Bug 709769 (CVE-2011-2178)

Summary: CVE-2011-2178 libvirt: regression introduced in disk probe logic
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: ajia, eblake, weizhan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-04-11 17:38:28 UTC
Bug Depends On: 709775, 709776, 709777    

Description Petr Matousek 2011-06-01 15:22:20 UTC
Regression introduced in commit d6623003 (v0.8.8) - using the wrong sizeof operand meant that security manager private data was overlaying the allowDiskFormatProbing member of struct _virSecurityManager.  This reopens disk probing, which was supposed to be prevented by the solution to CVE-2010-2238.

Upstream patch:
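
Added illustration of the bug class described above; this is not the upstream patch and not libvirt's code. It assumes a simplified manager object whose driver private data is stored directly after the header in the same allocation and is reached by pointer arithmetic; the struct layout and all function names are hypothetical, only allowDiskFormatProbing is taken from the description.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (assumed layout): fixed header, then the driver's
 * private data in the same allocation. */
struct sec_manager {
    const void *drv;
    bool allowDiskFormatProbing;
};

/* Regressed form: sizeof(mgr) is the size of a pointer, so the returned
 * address lies inside the header, on top of the flag. */
static void *private_data_buggy(struct sec_manager *mgr)
{
    return (char *)mgr + sizeof(mgr);
}

/* Corrected form: sizeof(*mgr) skips the whole header. */
static void *private_data_fixed(struct sec_manager *mgr)
{
    return (char *)mgr + sizeof(*mgr);
}

/* Create a manager with probing disabled, let the "driver" store one
 * nonzero byte of private state, then report the flag.
 * Returns 0 or 1 for the flag, -1 on allocation failure. */
static int probing_after_driver_init(bool use_buggy_getter)
{
    struct sec_manager *mgr = calloc(1, sizeof(*mgr) + 16);
    if (!mgr)
        return -1;
    mgr->allowDiskFormatProbing = false;
    unsigned char *priv = use_buggy_getter ? private_data_buggy(mgr)
                                           : private_data_fixed(mgr);
    priv[0] = 1;                /* constructed driver state */
    int flag = mgr->allowDiskFormatProbing ? 1 : 0;
    free(mgr);
    return flag;
}

int main(void)
{
    printf("buggy getter: probing=%d\n", probing_after_driver_init(true));
    printf("fixed getter: probing=%d\n", probing_after_driver_init(false));
    return 0;
}
```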

Comment 2 Petr Matousek 2011-06-01 15:33:04 UTC
Created libvirt tracking bugs for this issue

Affects: fedora-15 [bug 709775]
Affects: fedora-rawhide [bug 709777]

Comment 3 Petr Matousek 2011-06-01 15:34:44 UTC

Not vulnerable. This issue did not affect the version of libvirt as shipped with Red Hat Enterprise Linux 5 and 6 as we did not backport upstream commit d6623003.

Comment 5 weizhang 2011-07-04 10:57:44 UTC
verify pass on

steps :
1. $ truncate --size=10M bottom.img
$ qemu-img create -f qcow2 -o backing_file=bottom.img middle.img
$ qemu-img create -f qcow2 -o backing_file=middle.img top.img

2. setenforce 0

3. prepare a guest and attach second disk with
  <disk type='block' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source dev='/path/to/top.img'/>
      <target dev='hdb' bus='ide'/>
  </disk>

4. start guest

5. see the bottom.img ownership
should be root:root while guest is running