is a setuid program used to connect to LXC containers. It fails to sanitize its environment in a number of places, allowing it to be used to elevate the privileges of the invoking user by overwriting files.

Impact

An unprivileged user can overwrite arbitrary files on the host leading to an elevation of privileges.

Workaround

Remove the setuid bit from the virt-login-shell binary.
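An added audit script, not part of this notice or of libvirt, that checks whether the installed virt-login-shell still carries the set-user-ID bit and can apply the workaround above; the install path /usr/bin/virt-login-shell is an assumption (override it via VIRT_LOGIN_SHELL), and the script checks only the file mode, not the libvirt version.

```shell
#!/bin/sh
# Assumed default location of the binary; the real path depends on the distribution.
VIRT_LOGIN_SHELL="${VIRT_LOGIN_SHELL:-/usr/bin/virt-login-shell}"

# Returns 0 when the given path is a regular file with the set-user-ID bit set.
# POSIX test(1) provides -u for exactly this check, so no stat(1) parsing is needed.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Prints one status line for the administrator.
# Returns 0 when no setuid virt-login-shell is present, 1 when the bit is still set
# (vulnerable unless a fixed libvirt release is installed).
audit_virt_login_shell() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "$f: not installed"
        return 0
    fi
    if is_setuid "$f"; then
        echo "$f: setuid bit set - remove it or upgrade to a fixed release"
        return 1
    fi
    echo "$f: no setuid bit (workaround applied)"
    return 0
}

# Applies the workaround from the notice: clear the setuid bit.
# Needs root for a system binary; returns 0 only if the bit is gone afterwards.
apply_workaround() {
    chmod u-s "$1" && ! is_setuid "$1"
}

# Stand-alone use: audit the installed binary; pass "fix" to also apply the workaround.
if [ "${1:-}" = "fix" ]; then
    audit_virt_login_shell "$VIRT_LOGIN_SHELL" || apply_workaround "$VIRT_LOGIN_SHELL"
elif [ "${1:-}" = "audit" ]; then
    audit_virt_login_shell "$VIRT_LOGIN_SHELL"
fi
```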

Affected product: libvirt

Branch master
  Broken in: v1.1.2
  Broken in: v1.1.3
  Fixed in: v1.1.4
  Broken by: 54d69f540c9928da98f10202b3f21b7abb00bac1
  Fixed by: 8c3586ea755c40d5e01b22cb7b5c1e668cdec994
  Fixed by: b7fcc799ad5d8f3e55b89b94e599903e3c092467
  Fixed by: 3e2f27e13b94f7302ad948bcacb5e02c859a25fc

Branch v1.1.2-maint
  Broken by: 54d69f540c9928da98f10202b3f21b7abb00bac1
  Fixed by: bd047ba666122fd57f6cb39ac5795449d5ff26d2
  Fixed by: 9ab478edaddd00708adc9ff99d5a48e3accecfe5
  Fixed by: 31a3086d735b6291795941972b5d6da335cc6aab

Branch v1.1.3-maint
  Fixed in: v1.1.3.1
  Broken by: 54d69f540c9928da98f10202b3f21b7abb00bac1
  Fixed by: d8accf54e310b90bd8794edd2d6d1f7d74bb421d
  Fixed by: 6fc87e07a22587b9f38845ce1a0d6db1c7483fe9
  Fixed by: 062ad8b2beac2316a3b1e304668ea852e70ea506