Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1541444 - (CVE-2018-6764) CVE-2018-6764 libvirt: guest could inject executable code via libnss_dns.so loaded by libvirt_lxc before init
CVE-2018-6764 libvirt: guest could inject executable code via libnss_dns.so l...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20180205,repor...
: Security
Depends On: 1542814 1542815 1542816 1589061
Blocks: 1541446
  Show dependency treegraph
 
Reported: 2018-02-02 10:13 EST by Pedro Sampaio
Modified: 2018-10-30 03:42 EDT (History)
24 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3113 None None None 2018-10-30 03:42 EDT

  None (edit)
Description Pedro Sampaio 2018-02-02 10:13:11 EST 
libvirt_lxc resolves a host name after the guest filesystem is mounted but before the init from it is executed. That in turn causes glibc to load libnss_dns.so and it ends up being loaded from the guest tree, making it possible for the guest to inject executable code before the host filesystem is umounted and file handles closed. That has potential security implications.
Comment 1 Prasad J Pandit 2018-02-06 23:32:17 EST 
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1542815]


Created mingw-libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1542814]
Comment 3 Daniel Berrange 2018-02-08 11:05:18 EST 
Upsptream fix is in git as:

commit 759b4d1b0fe5f4d84d98b99153dfa7ac289dd167
Author: Lubomir Rintel <lkundrak@v3.sk>
Date:   Sat Jan 27 23:43:58 2018 +0100

    virlog: determine the hostname on startup CVE-2018-6764
    
    At later point it might not be possible or even safe to use getaddrinfo(). It
    can in turn result in a load of NSS module.
    
    Notably, on a LXC container startup we may find ourselves with the guest
    filesystem already having replaced the host one. Loading a NSS module
    from the guest tree would allow a malicous guest to escape the
    confinement of its container environment because libvirt will not yet
    have locked it down.
Comment 4 Fedora Update System 2018-03-01 11:23:41 EST 
libvirt-3.7.0-4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 errata-xmlrpc 2018-10-30 03:42:18 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3113 https://access.redhat.com/errata/RHSA-2018:3113
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.