Bug 945645 (CVE-2015-5247)

Summary: VUL-0: CVE-2015-5247: libvirt: nfs root squash problems
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: cbosdonnat, jfehlig, jsegitz, smash_bz, vpereira
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/156554/
Whiteboard: CVSSv2:RedHat:CVE-2015-5247:1.7:(AV:L/AC:L/Au:S/C:N/I:N/A:P)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2015-09-14 09:17:22 UTC
CVE-2015-5247

http://libvirt.org/git/?p=libvirt.git;a=tag;h=6c03786285a507be7d93fa6b2786fad161066954
http://libvirt.org/git/?p=libvirt.git;a=tag;h=f99b6ddb92b19ba122d112b358199cab144e0d86
http://libvirt.org/git/?p=libvirt.git;a=tag;h=40c5e56f9de6be8c11ffeeecb007f93ed3a137de
https://bugzilla.redhat.com/show_bug.cgi?id=1259350


 Commit id '155ca616' added the 'refreshVol' API. In an NFS root-squash
environment it was possible that if the just created volume from XML wasn't
properly created with the right uid/gid and/or mode, then the followup
refreshVol will fail to open the volume in order to get the allocation/
capacity values. This would leave the volume still on the server and
cause a libvirtd crash because 'voldef' would be in the pool list, but
the cleanup code would free it.

 virfile: Introduce virFileUnlink

In an NFS root-squashed environment the 'vol-delete' command will fail to
'unlink' the target volume since it was created under a different uid:gid.

This code continues the concepts introduced in virFileOpenForked and
virDirCreate[NoFork] with respect to running the unlink command under
the uid/gid of the child. Unlike the other two, don't retry on EACCES
(that's why we're here doing this now).
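
The pattern the virFileUnlink commit message describes, as an added C example that is not libvirt's code: `unlink_as` is a hypothetical helper that forks, switches the child to the volume owner's uid:gid, and unlinks once with no retry on EACCES. It assumes the ids are only changed when they differ from the caller's (which requires root) and that errno values fit in an exit status.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: unlink `path` in a forked child running as uid:gid,
 * so a root-squashed NFS server sees the file owner instead of "nobody".
 * Returns 0 on success, -errno on failure. Deliberately no retry on EACCES. */
int unlink_as(const char *path, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        /* Child: drop supplementary groups and gid before uid. */
        if (gid != getegid() && (setgroups(0, NULL) < 0 || setgid(gid) < 0))
            _exit(errno);
        if (uid != geteuid() && setuid(uid) < 0)
            _exit(errno);
        _exit(unlink(path) == 0 ? 0 : errno);
    }
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -errno;
    /* The child's exit status carries its errno; a signal death maps to EIO. */
    return WIFEXITED(status) ? -WEXITSTATUS(status) : -EIO;
}

int main(void)
{
    char path[] = "/tmp/unlink_as_demo_XXXXXX";  /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0)
        return 1;
    close(fd);
    int rc = unlink_as(path, geteuid(), getegid());
    printf("unlink_as(%s) -> %d (%s)\n", path, rc, strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```
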
Comment 1 Cédric Bosdonnat 2015-09-14 09:27:55 UTC
Working on it
Comment 5 Bernhard Wiedemann 2015-09-14 10:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (945645) was mentioned in
https://build.opensuse.org/request/show/330866 Factory / libvirt
Comment 6 James Fehlig 2015-09-15 00:51:00 UTC
Affects libvirt 1.2.14 through 1.2.19.  For SUSE products that means Factory, SLE12 SP1, and Leap. Cedric has already taken care of the first two.
Comment 7 Bernhard Wiedemann 2015-09-15 09:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (945645) was mentioned in
https://build.opensuse.org/request/show/331002 Leap:42.1 / libvirt
Comment 8 Bernhard Wiedemann 2015-09-15 18:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (945645) was mentioned in
https://build.opensuse.org/request/show/331092 Leap:42.1 / libvirt
https://build.opensuse.org/request/show/331093 Factory / libvirt
Comment 9 Bernhard Wiedemann 2015-09-17 21:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (945645) was mentioned in
https://build.opensuse.org/request/show/331842 Leap:42.1 / libvirt
Comment 10 Cédric Bosdonnat 2015-10-05 18:26:27 UTC
Changes have now landed in all impacted distros
Comment 11 Marcus Meissner 2015-10-07 06:32:23 UTC
reopen and reassign to security-team for tracking
Comment 12 Swamp Workflow Management 2015-10-07 21:59:56 UTC
bugbot adjusting priority
Comment 13 Johannes Segitz 2017-08-10 14:36:59 UTC
fixed