Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 488532 (CVE-2013-4419) - <app-emulation/libguestfs-1.24.0: insecure handling of socket file (CVE-2013-4419)
Summary: <app-emulation/libguestfs-1.24.0: insecure handling of socket file (CVE-2013-...
Status: RESOLVED FIXED
Alias: CVE-2013-4419
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2013/q4/125
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-18 21:50 UTC by Mikle Kolyada
Modified: 2014-03-08 13:16 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-10-18 21:50:40 UTC
from ${URL}:

As reported to the linux-distros mailing list:


libguestfs is a library for accessing and modifying guest disk images.
It was found that guestfish, which enables shell scripting and command
line access to libguestfs, insecurely created the temporary directory
used to store the network socket when started in server mode (using the
"--listen" option). If guestfish were run with the "--listen" option, a
local attacker could use this flaw to intercept and modify other users'
guestfish commands, allowing them to perform arbitrary guestfish actions
(such as modifying virtual machines) with the privileges of a different
user, or use this flaw to obtain authentication credentials.

This issue was discovered by Michael Scherer of the Red Hat Regional IT
team.

Further details are available in our bug, including the patch.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1016960
https://www.redhat.com/archives/libguestfs/2013-October/msg00031.html
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 22:00:34 UTC
CVE-2013-4419 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4419):
  The guestfish command in libguestfs 1.20.12, 1.22.7, and earlier, when using
  the --remote or --listen option, does not properly check the ownership of
  /tmp/.guestfish-$UID/ when creating a temporary socket file in this
  directory, which allows local users to write to the socket and execute
  arbitrary commands by creating /tmp/.guestfish-$UID/ in advance.
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-03-08 13:16:50 UTC
Maintainer timeout. Cleanup done.