Bug 709769 - (CVE-2011-2178) CVE-2011-2178 libvirt: regression introduced in disk probe logic
CVE-2011-2178 libvirt: regression introduced in disk probe logic
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
public=20110531,reported=20110526,sou...
: Security
Depends On: 709775 709776 709777
Blocks:
  Show dependency treegraph
 
Reported: 2011-06-01 11:22 EDT by Petr Matousek
Modified: 2013-04-11 13:38 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-11 13:38:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Petr Matousek 2011-06-01 11:22:20 EDT
Regression introduced in commit d6623003 (v0.8.8) - using the wrong sizeof operand meant that security manager private data was overlaying the allowDiskFOrmatProbing member of struct _virSecurityManager.  This reopens disk probing, which was supposed to be prevented by the solution to CVE-2010-2238.

Upstream patch:
https://www.redhat.com/archives/libvir-list/2011-May/msg01935.html
Comment 2 Petr Matousek 2011-06-01 11:33:04 EDT
Created libvirt tracking bugs for this issue

Affects: fedora-15 [bug 709775]
Affects: fedora-rawhide [bug 709777]
Comment 3 Petr Matousek 2011-06-01 11:34:44 EDT
Statement:

Not vulnerable. This issue did not affect the version of libvirt as shipped with Red Hat Enterprise Linux 5 and 6 as we did not backport upstream commit d6623003.
Comment 5 weizhang 2011-07-04 06:57:44 EDT
verify pass on
kernel-2.6.32-156.el6.x86_64
qemu-kvm-0.12.1.2-2.165.el6.x86_64
libvirt-0.9.2-1.el6.x86_64

steps :
1. $ truncate --size=10M bottom.img
$ qemu-img create -f qcow2 -o backing_file=bottom.img middle.img
$ qemu-img create -f qcow2 -o backing_file=middle.img top.img

2. setenforce 0

3. prepare a guest and attach second disk with
  <disk type='block' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source dev='/path/to/top.img'/>
      <target dev='hdb' bus='ide'/>
  </disk>

4. start guest

5. see the bottom.img ownership
should be root:root while guest is running

Note You need to log in before you can comment on or make changes to this bug.