Bug 1277121 (CVE-2015-5313)

Summary: CVE-2015-5313 libvirt: filesystem storage volume names path traversal flaw
Product: [Other] Security Response
Component: vulnerability
Reporter: Adam Mariš <amaris>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aavati, berrange, carnil, eblake, jdenemar, jsuchane, knoel, nlevinki, pkrempa, rfortier, security-response-team, sgirijan, sisharma, slawomir, slong, ssaha, vbellur
Keywords: Reopened, Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
A path-traversal flaw was found in the way the libvirt daemon handled filesystem names for storage volumes. A libvirt user with privileges to create storage volumes and without privileges to create and modify domains could possibly use this flaw to escalate their privileges.
Last Closed: 2019-06-08 02:45:02 UTC
Bug Depends On: 1291035, 1291433, 1292585    
Bug Blocks: 1277124    
Attachments: proposed patch (flags: none)

Description Adam Mariš 2015-11-02 12:21:11 UTC
A path traversal vulnerability allowing the libvirtd process to write arbitrary files on the file system using root permissions was found. A user with the storage_vol:create ACL permission can exploit this vulnerability without needing write access to the libvirtd connection (domain:write permission).
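
The check this class of flaw calls for, as an added example that is not part of the original report and is not libvirt's code: a user-supplied volume name is validated as a single file name before it is joined to the pool directory. The function names, the `/srv/pool` directory and the sample names are constructed, and the "pool directory plus name" path model is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not libvirt code): returns 1 when a user-supplied
 * volume name is usable as one file name inside a pool directory. */
static int vol_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;                   /* empty name */
    if (strchr(name, '/') != NULL)
        return 0;                   /* a separator lets the path leave the pool */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;                   /* directory references, not file names */
    return 1;
}

/* Traversal-prone join (assumed model): the name is trusted as-is. */
static int join_unchecked(const char *pool_dir, const char *name,
                          char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", pool_dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened join: reject unsafe names before any path is built. */
static int join_checked(const char *pool_dir, const char *name,
                        char *out, size_t outlen)
{
    if (!vol_name_is_safe(name))
        return -1;
    return join_unchecked(pool_dir, name, out, outlen);
}

int main(void)
{
    /* Constructed sample input; /srv/pool is a placeholder directory. */
    const char *pool = "/srv/pool";
    const char *names[] = { "disk0.img", "../outside.img", "sub/vol", ".." };
    char path[256];

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int rc = join_checked(pool, names[i], path, sizeof(path));
        printf("%-16s -> %s\n", names[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

Validating the name, rather than canonicalizing the joined path afterwards, keeps the decision independent of symlinks or missing intermediate directories on disk.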

Comment 3 Eric Blake 2015-12-09 00:57:33 UTC
Created attachment 1103765: proposed patch

Comment 4 Eric Blake 2015-12-12 00:01:51 UTC
Issue is now public:
https://www.redhat.com/archives/libvir-list/2015-December/msg00473.html

Comment 6 Tomas Hoger 2015-12-14 20:44:41 UTC
This issue is not considered to have any security impact on libvirt versions as shipped with Red Hat Enterprise Linux 6 and earlier. In those versions, this can only be exploited by privileged libvirtd users, who are already root equivalent. In libvirt 1.1.0 and later, i.e. also in the libvirt version in Red Hat Enterprise Linux 7, it is possible to grant finer grained privileges and hence grant a user the privilege to create storage volumes without allowing them to create or modify domains. In configurations using such ACL settings, this may allow privilege escalation.

Lowering impact rating to Moderate as this is limited to specific non-default configurations.

Comment 7 Tomas Hoger 2015-12-14 20:58:59 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1291433]

Comment 9 Kurt Seifried 2015-12-17 23:43:43 UTC
Statement:

This issue affects the versions of libvirt as shipped with Red Hat Enterprise Linux version 7 and Red Hat Gluster Storage 3.1. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 10 Fedora Update System 2015-12-28 22:53:03 UTC
libvirt-1.2.18.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2016-01-08 03:25:12 UTC
libvirt-1.2.13.2-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 errata-xmlrpc 2016-11-03 18:29:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2577 https://rhn.redhat.com/errata/RHSA-2016-2577.html