libvirt-bin - libvirtd changes permissions of devices to libvirt-qemu:kvm (CVE-2013-1766)

Debian Bug report logs - #701649
libvirt-bin - libvirtd changes permissions of devices to libvirt-qemu:kvm (CVE-2013-1766)

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Bastian Blank <waldi@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libvirt-bin - libvirtd changes permissions of devices to libvirt-qemu:kvm

Date: Mon, 25 Feb 2013 18:57:50 +0100

Package: libvirt-bin
Version: 1.0.2-2
Severity: critical
Tags: security

libvirtd changes the permissions of lvm devices it assigns to guests to
libvirt-qemu:kvm. kvm is a general group and not restricted to libvirt.
The allows other users write access to this devices.

I'm right now unsure if the Wheezy version is affected.

| brw-rw---T 1 libvirt-qemu kvm  254, 11 Feb 25 17:08 /dev/dm-11
| brw-rw---T 1 libvirt-qemu kvm  254, 12 Feb 25 17:50 /dev/dm-12

Bastian

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.7-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Message #10 received at 701649@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: Bastian Blank <waldi@debian.org>, 701649@bugs.debian.org

Subject: Re: [Pkg-libvirt-maintainers] Bug#701649: libvirt-bin - libvirtd changes permissions of devices to libvirt-qemu:kvm

Date: Tue, 26 Feb 2013 05:52:25 +0100

On Mon, Feb 25, 2013 at 06:57:50PM +0100, Bastian Blank wrote:
> Package: libvirt-bin
> Version: 1.0.2-2
> Severity: critical
> Tags: security
> 
> libvirtd changes the permissions of lvm devices it assigns to guests to
> libvirt-qemu:kvm. kvm is a general group and not restricted to libvirt.
> The allows other users write access to this devices.

This is configuratble via the group option in /etc/libvirt/qemu.conf. I
do think that kvm is a reasonable choice since kvm isn't a general
purpose group but one reserved for processes running kvm instances.

However I'm open for discussion to switch this to libvirt-qemu as well.
(but leaving kvm as the libvirt-qemu user's primary group).
Cheers,
 -- Guido

> 
> I'm right now unsure if the Wheezy version is affected.
> 
> | brw-rw---T 1 libvirt-qemu kvm  254, 11 Feb 25 17:08 /dev/dm-11
> | brw-rw---T 1 libvirt-qemu kvm  254, 12 Feb 25 17:50 /dev/dm-12
> 
> Bastian
> 
> -- System Information:
> Debian Release: 7.0
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 3.7-trunk-amd64 (SMP w/4 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> _______________________________________________
> Pkg-libvirt-maintainers mailing list
> Pkg-libvirt-maintainers@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-libvirt-maintainers
> 

Message #15 received at 701649@bugs.debian.org (full text, mbox, reply):

From: Bastian Blank <waldi@debian.org>

To: 701649@bugs.debian.org

Subject: Re: Bug#701649: libvirt-bin - libvirtd changes permissions of devices to libvirt-qemu:kvm

Date: Tue, 26 Feb 2013 07:40:19 +0100

This issue is CVE-2013-1766

Bastian

-- 
Vulcans worship peace above all.
		-- McCoy, "Return to Tomorrow", stardate 4768.3

Message #22 received at 701649-close@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: 701649-close@bugs.debian.org

