| Reported on: | 20190604 |
|---|---|
| Published on: | 20190620 |
| Fixed on: | 20190620 |
| Reported by: | Matthias Gerstner |
|---|---|
| Patched by: | Ján Tomko |
The virDomainSaveImageGetXMLDesc accesses and parses arbitrary files without checking for the read-only connection. This allows unprivileged users to check for existence of arbitrary files or executing arbitrary binaries with elevated privileges.
The default libvirt configuration allows all local user accounts read-only access to the libvirtd daemon. Any local user can check for the existence of an arbitrary file by watching for a different error message. Additionally, since v1.2.19, by providing a crafted save file pointing to an arbitrary emulator, executing arbitrary binaries as the configured QEMU user is possible. Since v5.1.0, the emulator binary is run with CAP_DAC_OVERRIDE, essentially having root privileges.
Edit the /etc/libvirt/libvirtd.conf configuration file, to set the 'unix_sock_ro_perms = "0700"' to prevent local users from connecting to libvirt. Alternatively setup a policy kit rule to prevent them access without first authenticating as root.
| Branch | master |
|---|---|
| Broken in: | v0.9.4 |
| Broken in: | v0.9.5 |
| Broken in: | v0.9.6 |
| Broken in: | v0.9.7 |
| Broken in: | v0.9.8 |
| Broken in: | v0.9.9 |
| Broken in: | v0.9.10 |
| Broken in: | v0.9.11 |
| Broken in: | v0.9.12 |
| Broken in: | v0.9.13 |
| Broken in: | v0.10.0 |
| Broken in: | v0.10.1 |
| Broken in: | v0.10.2 |
| Broken in: | v1.0.0 |
| Broken in: | v1.0.1 |
| Broken in: | v1.0.2 |
| Broken in: | v1.0.3 |
| Broken in: | v1.0.4 |
| Broken in: | v1.0.5 |
| Broken in: | v1.0.6 |
| Broken in: | v1.1.0 |
| Broken in: | v1.1.1 |
| Broken in: | v1.1.2 |
| Broken in: | v1.1.3 |
| Broken in: | v1.1.4 |
| Broken in: | v1.2.0 |
| Broken in: | v1.2.1 |
| Broken in: | v1.2.2 |
| Broken in: | v1.2.3 |
| Broken in: | v1.2.4 |
| Broken in: | v1.2.5 |
| Broken in: | v1.2.6 |
| Broken in: | v1.2.7 |
| Broken in: | v1.2.8 |
| Broken in: | v1.2.9 |
| Broken in: | v1.2.10 |
| Broken in: | v1.2.11 |
| Broken in: | v1.2.12 |
| Broken in: | v1.2.13 |
| Broken in: | v1.2.14 |
| Broken in: | v1.2.15 |
| Broken in: | v1.2.16 |
| Broken in: | v1.2.17 |
| Broken in: | v1.2.18 |
| Broken in: | v1.2.19 |
| Broken in: | v1.2.20 |
| Broken in: | v1.2.21 |
| Broken in: | v1.3.0 |
| Broken in: | v1.3.1 |
| Broken in: | v1.3.2 |
| Broken in: | v1.3.3 |
| Broken in: | v1.3.4 |
| Broken in: | v1.3.5 |
| Broken in: | v2.0.0 |
| Broken in: | v2.1.0 |
| Broken in: | v2.2.0 |
| Broken in: | v2.3.0 |
| Broken in: | v2.4.0 |
| Broken in: | v2.5.0 |
| Broken in: | v3.0.0 |
| Broken in: | v3.1.0 |
| Broken in: | v3.2.0 |
| Broken in: | v3.3.0 |
| Broken in: | v3.4.0 |
| Broken in: | v3.5.0 |
| Broken in: | v3.6.0 |
| Broken in: | v3.7.0 |
| Broken in: | v3.8.0 |
| Broken in: | v3.9.0 |
| Broken in: | v3.10.0 |
| Broken in: | v4.0.0 |
| Broken in: | v4.1.0 |
| Broken in: | v4.2.0 |
| Broken in: | v4.3.0 |
| Broken in: | v4.4.0 |
| Broken in: | v4.5.0 |
| Broken in: | v4.6.0 |
| Broken in: | v4.7.0 |
| Broken in: | v4.8.0 |
| Broken in: | v4.9.0 |
| Broken in: | v4.10.0 |
| Broken in: | v5.0.0 |
| Broken in: | v5.1.0 |
| Broken in: | v5.2.0 |
| Broken in: | v5.3.0 |
| Broken in: | v5.4.0 |
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | aed6a032cead4386472afb24b16196579e239580 |
| Branch | v0.9.6-maint |
|---|---|
| Broken in: | v0.9.6.1 |
| Broken in: | v0.9.6.2 |
| Broken in: | v0.9.6.3 |
| Broken in: | v0.9.6.4 |
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v0.9.11-maint |
|---|---|
| Broken in: | v0.9.11.1 |
| Broken in: | v0.9.11.2 |
| Broken in: | v0.9.11.3 |
| Broken in: | v0.9.11.4 |
| Broken in: | v0.9.11.5 |
| Broken in: | v0.9.11.6 |
| Broken in: | v0.9.11.7 |
| Broken in: | v0.9.11.8 |
| Broken in: | v0.9.11.9 |
| Broken in: | v0.9.11.10 |
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v0.9.12-maint |
|---|---|
| Broken in: | v0.9.12.1 |
| Broken in: | v0.9.12.2 |
| Broken in: | v0.9.12.3 |
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v0.10.2-maint |
|---|---|
| Broken in: | v0.10.2.1 |
| Broken in: | v0.10.2.2 |
| Broken in: | v0.10.2.3 |
| Broken in: | v0.10.2.4 |
| Broken in: | v0.10.2.5 |
| Broken in: | v0.10.2.6 |
| Broken in: | v0.10.2.7 |
| Broken in: | v0.10.2.8 |
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.0.0-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.0.1-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.0.2-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.0.3-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.0.4-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.0.5-maint |
|---|---|
| Broken in: | v1.0.5.1 |
| Broken in: | v1.0.5.2 |
| Broken in: | v1.0.5.3 |
| Broken in: | v1.0.5.4 |
| Broken in: | v1.0.5.5 |
| Broken in: | v1.0.5.6 |
| Broken in: | v1.0.5.7 |
| Broken in: | v1.0.5.8 |
| Broken in: | v1.0.5.9 |
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.0.6-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.1.0-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.1.1-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.1.2-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.1.3-maint |
|---|---|
| Broken in: | v1.1.3.1 |
| Broken in: | v1.1.3.2 |
