oss-sec mailing list archives

CVE request: libvirt kvm-group writable storage

From: Bastian Blank <waldi () debian org>
Date: Mon, 25 Feb 2013 20:36:19 +0100

Hi

libvirtd in privileged (root) mode runs qemu/kvm guests with a different
user. It set owner/group of storage used by this guests to this user and
group. In Debian this is libvirt-qemu:kvm.

| brw-rw---T 1 libvirt-qemu kvm  254, 11 Feb 25 17:08 /dev/dm-11
| brw-rw---T 1 libvirt-qemu kvm  254, 12 Feb 25 17:50 /dev/dm-12

The kvm group is used for generic access control on /dev/kvm, so a lot
of users may have access to this group.

| crw-rw---T 1 root kvm 10, 232 Feb 25 18:04 kvm

This allows write access to unrelated users to this storage.

Affected is at least Debian Squeeze (0.8.3-5+squeeze2) and Debian
experimental (1.0.1-2). Reference is http://bugs.debian.org/701649

Please assign a CVE.

Bastian

-- 
Oh, that sound of male ego.  You travel halfway across the galaxy and
it's still the same song.
                -- Eve McHuron, "Mudd's Women", stardate 1330.1

Current thread:

CVE request: libvirt kvm-group writable storage Bastian Blank (Feb 25)
- Re: CVE request: libvirt kvm-group writable storage Kurt Seifried (Feb 25)