Debian Bug report logs - #617773
libvirt: several API calls do not honour read-only connection

version graph

Package: libvirt; Maintainer for libvirt is Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>;

Reported by: Luciano Bello <luciano@debian.org>

Date: Fri, 11 Mar 2011 09:51:01 UTC

Severity: normal

Tags: security

Fixed in versions libvirt/0.8.8-3, libvirt/0.8.3-5+squeeze1

Done: Guido Günther <agx@sigxcpu.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#617773; Package libvirt. (Fri, 11 Mar 2011 09:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Fri, 11 Mar 2011 09:51:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: libvirt: several API calls do not honour read-only connection
Date: Fri, 11 Mar 2011 06:46:28 -0300
Package: libvirt
Tags: security

Hi,
"It has been found that several libvirt API calls (virNodeDeviceDettach,
virNodeDeviceReset, virDomainRevertToSnapshot, virDomainSnapshotDelete) did not
honour read-only connection. Remote attacker could use this flaw to crash the
host server (DoS)."

Please use CVE-2011-1146 as a reference to this problem. Can you confirm if this 
affects to oldstable or stable?

More info at
https://bugzilla.redhat.com/show_bug.cgi?id=683650

Thanks, luciano




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#617773; Package libvirt. (Sat, 12 Mar 2011 20:51:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Sat, 12 Mar 2011 20:51:07 GMT) Full text and rfc822 format available.

Message #10 received at 617773@bugs.debian.org (full text, mbox):

From: Guido Günther <agx@sigxcpu.org>
To: Luciano Bello <luciano@debian.org>, 617773@bugs.debian.org
Subject: Re: [Pkg-libvirt-maintainers] Bug#617773: libvirt: several API calls do not honour read-only connection
Date: Fri, 11 Mar 2011 22:59:00 +0100
On Fri, Mar 11, 2011 at 06:46:28AM -0300, Luciano Bello wrote:
> Package: libvirt
> Tags: security
> 
> Hi,
> "It has been found that several libvirt API calls (virNodeDeviceDettach,
> virNodeDeviceReset, virDomainRevertToSnapshot, virDomainSnapshotDelete) did not
> honour read-only connection. Remote attacker could use this flaw to crash the
> host server (DoS)."
>
> Please use CVE-2011-1146 as a reference to this problem. Can you confirm if this 
> affects to oldstable or stable?
> 
> More info at
> https://bugzilla.redhat.com/show_bug.cgi?id=683650

Stable has:

virNodeDeviceDettach
virNodeDeviceReset
virDomainRevertToSnapshot
virDomainSnapshotDelete

lacking checks for RO connections.

Oldstable has none of these functions since the APIs were added later.
Cheers,
 -- Guido




Reply sent to Guido Günther <agx@sigxcpu.org>:
You have taken responsibility. (Mon, 14 Mar 2011 21:39:06 GMT) Full text and rfc822 format available.

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Mon, 14 Mar 2011 21:39:06 GMT) Full text and rfc822 format available.

Message #15 received at 617773-close@bugs.debian.org (full text, mbox):

From: Guido Günther <agx@sigxcpu.org>
To: 617773-close@bugs.debian.org
Subject: Bug#617773: fixed in libvirt 0.8.8-3
Date: Mon, 14 Mar 2011 21:37:41 +0000
Source: libvirt
Source-Version: 0.8.8-3

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive:

