libvirtd in privileged (root) mode runs qemu/kvm guests as a different user. It sets the owner/group of the storage used by these guests to this user and group. In Debian this is libvirt-qemu:kvm.

| brw-rw---T 1 libvirt-qemu kvm 254, 11 Feb 25 17:08 /dev/dm-11
| brw-rw---T 1 libvirt-qemu kvm 254, 12 Feb 25 17:50 /dev/dm-12

The kvm group is used for generic access control on /dev/kvm, so a lot of users may have access to this group.

| crw-rw---T 1 root kvm 10, 232 Feb 25 18:04 kvm

This gives unrelated users write access to this storage.

At least Debian Squeeze (0.8.3-5+squeeze2) and Debian experimental (1.0.1-2) are affected.

References:
http://bugs.debian.org/701649
http://seclists.org/oss-sec/2013/q1/440
http://seclists.org/oss-sec/2013/q1/447
Statement: Not vulnerable. This issue did not affect the versions of the libvirt package as shipped with Red Hat Enterprise Linux 5 and 6.
Other references:
http://www.debian.org/security/2013/dsa-2650
http://www.securityfocus.com/bid/58178
http://secunia.com/advisories/52628
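
An audit check for the condition in the description, added here as an example and not part of the original report: it flags block devices that are group-accessible to whichever group guards /dev/kvm. It assumes GNU `stat` records in the format shown in the comments; `sample_records` is constructed from the listing in the description plus a hypothetical `/dev/dm-3`, and both function names are made up for this example.

```shell
#!/bin/sh
# Added example, not code from libvirt or Debian.
# Input records, one per line, as printed by GNU stat:
#   stat -c '%F|%a|%U|%G|%n' /dev/dm-* /dev/kvm > records.txt
# Then: audit_kvm_group_storage records.txt
# `getent group kvm` lists the accounts that gain the flagged access.

# Constructed sample: the device nodes from the listing in the description,
# plus one hypothetical volume (/dev/dm-3) that is not handed to the kvm group.
sample_records() {
    cat <<'EOF'
block special file|1660|libvirt-qemu|kvm|/dev/dm-11
block special file|1660|libvirt-qemu|kvm|/dev/dm-12
block special file|660|root|disk|/dev/dm-3
character special file|1660|root|kvm|/dev/kvm
EOF
}

# $1: file of records. Prints one line per block device whose group is the
# group of /dev/kvm and whose mode grants that group read or write access.
audit_kvm_group_storage() {
    awk -F'|' '
        # Pass 1: learn which group controls /dev/kvm.
        NR == FNR { if ($5 == "/dev/kvm") kvmgrp = $4; next }
        # Pass 2: skip everything that is not a block device in that group.
        $1 != "block special file" || kvmgrp == "" || $4 != kvmgrp { next }
        {
            # Group permissions are the second-to-last octal digit of %a.
            g = substr($2, length($2) - 1, 1) + 0
            access = (int(g / 4) % 2 ? "r" : "-") (int(g / 2) % 2 ? "w" : "-")
            if (access != "--")
                print $5, "owner=" $3, "group=" $4, "group_access=" access
        }
    ' "$1" "$1"
}
```

Each flagged device is readable or writable by every member of that group, not only by the guest that uses it.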