Subject: Bug#701649: fixed in libvirt 1.0.2-3

Date: Tue, 26 Feb 2013 10:32:50 +0000

Source: libvirt
Source-Version: 1.0.2-3

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 701649@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 26 Feb 2013 09:32:59 +0100
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev python-libvirt libvirt-sanlock
Architecture: source all i386
Version: 1.0.2-3
Distribution: experimental
Urgency: low
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Description: 
 libvirt-bin - programs for the libvirt library
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt-sanlock - library for interfacing with different virtualization systems
 libvirt0   - library for interfacing with different virtualization systems
 libvirt0-dbg - library for interfacing with different virtualization systems
 python-libvirt - libvirt Python bindings
Closes: 701649
Changes: 
 libvirt (1.0.2-3) experimental; urgency=low
 .
   * [6270001] CVE-2013-1766: Use libvirt-qemu as group to run qemu/kvm
     instances.  This makes sure we don't chown files to groups possibly used
     by other programs. (Closes: #701649)
Checksums-Sha1: 
 781c6c7d86350d8c6b77e8459a1c7c5adb05be45 2515 libvirt_1.0.2-3.dsc
 3179d4005688af0434763e6d3dac246dea170bb5 39677 libvirt_1.0.2-3.debian.tar.gz
 17e8373d67a9b5127915f6f61df41d22247125e6 2689284 libvirt-doc_1.0.2-3_all.deb
 c733276a1b881554c8c032c8900616b231bb108f 4765166 libvirt-bin_1.0.2-3_i386.deb
 521cfc1ff22937d78fa6d8f69b162f29a976844a 2534946 libvirt0_1.0.2-3_i386.deb
 466fad04a338a7ae90d8dc7ab9be9768538b79e4 10598744 libvirt0-dbg_1.0.2-3_i386.deb
 f3e81c922a37560b77a2265123a522918181affc 2915812 libvirt-dev_1.0.2-3_i386.deb
 fb8d86b727bab208d5c7defa1a42d897738aac17 1905800 python-libvirt_1.0.2-3_i386.deb
 db6ff09d48af0aee0f61aa34c14a6424d1318fed 1525492 libvirt-sanlock_1.0.2-3_i386.deb
Checksums-Sha256: 
 0c3b9741618c74dfae0b9fb584188e86dca1496c9e7badcd81f6471f823e1ed2 2515 libvirt_1.0.2-3.dsc
 59de53c3fa635331d5607350a9e072c216b420b7e191ea70be012a321b87bbf0 39677 libvirt_1.0.2-3.debian.tar.gz
 41e2ef9c1ecdf0551552cf1a32c07692758fa04c7a04bcfc012dd7277795d246 2689284 libvirt-doc_1.0.2-3_all.deb
 9d564cf5cd4dec75094c554d97820adccda300a6cda8b50b1d399632712e13d4 4765166 libvirt-bin_1.0.2-3_i386.deb
 2e6d42c5d50f44a325903903581747519acfcfb60eb208fd9032ad6dac900d2e 2534946 libvirt0_1.0.2-3_i386.deb
 b9096f4b36d14d7b21aeb8a528dac48e77aa3fb86bc32acc3fd61a2013774882 10598744 libvirt0-dbg_1.0.2-3_i386.deb
 194d334f266d985aa137d6b7ed67a80af2a124d5d44eed6407d1253526e2ed28 2915812 libvirt-dev_1.0.2-3_i386.deb
 b675ee6feef0273aa6a9d2789257a0eaffb05a262c94ebce5dc71e66e29b2f9f 1905800 python-libvirt_1.0.2-3_i386.deb
 9090e02c520ad87d639d7869494f191841c86d57e1a0f748d0d64ae2c946c290 1525492 libvirt-sanlock_1.0.2-3_i386.deb
Files: 
 809c42ff84193199f9679d792c8de1a7 2515 libs optional libvirt_1.0.2-3.dsc
 056900fcc59a8e5be0827bd7fb41b858 39677 libs optional libvirt_1.0.2-3.debian.tar.gz
 93e3c06e638f547e44365df2b4d1afdb 2689284 doc optional libvirt-doc_1.0.2-3_all.deb
 7e982b4a3448ee4a08da824ce4c43021 4765166 admin optional libvirt-bin_1.0.2-3_i386.deb
 867079f1fde247f4b3150905835f2546 2534946 libs optional libvirt0_1.0.2-3_i386.deb
 bff770e7b272022a704c7c3f507e4de8 10598744 debug extra libvirt0-dbg_1.0.2-3_i386.deb
 db11eecb58467eab03c743379764d211 2915812 libdevel optional libvirt-dev_1.0.2-3_i386.deb
 dd769bd600a82782a6f91c09cc028eea 1905800 python optional python-libvirt_1.0.2-3_i386.deb
 34b64ec541afe7ffa5c4b3f775bcca05 1525492 libs extra libvirt-sanlock_1.0.2-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRLHskn88szT8+ZCYRAshiAKCCDJKykvM37rFpHcrpKVQhTY5qRgCfTO7U
UJmwSM2V830o3d+tdfMBJsw=
=Do7x
-----END PGP SIGNATURE-----

Message #27 received at 701649@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: 701649@bugs.debian.org

Subject: Affected versions

Date: Tue, 26 Feb 2013 11:44:28 +0100

[Message part 1 (text/plain, inline)]

This also affects stable, bpo and wheezzy. The attached fix that I
applied to the version in experimental applies to 0.9.12 as well.

