A path traversal vulnerability allowing libvirtd process to write arbitrary files on file system using root permissions was found. The user with storage_vol:create ACL permission can exploit this vulnerability without the need of having write access to the libvirtd connection (domain:write permission).
Created attachment 1103765 [details]
Issue is now public:
This issue is not considered to have any security impact on libvirt versions as shipped with Red Hat Enterprise Linux 6 and earlier. In those versions, this can only be exploited by privileged libvirtd users, who are already root equivalent. In libvirt 1.1.0 and later, i.e. also in libvirt version in Red Hat Enterprise Linux 7, it is possible to grant finer grained privileges and hence grant user privilege to create storage volumes without allowing them to create or modify domains. In configurations using such ACL setttings, this may allow privilege escalation.
Lowering impact rating to Moderate as this is limited to specific non-default configurations.
Created libvirt tracking bugs for this issue:
Affects: fedora-all [bug 1291433]
This issue affects the versions of libvirt as shipped with Red Hat Enterprise Linux version 7 and Red Hat Gluster Storage 3.1. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
libvirt-126.96.36.199-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
libvirt-188.8.131.52-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:2577 https://rhn.redhat.com/errata/RHSA-2016-2577.html