Bug 953110 - (CVE-2015-5313) VUL-1: CVE-2015-5313: libvirtd: Directory traversal
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Normal
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2015-5313:4.0:(AV:L/A...
Reported: 2015-11-02 09:10 UTC by Sebastian Krahmer
Modified: 2016-07-05 14:59 UTC (History)
Comment 1 Sebastian Krahmer 2015-11-02 12:55:12 UTC
CVE-2015-5313
Comment 9 Marcus Meissner 2015-12-17 12:51:27 UTC
became public, e.g. via:

http://www.spinics.net/linux/fedora/libvir/msg121966.html


    Subject: [PATCH] CVE-2015-5313: storage: don't allow '/' in filesystem volume names
    From: Eric Blake <eblake@xxxxxxxxxx>
    Date: Fri, 11 Dec 2015 16:38:30 -0700

The libvirt file system storage driver determines what file to
act on by concatenating the pool location with the volume name.
If a user is able to pick names like "../../../etc/passwd", then
they can escape the bounds of the pool.  For that matter,
virStoragePoolListVolumes() doesn't descend into subdirectories,
so a user really shouldn't use a name with a slash.

Normally, only privileged users can coerce libvirt into creating
or opening existing files using the virStorageVol APIs; and such
users already have full privilege to create any domain XML (so it
is not an escalation of privilege).  But in the case of
fine-grained ACLs, it is feasible that a user can be granted
storage_vol:create but not domain:write, and it violates
assumptions if such a user can abuse libvirt to access files
outside of the storage pool.

Therefore, prevent all use of volume names that contain "/",
whether or not such a name is actually attempting to escape the
pool.

This changes things from:

$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
Vol ../../../../../../etc/haha created
$ rm /etc/haha

to:

$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
error: Failed to create vol ../../../../../../etc/haha
error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/'

Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
---

This has been reviewed on the libvirt security list, where it
was assigned a CVE.  Fortunately, this could only be used for
an escalation of privileges under fine-grained ACLs (which is
not an out-of-the-box config).

I will go ahead and push this to master as well as all the
active maint branches back to the introduction of ACLs.

...
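
The name check described in the commit message above, sketched in C as an added example; it is not the libvirt patch (whose hunks are not shown on this page). The function names, the pool path and the sample volume names are hypothetical, and rejecting "", "." and ".." is extra hardening assumed here, not something the commit message states.

```c
#include <stdio.h>
#include <string.h>

/* Pre-fix behaviour as the commit message describes it: the target file is
 * pool location + "/" + volume name, with no check on the name. */
int vol_path_unchecked(const char *pool, const char *name,
                       char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", pool, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Post-fix rule: refuse any name containing '/', whether or not it actually
 * escapes the pool. Rejecting "", "." and ".." is an addition made in this
 * example only; the commit message mentions just '/'. */
int vol_name_is_valid(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return strchr(name, '/') == NULL;
}

/* Validate first, then build the path; -1 means the name was refused. */
int vol_path_checked(const char *pool, const char *name,
                     char *out, size_t outlen)
{
    if (!vol_name_is_valid(name))
        return -1;
    return vol_path_unchecked(pool, name, out, outlen);
}

int main(void)
{
    /* Constructed sample inputs; the pool path is an assumption. */
    const char *pool = "/var/lib/libvirt/images";
    const char *names[] = { "disk0.img", "../../../../../../etc/haha",
                            "sub/disk.img" };
    char path[256];

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        if (vol_path_checked(pool, names[i], path, sizeof(path)) == 0)
            printf("accepted: %s -> %s\n", names[i], path);
        else
            printf("rejected: %s\n", names[i]);
    }
    return 0;
}
```

A name such as sub/disk.img is refused even though it stays inside the pool, matching the "whether or not such a name is actually attempting to escape the pool" rule in the commit message.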
Comment 10 Cédric Bosdonnat 2015-12-17 15:24:39 UTC
taking it
Comment 11 James Fehlig 2015-12-18 22:46:47 UTC
FYI, I've added eblake's fix to the libvirt 1.3.0 package I just submitted to Virtualization project. Forwarding the submission to Factory/Tumbleweed is pending some upgrade testing.
Comment 12 James Fehlig 2016-01-04 14:28:06 UTC
Over the holidays, I updated our SLE12 SP1 and Leap devel projects with the libvirt 1.2.18.2 stable maintenance release which includes the fix.
Comment 13 Cédric Bosdonnat 2016-01-05 09:52:22 UTC
The patch is now in the devel projects for SLES 11 SP4, openSUSE 13.2 and openSUSE 13.1 as well. Next maintenance updates will include them.
Comment 14 Bernhard Wiedemann 2016-01-14 18:00:26 UTC
This is an autogenerated message for OBS integration:
This bug (953110) was mentioned in
https://build.opensuse.org/request/show/353737 13.1 / libvirt
Comment 15 Andreas Stieger 2016-01-14 21:54:44 UTC
James, the package fails to build in openSUSE:Maintenance:4529/libvirt.openSUSE_13.2_Update with message "qemu-img is too old; skipping this test". Please submit one or more of the required packages in Virtualization:openSUSE13.2/libvirt or point out which change is required for this update to go ahead.
Comment 16 James Fehlig 2016-01-15 01:00:08 UTC
(In reply to Andreas Stieger from comment #15)
> James, the package fails to build in
> openSUSE:Maintenance:4529/libvirt.openSUSE_13.2_Update with message
> "qemu-img is too old; skipping this test"

The failing test was actually disk-drive-network-gluster. I disabled that test (we don't build libvirt with gluster support anyhow) and submitted another request, MR#353772.
Comment 17 Andreas Stieger 2016-01-15 09:29:52 UTC
(In reply to James Fehlig from comment #16)
> (In reply to Andreas Stieger from comment #15)
> > James, the package fails to build in
> > openSUSE:Maintenance:4529/libvirt.openSUSE_13.2_Update with message
> > "qemu-img is too old; skipping this test"
> 
> The failing test was actually disk-drive-network-gluster. I disabled that
> test (we don't build libvirt with gluster support anyhow) and submitted
> another request, MR#353772.

Looks good, thanks.
Comment 18 Swamp Workflow Management 2016-01-24 14:11:12 UTC
openSUSE-SU-2016:0209-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 953110
CVE References: CVE-2015-5313
Sources used:
openSUSE Leap 42.1 (src):    libvirt-1.2.18.2-5.1
openSUSE 13.2 (src):    libvirt-1.2.9-28.1
Comment 19 Swamp Workflow Management 2016-01-24 18:12:27 UTC
openSUSE-SU-2016:0216-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 863933,875216,953110
CVE References: CVE-2015-5313
Sources used:
openSUSE 13.1 (src):    libvirt-1.1.2-2.51.1
Comment 20 Swamp Workflow Management 2016-02-01 19:15:09 UTC
SUSE-SU-2016:0304-1: An update that solves two vulnerabilities and has 12 fixes is now available.

Category: security (moderate)
Bug References: 899334,903757,904432,911737,914297,914693,921355,921555,921586,936524,938228,948516,948686,953110
CVE References: CVE-2015-0236,CVE-2015-5313
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    libvirt-1.2.5-27.10.1
SUSE Linux Enterprise Software Development Kit 12 (src):    libvirt-1.2.5-27.10.1
SUSE Linux Enterprise Server for SAP 12 (src):    libvirt-1.2.5-27.10.1
SUSE Linux Enterprise Server 12 (src):    libvirt-1.2.5-27.10.1
SUSE Linux Enterprise Desktop 12 (src):    libvirt-1.2.5-27.10.1
Comment 21 Swamp Workflow Management 2016-03-31 16:08:29 UTC
SUSE-SU-2016:0923-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 952849,953110,954872,960305,964465
CVE References: CVE-2015-5313
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    libvirt-1.2.18.2-8.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libvirt-1.2.18.2-8.1
SUSE Linux Enterprise Server 12-SP1 (src):    libvirt-1.2.18.2-8.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libvirt-1.2.18.2-8.1
Comment 22 Swamp Workflow Management 2016-04-01 12:08:10 UTC
SUSE-SU-2016:0931-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (moderate)
Bug References: 948516,948686,953110,959094,960305,961173
CVE References: CVE-2015-5313
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libvirt-1.2.5-12.3
SUSE Linux Enterprise Server 11-SP4 (src):    libvirt-1.2.5-12.3
SUSE Linux Enterprise Desktop 11-SP4 (src):    libvirt-1.2.5-12.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libvirt-1.2.5-12.3
Comment 23 Cédric Bosdonnat 2016-07-05 14:50:38 UTC
Sebastian, is there any reason for this one to stay open? Is there still something you expect from me?
Comment 24 Andreas Stieger 2016-07-05 14:59:51 UTC
All done