However I won't have a chance to test the wheezy version in a reasonable
setup (bridged network, lvm, kvm) for the next days/weeks so I'm not
uploading a new version for wheezy yet. 

If somebody else could pick that up it'd be great. Note that this is not
remote and only affects users/processes in the kvm group.
Cheers,
 -- Guido

[0001-CVE-2013-1766-Use-libvirt-qemu-as-group-to-run-qemu-.patch (text/x-diff, attachment)]

Message #32 received at 701649@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 701649@bugs.debian.org

Subject: Re: Bug#701649: Affected versions

Date: Tue, 26 Feb 2013 20:57:09 +0100

Control: found -1 0.8.3-5+squeeze2
Control: found -1 0.9.12-6
Control: found -1 0.9.12-7

Hi Guido

On Tue, Feb 26, 2013 at 11:44:28AM +0100, Guido Günther wrote:
> This also affects stable, bpo and wheezzy. The attached fix that I
> applied to the version in experimental applies to 0.9.12 as well.

Only marking the versions accordingly in this bug.

Regards,
Salvatore

Message #43 received at 701649@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@freegeek.org>

To: 701649@bugs.debian.org

Subject: libvirt-bin - libvirtd changes permissions of devices to libvirt-qemu:kvm (CVE-2013-1766)

Date: Thu, 28 Feb 2013 22:48:22 -0800

Figured I'd add that it's not limited to devices- it can change the permissions
of arbitrary files, such as /boot/vmlinuz-*, if that matters.

live well,
  vagrant

Message #48 received at 701649@bugs.debian.org (full text, mbox, reply):

From: Bastian Blank <waldi@debian.org>

To: Guido Günther <agx@sigxcpu.org>

Cc: 701649@bugs.debian.org

Subject: Re: [Pkg-libvirt-maintainers] Bug#701649: libvirt-bin - libvirtd changes permissions of devices to libvirt-qemu:kvm

Date: Sat, 2 Mar 2013 09:58:20 +0100

On Tue, Feb 26, 2013 at 05:52:25AM +0100, Guido Günther wrote:
> This is configuratble via the group option in /etc/libvirt/qemu.conf. I
> do think that kvm is a reasonable choice since kvm isn't a general
> purpose group but one reserved for processes running kvm instances.

kvm is general purpose group for access to /dev/kvm. It always have
been. If not, please bring this up with the kvm/udev/kernel maintainers.

> However I'm open for discussion to switch this to libvirt-qemu as well.
> (but leaving kvm as the libvirt-qemu user's primary group).

Change the devices to group "disk". The CTTE ruled some years ago that
"disk" must be the default group of all disk devices.

Bastian

-- 
The man on tops walks a lonely street; the "chain" of command is often a noose.

Message #63 received at 701649-close@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: 701649-close@bugs.debian.org

