Bugzilla – Bug 766559
VUL-1: libvirt: address bus=device= when identical vendor ID/product IDs usb devices attached are ignored
Last modified: 2017-09-20 06:38:58 UTC
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

CVE-2012-2693

------------------------------------------------------------------------------
Date: Mon, 11 Jun 2012 18:29:45 +0200
From: Petr Matousek <pmatouse@redhat.com>
Subject: [oss-security] CVE request -- libvirt: address bus= device= when identical vendor ID/product IDs usb devices attached are ignored

Description of the problem:
libvirt ignores address bus= device= when identical vendor ID/product IDs usb devices attached with either virsh or virt-manager. As a consequence, wrong USB device can be assigned to the wrong guest.

References and proposed upstream patch:
https://www.redhat.com/archives/libvir-list/2012-April/msg01494.html

Thanks,
--
Petr Matousek / Red Hat Security Response Team
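The condition described in the report, as an added example (not libvirt code and not part of the bug thread): a Python check that flags USB <hostdev> entries in a domain XML whose vendor/product pair matches more than one host device, which is the case where the requested address bus= device= matters. The host device list, the domain XML and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: host USB devices as (bus, device, vendor, product).
# Two identical sticks share vendor/product 0x0951:0x1625.
HOST_USB = [
    (1, 4, 0x0951, 0x1625),
    (1, 5, 0x0951, 0x1625),
    (2, 3, 0x046D, 0xC52B),
]

# Constructed sample domain XML with two USB passthrough entries.
DOMAIN_XML = """
<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <hostdev mode='subsystem' type='usb'>
      <source>
        <vendor id='0x0951'/>
        <product id='0x1625'/>
        <address bus='1' device='5'/>
      </source>
    </hostdev>
    <hostdev mode='subsystem' type='usb'>
      <source>
        <vendor id='0x046d'/>
        <product id='0xc52b'/>
      </source>
    </hostdev>
  </devices>
</domain>
"""

def ambiguous_usb_hostdevs(domain_xml, host_usb):
    """Return hostdev entries whose vendor/product matches >1 host device."""
    findings = []
    root = ET.fromstring(domain_xml)
    for src in root.findall("./devices/hostdev[@type='usb']/source"):
        vendor, product = src.find("vendor"), src.find("product")
        if vendor is None or product is None:
            continue  # address-only entry: no vendor/product lookup involved
        vid, pid = int(vendor.get("id"), 16), int(product.get("id"), 16)
        matches = [(b, d) for b, d, v, p in host_usb if (v, p) == (vid, pid)]
        if len(matches) > 1:
            addr = src.find("address")
            wanted = None if addr is None else (
                int(addr.get("bus"), 0), int(addr.get("device"), 0))
            findings.append({"vendor": vid, "product": pid,
                             "requested": wanted, "candidates": matches})
    return findings
```

Each finding lists the address the XML asked for next to every host device that shares the vendor/product pair, so the guest's actual attachment can be compared against the requested one.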
Related RH bugs
https://bugzilla.redhat.com/show_bug.cgi?id=815755
https://bugzilla.redhat.com/show_bug.cgi?id=831164

I don't have access to 815755, which might have some clues about affected libvirt versions. Ludwig, assuming RH has already determined which versions are affected, is it possible they might share this information?

Initial USB passthrough for qemu/kvm was added in libvirt 0.4.5! But this code has changed significantly over the years and it is not obvious which versions might be affected without considerable investigation. I'm happy to do this if needed, but hoping to save some time. Thanks.
I'll start backporting the patches to known affected versions that we are using

libvirt 0.9.11 in 12.2/Factory
libvirt 0.9.6 in 12.1/sles11sp2

Forgot needinfo to Ludwig for my question in #1...
bugbot adjusting priority
There is very little info in rhb#831164, just a pointer to the first version of the upstream patchset. I was hoping to find which versions of libvirt are affected. There are several other bugs referenced in rhb#831164, but they are all non-public.
This is an autogenerated message for OBS integration: This bug (766559) was mentioned in https://build.opensuse.org/request/show/127535 Factory / libvirt
Did we release this, Jim? It's a bit unclear.
I've fixed this bug in Factory and 12.2. The latter was released about a week ago via maintenancereq #138011. I haven't had time to fix it in 12.1/sles11sp2, which has an older libvirt where the upstream patches do not apply cleanly.
Jim, could you confirm whether this bug is fixed on 11-SP3's version of libvirt? Thanks.
Yes, it is fixed in SP3, which has the latest release of libvirt.
Closing as fixed.