(CVE-2012-2690) CVE-2012-2690 libguestfs: virt-edit creates a new file, when it is used leading to loss of file attributes (permissions, owner, SELinux context etc.)

Bug #1012259 reported by Karma Dorje on 2012-06-12
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Gentoo Linux
Unknown
Unknown
libguestfs (Fedora)
Fix Released
Low
libguestfs (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned
Raring
Undecided
Unassigned

Bug Description

A security flaw was found in the way virt-edit tool of libguestfs, a library for accessing and modifying guest disk images, performed file editing in a virtual machine (new file was created, when original file was used leading to loss of attributes likes file permissions, file owner or SELinux context for the edited file). If certain sensitive files were edited using virt-edit, they would become world-readable.

References:
[1] http://www.openwall.com/lists/oss-security/2012/06/11/1
[2] https://bugzilla.redhat.com/show_bug.cgi?id=788642
[3] https://www.redhat.com/archives/libguestfs/2012-February/msg00033.html

Proposed upstream patch:
[4] https://www.redhat.com/archives/libguestfs/2012-February/msg00034.html

CVE References

A security flaw was found in the way virt-edit tool of libguestfs, a library for accessing and modifying guest disk images, performed file editing in a virtual machine (new file was created, when original file was used leading to loss of attributes likes file permissions, file owner or SELinux context for the edited file). If certain sensitive files were edited using virt-edit, they would become world-readable.

References:
[1] http://www.openwall.com/lists/oss-security/2012/06/11/1
[2] https://bugzilla.redhat.com/show_bug.cgi?id=788642
[3] https://www.redhat.com/archives/libguestfs/2012-February/msg00033.html

Proposed upstream patch:
[4] https://www.redhat.com/archives/libguestfs/2012-February/msg00034.html

This issue affects the version of the libguestfs package, as shipped
with Red Hat Enterprise Linux 6.

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0774 https://rhn.redhat.com/errata/RHSA-2012-0774.html

Karma Dorje (taaroa) on 2012-06-22
visibility: private → public

We will fix this for EPEL 5. I'm going to push a massively
updated libguestfs package to EPEL 5 next week.

Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in libguestfs (Ubuntu):
status: New → Triaged
Dimitri John Ledkov (xnox) wrote :

$ git describe 24d7889eba3eb6ee2f37ed9d384aa8734ebad7b7
1.17.5-2-g24d7889

It looks like 1.17.5 was the last affected version.
Therefore Precise is the only currently affected release.
I believe cherry-picking above git commit into precise, should resolve this issue.

Changed in libguestfs (Ubuntu Precise):
status: New → Fix Released
status: Fix Released → Confirmed
Changed in libguestfs (Ubuntu Quantal):
status: New → Fix Released
Changed in libguestfs (Ubuntu Raring):
status: Triaged → Fix Released
Changed in libguestfs (Ubuntu Precise):
status: Confirmed → Triaged
Changed in libguestfs (Fedora):
importance: Unknown → Low
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.