Subject: Bug#701649: fixed in libvirt 0.9.12-8

Date: Mon, 04 Mar 2013 18:02:42 +0000

Source: libvirt
Source-Version: 0.9.12-8

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 701649@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 04 Mar 2013 16:58:19 +0100
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev python-libvirt
Architecture: source all i386
Version: 0.9.12-8
Distribution: unstable
Urgency: low
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Description: 
 libvirt-bin - programs for the libvirt library
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt0   - library for interfacing with different virtualization systems
 libvirt0-dbg - library for interfacing with different virtualization systems
 python-libvirt - libvirt Python bindings
Closes: 701649
Changes: 
 libvirt (0.9.12-8) unstable; urgency=low
 .
   * [181eab1] CVE-2013-1766: Use libvirt-qemu as group to run qemu/kvm
     instances.  This makes sure we don't chown files to groups possibly used
     by other programs. (Closes: #701649)
   * [0ef17cc] Enable systemd services
Checksums-Sha1: 
 d5d0fe06d74e45e36480dd48244b2322506deb18 2276 libvirt_0.9.12-8.dsc
 3115100b9594e9e4fca616439593002ba040389c 49067 libvirt_0.9.12-8.debian.tar.gz
 83a85604f4d78d420b6c07eeb1f81e4e5cbe8f96 2174384 libvirt-doc_0.9.12-8_all.deb
 c62a61f840d036b53f3e1397f62eb4a61e064d05 2334504 libvirt-bin_0.9.12-8_i386.deb
 355e2ca6ff1e79359e4c2a237665c56f12070519 2122194 libvirt0_0.9.12-8_i386.deb
 7ab90c862608d278c491f92342198126009bf622 7471286 libvirt0-dbg_0.9.12-8_i386.deb
 2800da4ad16e8d4805b0025c9aa744bb8860e1b6 2503928 libvirt-dev_0.9.12-8_i386.deb
 2d2b5d2f0780dccc97a9ad16f47c88b1243035cc 1420672 python-libvirt_0.9.12-8_i386.deb
Checksums-Sha256: 
 ee8fde57035ebac6df71e443fbacc51911e891a05403cdaa6328ac724b8fa2e4 2276 libvirt_0.9.12-8.dsc
 88d59c2b6dfb0492419823f521ae729351c1089b2e69795837eee15fe921bdf9 49067 libvirt_0.9.12-8.debian.tar.gz
 fe7caec05310d2b70111a4d639dc4bdb0f7f6af57b815659a315f363af054ec0 2174384 libvirt-doc_0.9.12-8_all.deb
 c271187eb1865f17176dfdc7afec669d243d05a4493d5b768f81cb061e1794eb 2334504 libvirt-bin_0.9.12-8_i386.deb
 945e26b16d3f7b66323316e1238a1f94f09006d0500e831e683682fa18dead8e 2122194 libvirt0_0.9.12-8_i386.deb
 7d0bcf85e5d61d3df83e0543e39a628f1f96f2c8b2ff3d2f610389ad3e5b4000 7471286 libvirt0-dbg_0.9.12-8_i386.deb
 80aea142bda34254db89512f6d205af0805137633b80bcab7140c962b1f5ec5d 2503928 libvirt-dev_0.9.12-8_i386.deb
 fcca4d4f02fa12e25241b6b554de8e017c897f50ff3537f1d92c13a45c11666b 1420672 python-libvirt_0.9.12-8_i386.deb
Files: 
 c9b318c258fbdfe94c414f6d6be16ddb 2276 libs optional libvirt_0.9.12-8.dsc
 fa14f79b190286a6144f276b0db0a218 49067 libs optional libvirt_0.9.12-8.debian.tar.gz
 ec4008f10f0787de054bfc42309f4732 2174384 doc optional libvirt-doc_0.9.12-8_all.deb
 fbbb23c4ca2e6ec97144f7b9ae667446 2334504 admin optional libvirt-bin_0.9.12-8_i386.deb
 fa2ef16d15df7df68141188f37b0c6c4 2122194 libs optional libvirt0_0.9.12-8_i386.deb
 2a13db024b31f23cb95c2af0aa1dafcc 7471286 debug extra libvirt0-dbg_0.9.12-8_i386.deb
 8c7e0958d67c3af46a728631bdb2dc72 2503928 libdevel optional libvirt-dev_0.9.12-8_i386.deb
 a5f867b4ed3b827d546334458e06b662 1420672 python optional python-libvirt_0.9.12-8_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRNNsUn88szT8+ZCYRAvddAJ0Ta+Ms9ABWnnDWVuUt6CGr5+QkaQCdGSPj
pv1jolf8HrFaqlLHZEMZgCg=
=R+Na
-----END PGP SIGNATURE-----

Message #68 received at 701649@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

To: Guido Günther <agx@sigxcpu.org>

Cc: 701649@bugs.debian.org

Subject: Re: Bug#701649: fixed in libvirt 0.9.12-8

Date: Tue, 05 Mar 2013 20:48:03 +0000

On Mon, 2013-03-04 at 18:02 +0000, Guido Günther wrote:
>  libvirt (0.9.12-8) unstable; urgency=low
>  .
>    * [181eab1] CVE-2013-1766: Use libvirt-qemu as group to run qemu/kvm
>      instances.  This makes sure we don't chown files to groups possibly used
>      by other programs. (Closes: #701649)

I was looking at this with a view to unblocking it, but think there
might have been a small copy-n-waste error in the postrm changes;
specifically:

@@ -25,6 +25,14 @@
                delgroup libvirt || true
        fi
 
+       if getent user libvirt-qemu >/dev/null; then

"getent user" should be "getent passwd".

+               deluser libvirt || true

Presumably this should be "libvirt-qemu".

+       fi
+
+       if getent group libvirt-qemu >/dev/null; then
+               delgroup libvirt || true

Again, should be libvirt-qemu.

As a side note, the debian/libvirt-bin.NEWS entry for the unstable
upload should really reference 0.9.12-8 rather than 1.0.2-3.