| Broken in: | v1.1.3.3 |
| Broken in: | v1.1.3.4 |
| Broken in: | v1.1.3.5 |
| Broken in: | v1.1.3.6 |
| Broken in: | v1.1.3.7 |
| Broken in: | v1.1.3.8 |
| Broken in: | v1.1.3.9 |
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.1.4-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.0-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.1-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.2-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.3-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.4-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.5-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.6-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.7-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.8-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.9-maint |
|---|---|
| Broken in: | v1.2.9.1 |
| Broken in: | v1.2.9.2 |
| Broken in: | v1.2.9.3 |
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.10-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.11-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.12-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.13-maint |
|---|---|
| Broken in: | v1.2.13.1 |
| Broken in: | v1.2.13.2 |
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.14-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.15-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.16-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.17-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.18-maint |
|---|---|
| Broken in: | v1.2.18.1 |
| Broken in: | v1.2.18.2 |
| Broken in: | v1.2.18.3 |
| Broken in: | v1.2.18.4 |
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v1.2.19-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 4e16e7a3fc44a14f27eda23e75bae75992339b3a |
| Branch | v1.2.20-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 99ac102b8310adf50d16b62c533405eee6544cf2 |
| Branch | v1.2.21-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | fa2016e751452163aa2e93baa6c9bfc239e31885 |
| Branch | v1.3.0-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 470d6f5546fd027f9945845f6aad72f33c829be9 |
| Branch | v1.3.1-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 980109c41c8bb55fd105809f2e063667721feaea |
| Branch | v1.3.2-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 221397df7a5164bcc4d28f3157867db4894000d3 |
| Branch | v1.3.3-maint |
|---|---|
| Broken in: | v1.3.3.1 |
| Broken in: | v1.3.3.2 |
| Broken in: | v1.3.3.3 |
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | b22baef31258621b3bdb5036a84772bc6b6ec0a4 |
| Branch | v1.3.4-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | a8ae178438be285b91c4871251ad1482c4e396df |
| Branch | v1.3.5-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 70e83151456d386580708ade404ada41afac41dd |
| Branch | v2.0-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | a9e40f23207f464c322f4250b1373ff50ca71a85 |
| Branch | v2.1-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | dea40b42188e883c4118b02527f5c02a6fbbac59 |
| Branch | v2.2-maint |
|---|---|
| Broken in: | v2.2.1 |
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 97829dcb3889fd0a64ff32a72710303f59d7d5bf |
| Branch | v3.0-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | fb8c9f1305d108e5a43e83b72a86e41abfdeda86 |
| Branch | v3.2-maint |
|---|---|
| Broken in: | v3.2.1 |
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | ff5c64b94133b7b54e7359c63e1c2972531a4f5f |
| Branch | v3.7-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 8cf159fed436634a7607964eeecefee59be63b33 |
| Branch | v4.1-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 1f8129c5db3952a57900b8cd1d94e629068e6aa5 |
| Branch | v4.2-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 7312304ec0a50db539c6e1714f2c9b3a9e38daa7 |
| Branch | v4.3-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 8832b8a44f960229c5aa0a803d26c0ab4aa827af |
| Branch | v4.4-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | bafe00de3c62f3638e449ba62d4d88b56188bafe |
| Branch | v4.5-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 6a028b6e8228dd19283042e5edef3a45133630e8 |
| Branch | v4.6-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | a27659643b8ae9b26b52fc857cdc5b301184e26e |
| Branch | v4.7-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 3352c8af264a7b9b741208790ecca0bbc6733f42 |
| Branch | v4.8-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 56fadbbb25190d8ce0dcc54c550cc736a2fc5412 |
| Branch | v4.9-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 568c735d7b0ccb55f9476c86f8603eb3a5c9fc5c |
| Branch | v4.10-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 3572564893d1710beb1862797fe32cc2e9cb1e38 |
| Branch | v5.0-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 6aa0c85be9f840a32fcec282185b5ed2513a3aa5 |
| Branch | v5.1-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 111bb6555c5082ebba3de8e73a4e21a1573a5409 |
| Branch | v5.1.0-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Branch | v5.2-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | 3d9c8914663549e0cc0e822fa29b0a3a5bbc0fbd |
| Branch | v5.3-maint |
|---|---|
| Broken by: | d2a929d4b371a382d5508ae6bef80e392a34f8b9 |
| Fixed by: | dae676751cee86eaad880ee9c654823ce0e021ad |