Bug 956082 - (CVE-2013-2007) CVE-2013-2007 qemu: guest agent creates files with insecure permissions in deamon mode
CVE-2013-2007 qemu: guest agent creates files with insecure permissions in de...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130506,repor...
: Security
Depends On: 953932 957056 969455 969456 970643 974444 983566 983567
Blocks: 956105 969452
  Show dependency treegraph
 
Reported: 2013-04-24 05:30 EDT by Petr Matousek
Modified: 2016-04-26 10:05 EDT (History)
43 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-04 10:11:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
[PATCH] qga: set umask 0077 when daemonizing (1.13 KB, patch)
2013-04-24 07:19 EDT, Laszlo Ersek
no flags Details | Diff

  None (edit)
Description Petr Matousek 2013-04-24 05:30:47 EDT
The upstream qemu guest agent creates files with insecure permissions when started in daemon mode, which could potentially lead local privilege escalation.

The Red Hat Enterprise Linux 6 qemu-ga, when started in daemon mode, creates logfiles in /var/log/ world writable allowing any one on the system to wipe the contents of the log file or to store data within the log file. An unprivileged guest user could use this flaw to consume all free space on the partition
with qemu-ga log file, or modify the contents of the log. When a UNIX domain socket transport were explicitly configured to be used (non-default), an unprivileged guest user could potentially use this flaw to escalate their privileges in the guest.

Acknowledgements:

This issue was discovered by Laszlo Ersek of Red Hat.
Comment 2 Petr Matousek 2013-04-24 05:41:13 EDT
Statement:

This issue does not affect the kvm package as shipped with Red Hat Enterprise Linux 5.

This issue does not affect the xen package as shipped with Red Hat Enterprise Linux 5.

This issue does affect the qemu-kvm package as shipped with Red Hat Enterprise Linux 6. Future qemu-kvm updates in Red Hat Enterprise Linux 6 may address this flaw.

Please note that due to differences in upstream and Red Hat Enterprise Linux 6 versions of qemu guest agent this issue has lower security impact on systems running Red Hat Enterprise Linux 6.
Comment 6 Laszlo Ersek 2013-04-24 07:19:57 EDT
Created attachment 739402 [details]
[PATCH] qga: set umask 0077 when daemonizing

The qemu guest agent creates a bunch of files with insecure permissions
when started in daemon mode. For example:

  -rw-rw-rw- 1 root root /var/log/qemu-ga.log
  -rw-rw-rw- 1 root root /var/run/qga.state
  -rw-rw-rw- 1 root root /var/log/qga-fsfreeze-hook.log

In addition, at least all files created with the "guest-file-open" QMP
command, and all files created with shell output redirection (or
otherwise) by utilities invoked by the fsfreeze hook script.

For now clear all file mode premissions for "group" and "others".

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 qga/main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
Comment 12 Petr Matousek 2013-05-31 09:02:58 EDT
Created qemu tracking bugs for this issue

Affects: fedora-all [bug 969455]
Comment 13 Petr Matousek 2013-05-31 09:03:57 EDT
Created xen tracking bugs for this issue

Affects: fedora-all [bug 969456]
Comment 14 errata-xmlrpc 2013-06-03 13:31:48 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0896 https://rhn.redhat.com/errata/RHSA-2013-0896.html
Comment 15 errata-xmlrpc 2013-06-03 13:33:14 EDT
This issue has been addressed in following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:0791 https://rhn.redhat.com/errata/RHSA-2013-0791.html

Note You need to log in before you can comment on or make changes to this bug.