Regards,

Adam

Message #73 received at 701649@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Cc: 701649@bugs.debian.org

Subject: Re: Bug#701649: fixed in libvirt 0.9.12-8

Date: Wed, 6 Mar 2013 10:13:29 +0100

On Tue, Mar 05, 2013 at 08:48:03PM +0000, Adam D. Barratt wrote:
> On Mon, 2013-03-04 at 18:02 +0000, Guido Günther wrote:
> >  libvirt (0.9.12-8) unstable; urgency=low
> >  .
> >    * [181eab1] CVE-2013-1766: Use libvirt-qemu as group to run qemu/kvm
> >      instances.  This makes sure we don't chown files to groups possibly used
> >      by other programs. (Closes: #701649)
> 
> I was looking at this with a view to unblocking it, but think there
> might have been a small copy-n-waste error in the postrm changes;
> specifically:
> 
> @@ -25,6 +25,14 @@
>                 delgroup libvirt || true
>         fi
>  
> +       if getent user libvirt-qemu >/dev/null; then
> 
> "getent user" should be "getent passwd".
> 
> +               deluser libvirt || true
> 
> Presumably this should be "libvirt-qemu".
> 
> +       fi
> +
> +       if getent group libvirt-qemu >/dev/null; then
> +               delgroup libvirt || true
> 
> Again, should be libvirt-qemu.
> 
> As a side note, the debian/libvirt-bin.NEWS entry for the unstable
> upload should really reference 0.9.12-8 rather than 1.0.2-3.

Sorry for being sloppy and thanks for your review. I just uploaded a new
version.
Cheers,
 -- Guido

Message #78 received at 701649@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

To: Guido Günther <agx@sigxcpu.org>, <701649@bugs.debian.org>

Subject: Re: Bug#701649: fixed in libvirt 0.9.12-8

Date: Wed, 06 Mar 2013 11:07:46 +0000

On 06.03.2013 09:13, Guido Günther wrote:
> On Tue, Mar 05, 2013 at 08:48:03PM +0000, Adam D. Barratt wrote:
>> On Mon, 2013-03-04 at 18:02 +0000, Guido Günther wrote:
>> >  libvirt (0.9.12-8) unstable; urgency=low
>> >  .
>> >    * [181eab1] CVE-2013-1766: Use libvirt-qemu as group to run 
>> qemu/kvm
>> >      instances.  This makes sure we don't chown files to groups 
>> possibly used
>> >      by other programs. (Closes: #701649)
>>
>> I was looking at this with a view to unblocking it, but think there
>> might have been a small copy-n-waste error in the postrm changes;
>> specifically:
>>
>> @@ -25,6 +25,14 @@
>>                 delgroup libvirt || true
>>         fi
>>
>> +       if getent user libvirt-qemu >/dev/null; then
>>
>> "getent user" should be "getent passwd".
[...]
> Sorry for being sloppy and thanks for your review. I just uploaded a 
> new
> version.

Thanks for the quick turn-around. Unfortunately the "getent user" call 
above doesn't appear to be fixed in -9.

Regards,

Adam

Message #83 received at 701649@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Cc: 701649@bugs.debian.org

Subject: Re: Bug#701649: fixed in libvirt 0.9.12-8

Date: Wed, 6 Mar 2013 14:09:02 +0100

On Wed, Mar 06, 2013 at 11:07:46AM +0000, Adam D. Barratt wrote:
> On 06.03.2013 09:13, Guido Günther wrote:
> >On Tue, Mar 05, 2013 at 08:48:03PM +0000, Adam D. Barratt wrote:
> >>On Mon, 2013-03-04 at 18:02 +0000, Guido Günther wrote:
> >>>  libvirt (0.9.12-8) unstable; urgency=low
> >>>  .
> >>>    * [181eab1] CVE-2013-1766: Use libvirt-qemu as group to run
> >>qemu/kvm
> >>>      instances.  This makes sure we don't chown files to
> >>groups possibly used
> >>>      by other programs. (Closes: #701649)
> >>
> >>I was looking at this with a view to unblocking it, but think there
> >>might have been a small copy-n-waste error in the postrm changes;
> >>specifically:
> >>
> >>@@ -25,6 +25,14 @@
> >>                delgroup libvirt || true
> >>        fi
> >>
> >>+       if getent user libvirt-qemu >/dev/null; then
> >>
> >>"getent user" should be "getent passwd".
> [...]
> >Sorry for being sloppy and thanks for your review. I just uploaded
> >a new
> >version.
> 
> Thanks for the quick turn-around. Unfortunately the "getent user"
> call above doesn't appear to be fixed in -9.
Another proof that there's just not enough time to work on Debian these
days. I shouldn't do this. Hopefully fixed now.
Cheers,
 -- Guido

