libguestfs is a library for accessing and modifying guest disk images. It was found that guestfish, which enables shell scripting and command line access to libguestfs, insecurely created the temporary directory used to store the network socket when started in server mode (using the "--listen" option). If guestfish were run with the "--listen" option, a local attacker could use this flaw to intercept and modify other users' guestfish commands, allowing them to perform arbitrary guestfish actions (such as modifying virtual machines) with the privileges of a different user, or use this flaw to obtain authentication credentials. Acknowledgements: This issue was discovered by Michael Scherer of the Red Hat Regional IT team.
Created attachment 809855 [details] fish: Use UNIX_PATH_MAX instead of hard-coded value for max length of socket Semi-related code cleanup.
Created attachment 809857 [details] fish: Fix insecure temporary directory handling for remote guestfish (RHBZ#1016960). This is the meat of the fix: check that the directory that we create (a) is a directory (b) has the right mode (c) has the right owner.
Created attachment 809858 [details] fish: Move the guestfish socket from /tmp/.guestfish-$UID to /run/user/$UID. I'm probably not going to apply this third part because:
- Can we be sure that /run/user/$UID always has mode 0700?
- /run/user is entirely missing on Debian Wheezy
- It seems to be safe to create the socket in /tmp now that we're doing all the checks -- the worst that could happen is a poor denial of service attack by a local user who is immediately visible.
BTW I'm happy to publish this fix as soon as possible. It is low impact.
To answer comment #5, what about using $XDG_RUNTIME_DIR (cf. man pam_systemd: this is "Path to a user-private user-writable directory that is bound to the user login time on the machine"), and falling back to /tmp if it doesn't exist? (With $XDG_RUNTIME_DIR being /run/user/$uid/, as set by the pam module.) This will cover the case of non-systemd systems, i.e. Debian Wheezy among others, while still using the proper directory for newer systems, and this could be cleaned up later once we decide to stop supporting older systems.
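The checks described in the fix (the directory must exist as a real directory, have mode 0700, and be owned by the calling user) and the $XDG_RUNTIME_DIR-with-/tmp-fallback idea from the comment above, written out as an added example. This is not libguestfs code and not the attached patch: the function names (`verify_private_dir`, `ensure_private_dir`, `choose_socket_dir`, `self_check`) and the `guestfish-example` directory names are hypothetical, and the XDG branch follows the suggestion rather than anything the maintainers committed. The point it shows is that `mkdir` returning EEXIST is not enough; a pre-planted symlink or a directory with looser permissions must still be rejected after the fact with `lstat`.

```c
/* Added example (not libguestfs code): create and verify a per-user
 * directory for a UNIX socket so that a local user cannot plant a
 * symlink or an over-permissive directory at the expected path. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Check that path is (a) a directory (lstat, so a symlink is not followed),
 * (b) mode exactly 0700 and (c) owned by uid. Returns 0 on success, -1 otherwise. */
int verify_private_dir(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) == -1)
        return -1;
    if (!S_ISDIR(st.st_mode))          /* (a) a symlink or regular file is rejected */
        return -1;
    if ((st.st_mode & 07777) != 0700)  /* (b) group/world access or setgid bits rejected */
        return -1;
    if (st.st_uid != uid)              /* (c) directory belongs to someone else */
        return -1;
    return 0;
}

/* mkdir with a restrictive umask; EEXIST is tolerated, but whatever is
 * already there must still pass verify_private_dir(). */
int ensure_private_dir(const char *path, uid_t uid)
{
    mode_t old = umask(0077);
    int r = mkdir(path, 0700);
    umask(old);
    if (r == -1 && errno != EEXIST)
        return -1;
    return verify_private_dir(path, uid);
}

/* Hypothetical helper: prefer $XDG_RUNTIME_DIR (set by pam_systemd on
 * systemd systems), fall back to a per-UID name under /tmp elsewhere.
 * Returns -1 if the path does not fit in buf. */
int choose_socket_dir(char *buf, size_t len, uid_t uid)
{
    const char *xdg = getenv("XDG_RUNTIME_DIR");
    int n;
    if (xdg && *xdg)
        n = snprintf(buf, len, "%s/guestfish-example", xdg);
    else
        n = snprintf(buf, len, "/tmp/.guestfish-example-%d", (int) uid);
    return (n < 0 || (size_t) n >= len) ? -1 : 0;
}

/* Exercise the checks in a scratch directory made with mkdtemp.
 * Returns 0 when every expectation holds, else the number of failures. */
int self_check(void)
{
    char base[] = "/tmp/privdir-example-XXXXXX";
    char path[256], link[256];
    int failures = 0;
    uid_t uid = geteuid();

    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(path, sizeof path, "%s/sock", base);
    snprintf(link, sizeof link, "%s/lnk", base);

    failures += ensure_private_dir(path, uid) != 0;  /* fresh creation passes */
    failures += ensure_private_dir(path, uid) != 0;  /* EEXIST on rerun still passes */

    chmod(path, 0755);                               /* loosened permissions: rejected */
    failures += ensure_private_dir(path, uid) == 0;
    chmod(path, 0700);

    if (symlink(path, link) == 0)                    /* symlink at the path: rejected */
        failures += ensure_private_dir(link, uid) == 0;
    else
        failures += 1;

    unlink(link);
    rmdir(path);
    rmdir(base);
    return failures;
}

int main(void)
{
    char dir[256];
    if (choose_socket_dir(dir, sizeof dir, geteuid()) == 0)
        printf("socket directory would be %s\n", dir);
    return self_check() == 0 ? 0 : 1;
}
```

The mode test uses `& 07777` rather than `& 0777` so that a directory carrying setuid/setgid/sticky bits is also refused; the comparison against `geteuid()` rather than `getuid()` matches the owner the kernel assigns to a directory the process creates.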
Created attachment 811007 [details] fish: CVE-2013-4419: Fix insecure temporary directory handling for remote guestfish (RHBZ#1016960). Version 2 of proposed patch. Note also that "fish: Use UNIX_PATH_MAX instead of hard-coded value for max length of socket" which is really an unrelated code cleanup has gone upstream already.
FYI the public announcement is going out today at 12:00 UTC, unless anyone says otherwise in ~ the next 3 hours ...
This issue is now public: https://www.redhat.com/archives/libguestfs/2013-October/msg00031.html
Created libguestfs tracking bugs for this issue: Affects: fedora-all [bug 1020535]
Created libguestfs tracking bugs for this issue: Affects: epel-5 [bug 1020950]
libguestfs-1.20.12-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
libguestfs-1.22.7-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
libguestfs-1.24.0-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 via RHSA-2013:1536 https://rhn.redhat.com/errata/RHSA-2013-1536.html
libguestfs-1.20.12-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.