Bug 915718 – CVE-2013-1766 libvirt: kvm-group writable storage

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 915718 - (CVE-2013-1766) CVE-2013-1766 libvirt: kvm-group writable storage

Summary:	CVE-2013-1766 libvirt: kvm-group writable storage

Status:	CLOSED NOTABUG

Aliases:	CVE-2013-1766

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20130225,repor...
Keywords:	Security

Depends On:
Blocks:	915719
	Show dependency tree / graph

Reported:	2013-02-26 06:25 EST by Petr Matousek
Modified:	2015-07-31 02:58 EDT (History)
CC List:	13 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-02-26 06:26:53 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Petr Matousek 2013-02-26 06:25:12 EST

libvirtd in privileged (root) mode runs qemu/kvm guests with a different
user. It set owner/group of storage used by this guests to this user and
group. In Debian this is libvirt-qemu:kvm.

| brw-rw---T 1 libvirt-qemu kvm  254, 11 Feb 25 17:08 /dev/dm-11
| brw-rw---T 1 libvirt-qemu kvm  254, 12 Feb 25 17:50 /dev/dm-12

The kvm group is used for generic access control on /dev/kvm, so a lot
of users may have access to this group.

| crw-rw---T 1 root kvm 10, 232 Feb 25 18:04 kvm

This allows write access to unrelated users to this storage.

Affected is at least Debian Squeeze (0.8.3-5+squeeze2) and Debian
experimental (1.0.1-2).

References:
http://bugs.debian.org/701649
http://seclists.org/oss-sec/2013/q1/440
http://seclists.org/oss-sec/2013/q1/447

Comment 1 Petr Matousek 2013-02-26 06:26:29 EST

Statement:

Not vulnerable.

This issue did not affect the versions of the libvirt package as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 2 Jan Lieskovsky 2013-03-20 11:37:14 EDT

Other references:
  http://www.debian.org/security/2013/dsa-2650
  http://www.securityfocus.com/bid/58178
  http://secunia.com/advisories/52628

Note You need to log in before you can comment on or make changes to this bug.