libvirt-bin_0.8.8-3_i386.deb
  to main/libv/libvirt/libvirt-bin_0.8.8-3_i386.deb
libvirt-dev_0.8.8-3_i386.deb
  to main/libv/libvirt/libvirt-dev_0.8.8-3_i386.deb
libvirt-doc_0.8.8-3_all.deb
  to main/libv/libvirt/libvirt-doc_0.8.8-3_all.deb
libvirt0-dbg_0.8.8-3_i386.deb
  to main/libv/libvirt/libvirt0-dbg_0.8.8-3_i386.deb
libvirt0_0.8.8-3_i386.deb
  to main/libv/libvirt/libvirt0_0.8.8-3_i386.deb
libvirt_0.8.8-3.debian.tar.gz
  to main/libv/libvirt/libvirt_0.8.8-3.debian.tar.gz
libvirt_0.8.8-3.dsc
  to main/libv/libvirt/libvirt_0.8.8-3.dsc
python-libvirt_0.8.8-3_i386.deb
  to main/libv/libvirt/python-libvirt_0.8.8-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 617773@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 14 Mar 2011 20:06:57 +0100
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev python-libvirt
Architecture: source all i386
Version: 0.8.8-3
Distribution: unstable
Urgency: low
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Description: 
 libvirt-bin - the programs for the libvirt library
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt0   - library for interfacing with different virtualization systems
 libvirt0-dbg - library for interfacing with different virtualization systems
 python-libvirt - libvirt Python bindings
Closes: 614210 617773
Changes: 
 libvirt (0.8.8-3) unstable; urgency=low
 .
   * [28df435] Don't create the rundir in the init script. The daemon does this
     now.
   * [7302aff] New patch Make-sure-the-rundir-is-accessible-by-the-user.patch.
     Make sure the rundir is accessible by the user (Closes: #614210)
   * [6dde59d] Recommend dmidecode used by the qemu driver
   * [235f893]  Add missing checks for read only connections.
     As pointed on CVE-2011-1146, some API forgot to check the read-only
     status of the connection for entry point which modify the state
     of the system or may lead to a remote execution using user data.
     The entry points concerned are:
       - virConnectDomainXMLToNative
       - virNodeDeviceDettach
       - virNodeDeviceReAttach
       - virNodeDeviceReset
       - virDomainRevertToSnapshot
       - virDomainSnapshotDelete
      src/libvirt.c: fix the above set of entry points to error on read-only
      connections (Closes: #617773)
Checksums-Sha1: 
 9201b3c73ebee3ad07a0bd1d0276afafa1d8fb3d 1874 libvirt_0.8.8-3.dsc
 7b7843181dd06ced8f6388b8e0fa378b0b79a8be 29942 libvirt_0.8.8-3.debian.tar.gz
 a37727e7dece4a455ce4763b134a4393a71d6325 1366942 libvirt-doc_0.8.8-3_all.deb
 913e3716e2e394ea3ca6d04de031207a24c419a7 1208742 libvirt-bin_0.8.8-3_i386.deb
 21e4fdbde89a20be1e1388b4d12b5e0a56ad616b 1229932 libvirt0_0.8.8-3_i386.deb
 1923bd44dc35f648440c3a43b1f06695e135a9c0 3792886 libvirt0-dbg_0.8.8-3_i386.deb
 c5349715b8c2a98abb06d27011e73f21b53c8c2a 1500362 libvirt-dev_0.8.8-3_i386.deb
 5090e9a411697219791340a50b70f4633841a0aa 584462 python-libvirt_0.8.8-3_i386.deb
Checksums-Sha256: 
 f9f31511926ea47ff876e03997d7eceb7b8a612ea1094a85b9ff5c6debb8aaa6 1874 libvirt_0.8.8-3.dsc
 936a36ddce8321056c716f31a7e39563e348491103f73ade94d5ccf048a17189 29942 libvirt_0.8.8-3.debian.tar.gz
 f8e7be8895351fbd597f7ed690e8dd73c6d576f334180a51a71e0e6dbcce1d6a 1366942 libvirt-doc_0.8.8-3_all.deb
 b2d2ce9bcdb97d49c2bd4229f081c0a7379e2e8959b4f3cf6e6aa2db8e2234d5 1208742 libvirt-bin_0.8.8-3_i386.deb
 4f7de634fcc5a32cf6c94770370a2eb4d40e5efb25d8c54476af8715fbbb14db 1229932 libvirt0_0.8.8-3_i386.deb
 72b78297ea02ef63f4a2696d2c79d5f0afcbdf2caf7ec98c0c1c00df0850b879 3792886 libvirt0-dbg_0.8.8-3_i386.deb
 9516907fa74614deaeefe3967078be650aef6f20c230d96e04f4f8a0e01271e8 1500362 libvirt-dev_0.8.8-3_i386.deb
 cca96a6596ffb43ae918e882a27aecf3a38bfe4a0ea8740c0117e9d8668ccc21 584462 python-libvirt_0.8.8-3_i386.deb
Files: 
 516043318458e76e2a7ae7cc05ce3531 1874 libs optional libvirt_0.8.8-3.dsc
 484f446bb6c3bd06da4f01df421a3929 29942 libs optional libvirt_0.8.8-3.debian.tar.gz
 3e68a355791f47f9ff5750861136419b 1366942 doc optional libvirt-doc_0.8.8-3_all.deb
 2399f3d0804da39a13ff2b9a2c8b3b67 1208742 admin optional libvirt-bin_0.8.8-3_i386.deb
 e0799933bc5b2b5a2a5f982bd9a164af 1229932 libs optional libvirt0_0.8.8-3_i386.deb
 6dbbf463ba693f97a069000845418c93 3792886 debug extra libvirt0-dbg_0.8.8-3_i386.deb
 22aa1d69b35c73aa5f6824a7b4ddba58 1500362 libdevel optional libvirt-dev_0.8.8-3_i386.deb
 69890cd625ae5ae38e6675b18d84e3d3 584462 python optional python-libvirt_0.8.8-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFNfnngn88szT8+ZCYRAjDJAJ9hUFI+36/E02EoTPUEEPgb5xyxDQCfQDdO
IVU8Z3U/iiBIqtIj6J9hB5w=
=1zJI
-----END PGP SIGNATURE-----





