Bug 766559 - VUL-1: libvirt: address bus=device= when identicle vendor ID/product IDs usb devices attached are ignored
VUL-1: libvirt: address bus=device= when identicle vendor ID/product IDs usb ...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Linux
: P4 - Low : Minor
: ---
Assigned To: James Fehlig
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2012-06-12 10:00 UTC by Ludwig Nussel
Modified: 2017-09-20 06:38 UTC (History)
4 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2012-06-12 10:00:39 UTC
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.


Date: Mon, 11 Jun 2012 18:29:45 +0200
From: Petr Matousek <pmatouse@redhat.com>
Subject: [oss-security] CVE request -- libvirt: address bus= device= when identicle vendor
 ID/product IDs usb devices attached are ignored

Description of the problem:
libvirt ignores address bus= device= when identicle vendor
ID/product IDs usb devices attached with either virsh or virt-manager.

As a consequence, wrong USB device can be assigned to the wrong guest.

References and proposed upstream patch:

Petr Matousek / Red Hat Security Response Team
Comment 1 James Fehlig 2012-06-12 14:36:32 UTC
Related RH bugs


I don't have access to 815755, which might have some clues about affected libvirt versions.  Ludwig, assuming RH has already determined which version are affected, is it possible they might share this information?

Initial USB passthrough for qemu/kvm was added in libvirt 0.4.5!  But this code has changed significantly over the years and it is not obvious which versions might be affected without considerable investigation.  I'm happy to do this if needed, but hoping to save some time.  Thanks.
Comment 2 James Fehlig 2012-06-12 14:41:11 UTC
I'll start backporting the patches to known affected versions that we are using

libvirt 0.9.11 in 12.2/Factory
libvirt 0.9.6 in 12.1/sles11sp2

Forgot needinfo to Ludwig for my question in #1...
Comment 3 Swamp Workflow Management 2012-06-12 22:00:09 UTC
bugbot adjusting priority
Comment 5 James Fehlig 2012-06-13 17:20:01 UTC
There is very little info in rhb#831164, just a pointer to the first version of the upstream patchset.  I was hoping to find which versions of libvirt are affected.

There are several other bugs referenced in rhb#831164, but they are all non-public.
Comment 6 Bernhard Wiedemann 2012-07-10 17:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (766559) was mentioned in
https://build.opensuse.org/request/show/127535 Factory / libvirt
Comment 7 Marcus Meissner 2012-11-02 12:59:26 UTC
did we release this Jim?

its a bit unclear
Comment 8 James Fehlig 2012-11-02 15:22:40 UTC
I've fixed this bug in Factory and 12.2.  The latter was released about a week ago via maintenancereq #138011.

I haven't had time to fix it 12.1/sles11sp2, which has an older libvirt where the upstream patches do not apply cleanly.
Comment 9 Leonardo Chiquitto 2013-05-23 21:06:50 UTC
Jim, could you confirm whether this bug is fixed on 11-SP3's version of libvirt? Thanks.
Comment 10 James Fehlig 2013-05-27 16:08:55 UTC
Yes, it is fixed in SP3, which has the latest release of libvirt.
Comment 13 Alexander Bergmann 2013-09-20 16:16:46 UTC
Closing as fixed.