Bug 1277121 (CVE-2015-5313) - CVE-2015-5313 libvirt: filesystem storage volume names path traversal flaw
Summary: CVE-2015-5313 libvirt: filesystem storage volume names path traversal flaw
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5313
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1291035 1291433 1292585
Blocks: 1277124
TreeView+ depends on / blocked
 
Reported: 2015-11-02 12:21 UTC by Adam Mariš
Modified: 2021-02-17 04:45 UTC (History)
17 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A path-traversal flaw was found in the way the libvirt daemon handled filesystem names for storage volumes. A libvirt user with privileges to create storage volumes and without privileges to create and modify domains could possibly use this flaw to escalate their privileges.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:45:02 UTC

Attachments (Terms of Use)
proposed patch (2.24 KB, patch)
2015-12-09 00:57 UTC, Eric Blake 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2577 0 normal SHIPPED_LIVE Moderate: libvirt security, bug fix, and enhancement update 2016-11-03 12:07:06 UTC

Description Adam Mariš 2015-11-02 12:21:11 UTC 
A path traversal vulnerability allowing libvirtd process to write arbitrary files on file system using root permissions was found. The user with storage_vol:create ACL permission can exploit this vulnerability without the need of having write access to the libvirtd connection (domain:write permission).
Comment 3 Eric Blake 2015-12-09 00:57:33 UTC 
Created attachment 1103765 [details]
proposed patch
Comment 4 Eric Blake 2015-12-12 00:01:51 UTC 
Issue is now public:
https://www.redhat.com/archives/libvir-list/2015-December/msg00473.html
Comment 6 Tomas Hoger 2015-12-14 20:44:41 UTC 
This issue is not considered to have any security impact on libvirt versions as shipped with Red Hat Enterprise Linux 6 and earlier.  In those versions, this can only be exploited by privileged libvirtd users, who are already root equivalent.  In libvirt 1.1.0 and later, i.e. also in libvirt version in Red Hat Enterprise Linux 7, it is possible to grant finer grained privileges and hence grant user privilege to create storage volumes without allowing them to create or modify domains.  In configurations using such ACL setttings, this may allow privilege escalation.

Lowering impact rating to Moderate as this is limited to specific non-default configurations.
Comment 7 Tomas Hoger 2015-12-14 20:58:59 UTC 
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1291433]
Comment 9 Kurt Seifried 2015-12-17 23:43:43 UTC 
Statement:

This issue affects the versions of libvirt as shipped with Red Hat Enterprise Linux version 7 and Red Hat Gluster Storage 3.1. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 10 Fedora Update System 2015-12-28 22:53:03 UTC 
libvirt-1.2.18.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2016-01-08 03:25:12 UTC 
libvirt-1.2.13.2-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 errata-xmlrpc 2016-11-03 18:29:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2577 https://rhn.redhat.com/errata/RHSA-2016-2577.html
Note You need to log in before you can comment on or make changes to this bug.