Message #88 received at 701649@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

To: Guido Günther <agx@sigxcpu.org>

Cc: <701649@bugs.debian.org>

Subject: Re: Bug#701649: fixed in libvirt 0.9.12-8

Date: Wed, 06 Mar 2013 13:28:12 +0000

On 06.03.2013 13:09, Guido Günther wrote:
> On Wed, Mar 06, 2013 at 11:07:46AM +0000, Adam D. Barratt wrote:
>> Thanks for the quick turn-around. Unfortunately the "getent user"
>> call above doesn't appear to be fixed in -9.
> Another proof that there's just not enough time to work on Debian 
> these
> days.

I recognise that sentiment. :-(

> I shouldn't do this. Hopefully fixed now.

Yep, thanks; I've unblocked -11.

Regards,

Adam

Message #93 received at 701649@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: 701649@bugs.debian.org

Cc: team@security.debian.org

Subject: Fix for stable

Date: Sat, 9 Mar 2013 19:54:42 +0100

[Message part 1 (text/plain, inline)]

Hi,
sorry for the delay but attached is the diff for the stable update. This
addrsses #701649 (CVE-2013-1766) as well as #699224 (kind of
CVE-2013-0170). Is this enough for the security team to issue the DSA?
Let me know if I can help further.
Cheers,
 -- Guido

[diff-to-0.8.3-5+squeeze2 (text/plain, attachment)]

🔗 View this message in rfc822 format

From: Guido Günther <agx@sigxcpu.org>

To: team@security.debian.org

Cc: 701649@bugs.debian.org

Subject: Bug#701649: Fix for stable

Date: Fri, 15 Mar 2013 01:31:23 +0100

Hi,
On Sat, Mar 09, 2013 at 07:54:42PM +0100, Guido Günther wrote:
> Hi,
> sorry for the delay but attached is the diff for the stable update. This
> addrsses #701649 (CVE-2013-1766) as well as #699224 (kind of
> CVE-2013-0170). Is this enough for the security team to issue the DSA?
> Let me know if I can help further.
Is this on the security teams DSA list or is the impact low enough that
we can schedule this for the next stable release?
Cheers,
 -- Guido

Message #104 received at 701649@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: Yves-Alexis Perez <corsac@debian.org>

Cc: 701649@bugs.debian.org, team@security.debian.org

Subject: Re: Fix for stable

Date: Fri, 15 Mar 2013 10:30:08 +0100

On Fri, Mar 15, 2013 at 10:17:29AM +0100, Guido Günther wrote:
> On Fri, Mar 15, 2013 at 08:15:15AM +0100, Yves-Alexis Perez wrote:
> > On sam., 2013-03-09 at 19:54 +0100, Guido Günther wrote:
> > > Hi,
> > > sorry for the delay but attached is the diff for the stable update.
> > > This
> > > addrsses #701649 (CVE-2013-1766) as well as #699224 (kind of
> > > CVE-2013-0170). Is this enough for the security team to issue the DSA?
> > > Let me know if I can help further.
> > 
> > Just a comment. Does the package still need to create/remove the kvm
> > group? Shouldn't only the kvm package do that?
> 
> I think so. We need to put the user in that group to access /dev/kvm.
> We could use a trigger but that would certainly be more fragile.
> 
> > What about the permissions on devices (there's something abou tit on the
> > bug report)?
> 
> Devices will be changed to libvirt-qemu:libvirt-qemu when accessed to
> make sure the process has the necessary permission.

Permissions of disks are currently set to 0600.
 -- Guido

> Cheers,
>  -- Guido

Message #109 received at 701649@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: Guido Günther <agx@sigxcpu.org>

Cc: 701649@bugs.debian.org, team@security.debian.org

Subject: Re: Fix for stable

Date: Fri, 15 Mar 2013 13:05:40 +0100

[Message part 1 (text/plain, inline)]

On sam., 2013-03-09 at 19:54 +0100, Guido Günther wrote:
> Hi,
> sorry for the delay but attached is the diff for the stable update.
> This
> addrsses #701649 (CVE-2013-1766) as well as #699224 (kind of
> CVE-2013-0170). Is this enough for the security team to issue the DSA?
> Let me know if I can help further.