Reply sent to Guido Günther <agx@sigxcpu.org>:
You have taken responsibility. (Wed, 23 Mar 2011 09:45:10 GMT) Full text and rfc822 format available.

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Wed, 23 Mar 2011 09:45:10 GMT) Full text and rfc822 format available.

Message #20 received at 617773-close@bugs.debian.org (full text, mbox):

From: Guido Günther <agx@sigxcpu.org>
To: 617773-close@bugs.debian.org
Subject: Bug#617773: fixed in libvirt 0.8.3-5+squeeze1
Date: Wed, 23 Mar 2011 09:44:04 +0000
Source: libvirt
Source-Version: 0.8.3-5+squeeze1

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive:

libvirt-bin_0.8.3-5+squeeze1_i386.deb
  to main/libv/libvirt/libvirt-bin_0.8.3-5+squeeze1_i386.deb
libvirt-dev_0.8.3-5+squeeze1_i386.deb
  to main/libv/libvirt/libvirt-dev_0.8.3-5+squeeze1_i386.deb
libvirt-doc_0.8.3-5+squeeze1_all.deb
  to main/libv/libvirt/libvirt-doc_0.8.3-5+squeeze1_all.deb
libvirt0-dbg_0.8.3-5+squeeze1_i386.deb
  to main/libv/libvirt/libvirt0-dbg_0.8.3-5+squeeze1_i386.deb
libvirt0_0.8.3-5+squeeze1_i386.deb
  to main/libv/libvirt/libvirt0_0.8.3-5+squeeze1_i386.deb
libvirt_0.8.3-5+squeeze1.debian.tar.gz
  to main/libv/libvirt/libvirt_0.8.3-5+squeeze1.debian.tar.gz
libvirt_0.8.3-5+squeeze1.dsc
  to main/libv/libvirt/libvirt_0.8.3-5+squeeze1.dsc
python-libvirt_0.8.3-5+squeeze1_i386.deb
  to main/libv/libvirt/python-libvirt_0.8.3-5+squeeze1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 617773@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 14 Mar 2011 21:33:33 +0100
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev python-libvirt
Architecture: source all i386
Version: 0.8.3-5+squeeze1
Distribution: stable-security
Urgency: low
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Description: 
 libvirt-bin - the programs for the libvirt library
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt0   - library for interfacing with different virtualization systems
 libvirt0-dbg - library for interfacing with different virtualization systems
 python-libvirt - libvirt Python bindings
Closes: 617773
Changes: 
 libvirt (0.8.3-5+squeeze1) stable-security; urgency=low
 .
   * [0ee351f] [CVE-2011-1146] Add missing checks for read only connections.
     Some API forgot to check the read-only status of the connection for
