Bug 465564

Summary: app-emulation/libvirt: device file write vulnerability (CVE-2013-1766)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: minor CC: cardoe, virtualization
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2013-04-11 17:55:04 UTC
CVE-2013-1766 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1766):
  libvirt 1.0.2 and earlier sets the group owner to kvm for device files,
  which allows local users to write to these files via unspecified vectors.
Comment 1 Agostino Sarubbo gentoo-dev 2013-04-11 17:59:02 UTC
I didn't file this bug because, after talking with Cardoe on IRC, it seems to be invalid on Gentoo. Here the VMs are owned by qemu:qemu.
Comment 2 Doug Goldstein (RETIRED) gentoo-dev 2013-04-12 05:06:34 UTC
This isn't an upstream bug but a Debian-specific bug, since they tried to save on creating an extra group and instead shared a group.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-12 11:12:26 UTC
(In reply to comment #2)
> This isn't an upstream bug but a Debian-specific bug, since they tried to
> save on creating an extra group and instead shared a group.

Thanks for the info, Doug.