Allright, please upload to security-master, I'll try to prepare and
issue a DSA.

Regards,
-- 
Yves-Alexis

[signature.asc (application/pgp-signature, inline)]

Message #114 received at 701649@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: Guido Günther <agx@sigxcpu.org>

Cc: 701649@bugs.debian.org, team@security.debian.org

Subject: Re: Fix for stable

Date: Fri, 15 Mar 2013 08:15:15 +0100

[Message part 1 (text/plain, inline)]

On sam., 2013-03-09 at 19:54 +0100, Guido Günther wrote:
> Hi,
> sorry for the delay but attached is the diff for the stable update.
> This
> addrsses #701649 (CVE-2013-1766) as well as #699224 (kind of
> CVE-2013-0170). Is this enough for the security team to issue the DSA?
> Let me know if I can help further.

Just a comment. Does the package still need to create/remove the kvm
group? Shouldn't only the kvm package do that?

What about the permissions on devices (there's something abou tit on the
bug report)?

Regards,
-- 
Yves-Alexis

[signature.asc (application/pgp-signature, inline)]

Message #119 received at 701649@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: Guido Günther <agx@sigxcpu.org>

Cc: 701649@bugs.debian.org, team@security.debian.org

Subject: Re: Fix for stable

Date: Fri, 15 Mar 2013 10:40:12 +0100

[Message part 1 (text/plain, inline)]

On sam., 2013-03-09 at 19:54 +0100, Guido Günther wrote:
> Hi,
> sorry for the delay but attached is the diff for the stable update. This
> addrsses #701649 (CVE-2013-1766) as well as #699224 (kind of
> CVE-2013-0170). Is this enough for the security team to issue the DSA?
> Let me know if I can help further.
> Cheers,
>  -- Guido

Ok, I have two more questions:

- what is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701649#43
really about? Does libvirt changes permissions on files added to the
storage pool or something?
- in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701649#48 waldi
seems to prefer the disks group, but I don't think any other comment
replying to that. Could you elaborate about this?

Regards,
-- 
Yves-Alexis

[signature.asc (application/pgp-signature, inline)]

Message #124 received at 701649@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: Yves-Alexis Perez <corsac@debian.org>

Cc: 701649@bugs.debian.org, team@security.debian.org

Subject: Re: Fix for stable

Date: Fri, 15 Mar 2013 10:52:04 +0100

On Fri, Mar 15, 2013 at 10:40:12AM +0100, Yves-Alexis Perez wrote:
> On sam., 2013-03-09 at 19:54 +0100, Guido Günther wrote:
> > Hi,
> > sorry for the delay but attached is the diff for the stable update. This
> > addrsses #701649 (CVE-2013-1766) as well as #699224 (kind of
> > CVE-2013-0170). Is this enough for the security team to issue the DSA?
> > Let me know if I can help further.
> > Cheers,
> >  -- Guido
> 
> Ok, I have two more questions:
> 
> - what is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701649#43
> really about? Does libvirt changes permissions on files added to the
> storage pool or something?

When using qemu:///system (that is running qemu via the system libvirtd
instead of the user's session libvirtd) and dynamic_ownership = 1 (the
default) libvirtd changes permissions of devices and files it needs to
open to libvirt-qemu:libvirt-qemu since it runs the qemu/kvm process
itself with these privileges. Before the change this used to be
libvirt-qemu:kvm.

> - in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701649#48 waldi
> seems to prefer the disks group, but I don't think any other comment
> replying to that. Could you elaborate about this?

This is just not how dynamic ownership works. It consistently uses the
above for all devices accessed by the qemu process.
Cheers,
 -- Guido

> 
> Regards,
> -- 
> Yves-Alexis

Message #129 received at 701649-close@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: 701649-close@bugs.debian.org

