| Summary: | <app-emulation/libvirt-1.2.21-r1: filesystem storage volume names path traversal flaw (CVE-2015-5313) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | cardoe, tamiko, virtualization |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1277121 | | |
| Whiteboard: | B4 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2015-12-20 13:13:23 UTC
tamiko: If you get to this before I fix my Gentoo committing machine, 1.3.0 does not have this fix. It's a post 1.3.0 fix so when you bump to 1.3.0 just make sure to grab the patch.

Arches, please stabilize app-emulation/libvirt-1.2.21-r1
Target-keywords: amd64, x86

@Doug: I will wait for a bump for 1.3.0 for a tagged minor version bump from upstream (containing the patch).

commit 7230e64625a7b356b43335ce7cadb321a0b7cb16
Author: Matthias Maier <tamiko@gentoo.org>
Date: Tue Dec 22 00:13:56 2015 -0600

    app-emulation/libvirt: remove vuln. 1.2.(20|21) (CVE-2015-5313, bug #568870)

    This is a cleanup for CVE-2015-5313 bug 568870.

    Gentoo-Bugs: 568870
    Package-Manager: portage-2.2.26

commit c8308f11262b27472963c980f11f980f795f3d52
Author: Matthias Maier <tamiko@gentoo.org>
Date: Tue Dec 22 00:12:19 2015 -0600

    dev-python/libvirt-python: remove 1.2.20 and 1.2.21 (bug #568870)

    This is a cleanup for CVE-2015-5313 bug 568870.

    Gentoo-Bugs: 568870
    Package-Manager: portage-2.2.26

commit 6420c69559c3b40f127215bb0c3e8a8556b6fefa
Author: Matthias Maier <tamiko@gentoo.org>
Date: Tue Dec 22 00:09:46 2015 -0600

    app-emulation/libvirt: security fix for 1.2.21 (CVE-2015-5313, bug #568870)

    Apply fix for CVE-2015-5313 to 1.2.21:

    A path-traversal flaw was found in the way the libvirt daemon handled
    file-system names for storage volumes. A libvirt user with privileges to
    create storage volumes and without privileges to create and modify domains
    could possibly use this flaw to escalate their privileges.

    Gentoo-Bug: 568870
    Package-Manager: portage-2.2.26

amd64 stable

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

commit fee80067dca04cacb1a09290044fcbbadfdbd3cb
Author: Matthias Maier <tamiko@gentoo.org>
Date: Tue Dec 22 10:07:19 2015 -0600

    app-emulation/libvirt: remove vulnerable 1.2.18 (CVE-2015-5313, bug #568870)

    This is a cleanup for CVE-2015-5313 bug 568870.

    Gentoo-Bugs: 568870
    Package-Manager: portage-2.2.26

commit ad61c216ab0aca87770e18351b4f478ce97d259c
Author: Matthias Maier <tamiko@gentoo.org>
Date: Tue Dec 22 10:08:45 2015 -0600

    dev-python/libvirt-python: remove 1.2.18 (bug #568870)

    This is a cleanup for CVE-2015-5313 bug 568870.

    Gentoo-Bugs: 568870
    Package-Manager: portage-2.2.26

Arches and Maintainer(s), Thank you for your work.

GLSA Vote: Yes

New GLSA Request filed.

This issue was resolved and addressed in GLSA 201612-10 at https://security.gentoo.org/glsa/201612-10 by GLSA coordinator Aaron Bauman (b-man).