
Bug 241146 (CVE-2008-4405)

Summary: app-emulation/libvirt privilege escalation (CVE-2008-4405,CVE-2008-5716)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: rbu, xen
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-10-10 19:29:44 UTC
CVE-2008-4405 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4405):
  libvirt 0.3.3 relies on files located under subdirectories of
  /local/domain in xenstore despite lack of protection against
  modification by Xen guest virtual machines, which allows guest OS
  users to have an unspecified impact, as demonstrated by writing to
  (1) the text console (console/tty) or (2) the VNC port for the
  graphical framebuffer.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-12-27 19:51:49 UTC
The patch is incomplete, as noted here:
http://thread.gmane.org/gmane.comp.security.oss.general/1344/

This incomplete patch has been assigned CVE-2008-5716.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-12-27 19:52:36 UTC
*** Bug 252731 has been marked as a duplicate of this bug. ***
Comment 4 Doug Goldstein (RETIRED) gentoo-dev 2009-05-27 22:50:41 UTC
Can this be closed? The oldest version in the tree is 0.4.6.
Comment 5 Doug Goldstein (RETIRED) gentoo-dev 2009-06-09 13:36:19 UTC
Oldest version in the tree is now 0.6.3. Looking for some follow-up from the security team since it's their bug.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-07 06:33:19 UTC
Closing noglsa, as it never had a stable version.