Subject: Bug#701649: fixed in libvirt 0.8.3-5+squeeze4

Date: Sun, 17 Mar 2013 11:02:46 +0000

Source: libvirt
Source-Version: 0.8.3-5+squeeze4

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 701649@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 09 Mar 2013 17:03:01 +0100
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev python-libvirt
Architecture: source all i386
Version: 0.8.3-5+squeeze4
Distribution: stable-security
Urgency: low
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Description: 
 libvirt-bin - the programs for the libvirt library
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt0   - library for interfacing with different virtualization systems
 libvirt0-dbg - library for interfacing with different virtualization systems
 python-libvirt - libvirt Python bindings
Closes: 701649
Changes: 
 libvirt (0.8.3-5+squeeze4) stable-security; urgency=low
 .
   * [9d7846f] CVE-2013-1766: Use libvirt-qemu as group to run qemu/kvm
     instances.  This makes sure we don't chown files to groups possibly used
     by other programs. (Closes: #701649)
Checksums-Sha1: 
 e8ef92c5d05db518e1b6c71a3fa224519e9027f4 1910 libvirt_0.8.3-5+squeeze4.dsc
 43ef8845e0300b461c7dcd55dadf2f56111394b8 37556 libvirt_0.8.3-5+squeeze4.debian.tar.gz
 87f7af5fb204a6175d0db7ed321deb5359d25eb0 1123904 libvirt-doc_0.8.3-5+squeeze4_all.deb
 b2493341c5fe3666a21c14149d05dae399c07386 1023018 libvirt-bin_0.8.3-5+squeeze4_i386.deb
 a925e240f196e30d440f782b349acfa205331451 955254 libvirt0_0.8.3-5+squeeze4_i386.deb
 9c76ee5a08ee5d72e972acdee695ace98d74338d 3049776 libvirt0-dbg_0.8.3-5+squeeze4_i386.deb
 91b70c9abf07ec743d9e3b93947e01459a2dd2a0 1177068 libvirt-dev_0.8.3-5+squeeze4_i386.deb
 a9335d7c675c92a60bd1f0d3c71fca5562851ddc 440196 python-libvirt_0.8.3-5+squeeze4_i386.deb
Checksums-Sha256: 
 173f3fd5d88da343894c280e8ed3271f145e8ccd5bbbaccf63d5670dd4b860d6 1910 libvirt_0.8.3-5+squeeze4.dsc
 fb5852b3ffa4e1d97de17d50c31cf880e7149c48396ebad933b098c9a131ac10 37556 libvirt_0.8.3-5+squeeze4.debian.tar.gz
 86b837cf2f1bb5799742f237807daecb67733d470e0dcb5dd80d764e52196946 1123904 libvirt-doc_0.8.3-5+squeeze4_all.deb
 b8894451c4f06746c010deaadd1df4a2dba673442388d48345942b683b29dad9 1023018 libvirt-bin_0.8.3-5+squeeze4_i386.deb
 7c5f42ffd49b1fabd1dabf0acba23519df13ee04da3f994c0c15aa0b8fad16c5 955254 libvirt0_0.8.3-5+squeeze4_i386.deb
 029acc4ef054605ea291dc89401bdc2a1565408646f78fb81178ced20de3fdff 3049776 libvirt0-dbg_0.8.3-5+squeeze4_i386.deb
 9ac65d0f962a231e16b9d7d32d125351cefb84afd7d730391b486a34a3e7748c 1177068 libvirt-dev_0.8.3-5+squeeze4_i386.deb
 269573cff75b1c6b8057eba921c6f3fdb165a31e207a0ff885eac43f5fbac751 440196 python-libvirt_0.8.3-5+squeeze4_i386.deb
Files: 
 83b4eb8528e557f271baedc6258fa9de 1910 libs optional libvirt_0.8.3-5+squeeze4.dsc
 39eaddaafcc8df19f3edcc2b5761f96f 37556 libs optional libvirt_0.8.3-5+squeeze4.debian.tar.gz
 4bee11c0a47daf8a1df11a7ad5634441 1123904 doc optional libvirt-doc_0.8.3-5+squeeze4_all.deb
 227c0b6255c0f3272e805e7805af6173 1023018 admin optional libvirt-bin_0.8.3-5+squeeze4_i386.deb
 a325d5148d2efc33c3bf25d9bdf130ef 955254 libs optional libvirt0_0.8.3-5+squeeze4_i386.deb
 a0bf161bb05833a2a2b1701494be83c6 3049776 debug extra libvirt0-dbg_0.8.3-5+squeeze4_i386.deb
 08ff59cf9f3df86789b180704d6dd01a 1177068 libdevel optional libvirt-dev_0.8.3-5+squeeze4_i386.deb
 ca661f802630c6b1493627ac8ef9060b 440196 python optional python-libvirt_0.8.3-5+squeeze4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRQx7tn88szT8+ZCYRAiSFAJ4+o3p/61MxFc7cpowhfMsBmiSdxwCfeYY2
BLkH/UPZ9k18hRLrj4xLHik=
=CblW
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.