Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 568870 (CVE-2015-5313) - <app-emulation/libvirt-1.2.21-r1: filesystem storage volume names path traversal flaw (CVE-2015-5313)
Summary: <app-emulation/libvirt-1.2.21-r1: filesystem storage volume names path traver...
Status: RESOLVED FIXED
Alias: CVE-2015-5313
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-20 13:13 UTC by Agostino Sarubbo
Modified: 2016-12-04 11:18 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-12-20 13:13:23 UTC
From ${URL} :

A path traversal vulnerability allowing libvirtd process to write arbitrary files on file system using 
root permissions was found. The user with storage_vol:create ACL permission can exploit this vulnerability 
without the need of having write access to the libvirtd connection (domain:write permission).

commit fix:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=034e47c338b13a95cf02106a3af912c1c5f818d7


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2015-12-21 03:18:58 UTC
tamiko: If you get to this before I fix my Gentoo committing machine, 1.3.0 does not have this fix. Its a post 1.3.0 fix so when you bump to 1.3.0 just make sure to grab the patch.
Comment 2 Matthias Maier gentoo-dev 2015-12-22 06:22:47 UTC
Arches, please stabilize

  app-emulation/libvirt-1.2.21-r1

Target-keywords: amd64, x86




@Doug: I will wait for a bump for 1.3.0 for a tagged minor version bump from upstream (containing the patch).




commit 7230e64625a7b356b43335ce7cadb321a0b7cb16
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Tue Dec 22 00:13:56 2015 -0600

    app-emulation/libvirt: remove vuln. 1.2.(20|21) (CVE-2015-5313, bug #568870)
    
        This is a cleanup for CVE-2015-5313 bug 568870.
    
        Gentoo-Bugs: 568870
    
    Package-Manager: portage-2.2.26

commit c8308f11262b27472963c980f11f980f795f3d52
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Tue Dec 22 00:12:19 2015 -0600

    dev-python/libvirt-python: remove 1.2.20 and 1.2.21 (bug #568870)
    
    This is a cleanup for CVE-2015-5313 bug 568870.
    
    Gentoo-Bugs: 568870
    
    Package-Manager: portage-2.2.26

commit 6420c69559c3b40f127215bb0c3e8a8556b6fefa
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Tue Dec 22 00:09:46 2015 -0600

    app-emulation/libvirt: security fix for 1.2.21 (CVE-2015-5313, bug #568870)
    
    Apply fix for CVE-2015-5313 to 1.2.21:
      A path-traversal flaw was found in the way the libvirt daemon handled
      file-system names for storage volumes. A libvirt user with privileges to
      create storage volumes and without privileges to create and modify
      domains could possibly use this flaw to escalate their privileges.
    
    Gentoo-Bug: 568870
    
    Package-Manager: portage-2.2.26
Comment 3 Agostino Sarubbo gentoo-dev 2015-12-22 09:01:21 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-12-22 09:08:14 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Matthias Maier gentoo-dev 2015-12-22 16:16:18 UTC
commit fee80067dca04cacb1a09290044fcbbadfdbd3cb
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Tue Dec 22 10:07:19 2015 -0600

    app-emulation/libvirt: remove vulnerable 1.2.18 (CVE-2015-5313, bug #568870)
    
    This is a cleanup for CVE-2015-5313 bug 568870.
    
    Gentoo-Bugs: 568870
    
    Package-Manager: portage-2.2.26

commit ad61c216ab0aca87770e18351b4f478ce97d259c
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Tue Dec 22 10:08:45 2015 -0600

    dev-python/libvirt-python: remove 1.2.18 (bug #568870)
    
    This is a cleanup for CVE-2015-5313 bug 568870.
    
    Gentoo-Bugs: 568870
    
    Package-Manager: portage-2.2.26
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-12-24 05:14:01 UTC
Arches and Maintainer(s), Thank you for your work.
GLSA Vote: Yes

New GLSA Request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-12-04 11:18:30 UTC
This issue was resolved and addressed in
 GLSA 201612-10 at https://security.gentoo.org/glsa/201612-10
by GLSA coordinator Aaron Bauman (b-man).