Bug 1277121 - (CVE-2015-5313) CVE-2015-5313 libvirt: filesystem storage volume names path traversal flaw
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20151211,repor...
Keywords: Reopened, Security
Depends On: 1292585 1291035 1291433
Blocks: 1277124
Reported: 2015-11-02 07:21 EST by Adam Mariš
Modified: 2016-11-14 23:48 EST
Doc Type: Bug Fix
Doc Text:
A path-traversal flaw was found in the way the libvirt daemon handled filesystem names for storage volumes. A libvirt user with privileges to create storage volumes and without privileges to create and modify domains could possibly use this flaw to escalate their privileges.
Last Closed: 2015-12-17 18:43:43 EST
Attachments
proposed patch (2.24 KB, patch)
2015-12-08 19:57 EST, Eric Blake
Description Adam Mariš 2015-11-02 07:21:11 EST
A path traversal vulnerability allowing the libvirtd process to write arbitrary files on the file system using root permissions was found. A user with the storage_vol:create ACL permission can exploit this vulnerability without needing write access to the libvirtd connection (domain:write permission).
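An added example, not the proposed patch and not libvirt code: one defensive way to handle the class of flaw described above, assuming a filesystem pool stores each volume at `<pool directory>/<volume name>`. The function names and the `/pool` path used with them are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; none of this is libvirt code.
 * Assumption: a volume is stored at "<pool_dir>/<name>". */

/* Returns 1 if a pool-relative name, resolved lexically, is absolute or
 * climbs above the pool directory at any point; 0 if it stays inside. */
int name_escapes_pool(const char *name)
{
    int depth = 0;
    const char *p = name;

    if (*p == '/')
        return 1;
    while (*p) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 1;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;
        }
        p += len;
        while (*p == '/')
            p++;
    }
    return 0;
}

/* Hardened join: accept only a single path component as the volume name,
 * which is stricter than the lexical check (no subdirectories at all). */
int vol_path_build(const char *pool_dir, const char *name,
                   char *out, size_t outlen)
{
    int n;

    if (!pool_dir || !name || !out || outlen == 0)
        return -EINVAL;
    if (name[0] == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -EINVAL;
    if (strchr(name, '/') != NULL)
        return -EINVAL;
    n = snprintf(out, outlen, "%s/%s", pool_dir, name);
    if (n < 0 || (size_t)n >= outlen)
        return -ENAMETOOLONG;
    return 0;
}
```

The lexical check alone does not account for symbolic links inside the pool directory, which is why the join function refuses any name containing `/` rather than trying to normalize it.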
Comment 3 Eric Blake 2015-12-08 19:57 EST
Created attachment 1103765 [details]
proposed patch
Comment 4 Eric Blake 2015-12-11 19:01:51 EST
Issue is now public:
https://www.redhat.com/archives/libvir-list/2015-December/msg00473.html
Comment 6 Tomas Hoger 2015-12-14 15:44:41 EST
This issue is not considered to have any security impact on libvirt versions as shipped with Red Hat Enterprise Linux 6 and earlier. In those versions, this can only be exploited by privileged libvirtd users, who are already root equivalent. In libvirt 1.1.0 and later, i.e. also in the libvirt version in Red Hat Enterprise Linux 7, it is possible to grant finer-grained privileges and hence grant a user the privilege to create storage volumes without allowing them to create or modify domains. In configurations using such ACL settings, this may allow privilege escalation.

Lowering impact rating to Moderate as this is limited to specific non-default configurations.
Comment 7 Tomas Hoger 2015-12-14 15:58:59 EST
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1291433]
Comment 9 Kurt Seifried 2015-12-17 18:43:43 EST
Statement:

This issue affects the versions of libvirt as shipped with Red Hat Enterprise Linux version 7 and Red Hat Gluster Storage 3.1. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 10 Fedora Update System 2015-12-28 17:53:03 EST
libvirt-1.2.18.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2016-01-07 22:25:12 EST
libvirt-1.2.13.2-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 errata-xmlrpc 2016-11-03 14:29:25 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2577 https://rhn.redhat.com/errata/RHSA-2016-2577.html
