Bug 720773 (CVE-2011-2527)
| Summary: | CVE-2011-2527 qemu: when started as root, extra groups are not dropped correctly | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | amit.shah, berrange, dwmw2, ehabkost, extras-orphan, itamar, jaswinder, jforbes, knoel, lcapitulino, mkenneth, mtosatti, pmatouse, scottt.tw, shu, tburke, virt-maint, virt-maint | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: |
Cause: qemu did not properly drop extra group privileges when started as root with the -runas commandline option.
Consequence: extra GID's would give qemu elevated privileges to read or write files that the supplementary groups allowed, because qemu is still running with group root privileges.
Fix: Added an initgroups(3) call to use the -runas user's /etc/groups membership to update the supplementary group IDs.
Result: extra group privileges are now properly dropped when using -runas.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2012-06-12 18:38:29 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 720784, 720785, 722582, 722583 | ||||||
| Bug Blocks: | 720787 | ||||||
| Attachments: |
|
||||||
|
Description
Vincent Danen
2011-07-12 18:11:34 UTC
A proposed patch is available here: https://bugs.launchpad.net/qemu/+bug/807893/comments/1 This also only affects qemu versions greater than 0.10.0 (where the -runas option was introduced). Created qemu tracking bugs for this issue Affects: fedora-all [bug 720784] Affects: epel-5 [bug 720785] Created attachment 513239 [details]
upstream patch
Commit cc4662f9642995c78bed587707eeb9ad8500035b from upstream to fix the flaw.
Statement: Future qemu-kvm updates in Red Hat Enterprise Linux 6 may address this flaw. This issue did not affect the versions of qemu-kvm as shipped with Red Hat Enterprise Linux 5 as it did not include support for "run as" functionality.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause: qemu did not properly drop extra group privileges when started as root with the -runas commandline option.
Consequence: extra GID's would give qemu elevated privileges to read or write files that the supplementary groups allowed, because qemu is still running with group root privileges.
Fix: Added an initgroups(3) call to use the -runas user's /etc/groups membership to update the supplementary group IDs.
Result: extra group privileges are now properly dropped when using -runas.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:1531 https://rhn.redhat.com/errata/RHSA-2011-1531.html qemu-0.14.0-9.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. |