Bug 831117 (CVE-2012-2690) - CVE-2012-2690 libguestfs: virt-edit creates a new file, when it is used leading to loss of file attributes (permissions, owner, SELinux context etc.)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-2690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 788642
Blocks: 784298 831125
Reported: 2012-06-12 08:52 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:53 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-06-21 03:58:22 UTC
Embargoed:




Links:
Red Hat Product Errata RHSA-2012:0774 (priority normal, status SHIPPED_LIVE): "Low: libguestfs security, bug fix, and enhancement update", last updated 2012-06-19 19:29:50 UTC

Description Jan Lieskovsky 2012-06-12 08:52:58 UTC
A security flaw was found in the way the virt-edit tool of libguestfs, a library for accessing and modifying guest disk images, performed file editing in a virtual machine (a new file was created when the original file was used, leading to loss of attributes like file permissions, file owner or SELinux context for the edited file). If certain sensitive files were edited using virt-edit, they would become world-readable.

References:
[1] http://www.openwall.com/lists/oss-security/2012/06/11/1
[2] https://bugzilla.redhat.com/show_bug.cgi?id=788642
[3] https://www.redhat.com/archives/libguestfs/2012-February/msg00033.html

Proposed upstream patch:
[4] https://www.redhat.com/archives/libguestfs/2012-February/msg00034.html
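The failure mode described in the report, shown as an added Python example that is not libguestfs or virt-edit code: `edit_by_replacement` follows the flawed "write a new file, rename it over the original" pattern, so the replacement inode takes its mode from the umask and its owner from the calling process; `edit_preserving_attrs` captures the original's mode and ownership with `stat` and reapplies them before the rename. Function names, the `secret.conf` sample file and the 0600 starting mode are constructed for the demonstration. SELinux labels are not handled here; on a labelled system the original's `security.selinux` extended attribute would also have to be carried across.

```python
import os
import stat
import tempfile


def edit_by_replacement(path: str, new_content: bytes) -> None:
    """Flawed pattern (hypothetical, mirrors the bug): write the edited text to a
    brand-new file and rename it over the original. The new inode gets
    0666 & ~umask as its mode, the caller's uid/gid and a fresh SELinux label,
    so a file that was 0600 root:root becomes world-readable."""
    tmp = path + ".new"
    with open(tmp, "wb") as f:          # created as 0666 & ~umask
        f.write(new_content)
    os.rename(tmp, path)


def edit_preserving_attrs(path: str, new_content: bytes) -> None:
    """Hardened variant (hypothetical): record the original's attributes first
    and copy them onto the replacement before it is renamed into place."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    tmp = path + ".new"
    # O_EXCL: refuse to reuse a temp file that already exists at this name.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchmod(fd, mode)                  # O_CREAT's mode is umask-filtered
        os.fchown(fd, st.st_uid, st.st_gid)  # no-op when you already own it
        os.write(fd, new_content)
        os.fsync(fd)
    finally:
        os.close(fd)
    # SELinux context is not copied here (would need the security.selinux xattr).
    os.rename(tmp, path)


def attributes_preserved(before: os.stat_result, path: str) -> bool:
    """Post-edit check a defender can run: did mode and ownership survive?"""
    after = os.stat(path)
    return (stat.S_IMODE(before.st_mode) == stat.S_IMODE(after.st_mode)
            and before.st_uid == after.st_uid
            and before.st_gid == after.st_gid)


def demo() -> dict:
    """Edit a constructed 0600 file with both editors under umask 022 and report
    (resulting mode, attributes_preserved) for each."""
    old_umask = os.umask(0o022)
    try:
        results = {}
        for name, editor in (("replacement", edit_by_replacement),
                             ("preserving", edit_preserving_attrs)):
            with tempfile.TemporaryDirectory() as d:
                path = os.path.join(d, "secret.conf")   # constructed sample file
                with open(path, "wb") as f:
                    f.write(b"password=old\n")
                os.chmod(path, 0o600)
                before = os.stat(path)
                editor(path, b"password=new\n")
                results[name] = (stat.S_IMODE(os.stat(path).st_mode),
                                 attributes_preserved(before, path))
        return results
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, (mode, ok) in demo().items():
        print(f"{name}: mode={mode:04o} attributes_preserved={ok}")
```

Running `demo()` shows the replacement edit turning the 0600 file into 0644 while the attribute-preserving edit leaves it at 0600; the same `attributes_preserved` check is a cheap regression test for any tool that rewrites files in a guest image.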

Comment 1 Jan Lieskovsky 2012-06-12 08:54:55 UTC
This issue affects the version of the libguestfs package, as shipped
with Red Hat Enterprise Linux 6.

Comment 5 errata-xmlrpc 2012-06-20 07:02:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0774 https://rhn.redhat.com/errata/RHSA-2012-0774.html

Comment 7 Richard W.M. Jones 2012-06-22 15:38:59 UTC
We will fix this for EPEL 5.  I'm going to push a massively
updated libguestfs package to EPEL 5 next week.