     entry point which modify the state of the system or may lead to a remote
     execution using user data.
     The entry points concerned are:
       - virConnectDomainXMLToNative
       - virNodeDeviceDettach
       - virNodeDeviceReAttach
       - virNodeDeviceReset
       - virDomainRevertToSnapshot
       - virDomainSnapshotDelete
     src/libvirt.c: fix the above set of entry points to error on read-only
     (Closes: #617773)
Checksums-Sha1: 
 5e9cdf77c59492365589e8f9fcaca5398e850acb 1910 libvirt_0.8.3-5+squeeze1.dsc
 4dc92139031f2af3141c2b1d0813b57ecd735c5d 12430752 libvirt_0.8.3.orig.tar.gz
 06055fe552e57c43515a03fc4a44a07deb0a57f1 30169 libvirt_0.8.3-5+squeeze1.debian.tar.gz
 1c19211ced39c177468c4870f86e89f98375188b 1120026 libvirt-doc_0.8.3-5+squeeze1_all.deb
 917f5e27ed1c39b6d72003dac8d5d60a87a1f9a4 1022162 libvirt-bin_0.8.3-5+squeeze1_i386.deb
 26a3fd1605f5cc158ebfa1018ddaf1b70bf453f7 954860 libvirt0_0.8.3-5+squeeze1_i386.deb
 241a8434e6858dcb2096a32d2e84cf1f06d100f4 3045724 libvirt0-dbg_0.8.3-5+squeeze1_i386.deb
 a5f262d2066dcddbce28b56b0d160f8f5a671bf8 1176458 libvirt-dev_0.8.3-5+squeeze1_i386.deb
 82a41aee83feb2a5fca89abe1120a5e646b19f9b 440134 python-libvirt_0.8.3-5+squeeze1_i386.deb
Checksums-Sha256: 
 27c3781098f5c6f45582a08321e94c7e5ba273a671b46aadaf58cfb319c4ba53 1910 libvirt_0.8.3-5+squeeze1.dsc
 35e1836c3947ac3edd7b4a1948cf13f5f13dd3e5bb31933d627d771b1e997a1f 12430752 libvirt_0.8.3.orig.tar.gz
 f9fca6e0bf3f3434acb59562a1405953b93f1686f53893d9584dd182d31c4be2 30169 libvirt_0.8.3-5+squeeze1.debian.tar.gz
 3058008b7735dc546750a7380dcc1ba7d9f96e244bc33fd194a2fd34d8fe417f 1120026 libvirt-doc_0.8.3-5+squeeze1_all.deb
 478a98af610d2b3b12dccd49cfd73732836450eec14507b093faa67dee8452d0 1022162 libvirt-bin_0.8.3-5+squeeze1_i386.deb
 1d05e07c8596ae9d0ad77412986468cd2bcf233b11c20086905c84011c938d5d 954860 libvirt0_0.8.3-5+squeeze1_i386.deb
 6614a747c10050dc51baa093a3fd552afbd7521c9c7850b62dd99f9318c4cd2c 3045724 libvirt0-dbg_0.8.3-5+squeeze1_i386.deb
 079b35103864c6b472be3c49a391ad74f50b622a263a354b3a965db47274b6de 1176458 libvirt-dev_0.8.3-5+squeeze1_i386.deb
 efb3e8d596ce7c9f97d7ab4c4248c5050be4261389ef3d64ebfe11a5f14ca19d 440134 python-libvirt_0.8.3-5+squeeze1_i386.deb
Files: 
 91055f0638e8b59c0b6b064be034e26e 1910 libs optional libvirt_0.8.3-5+squeeze1.dsc
 ae8535ce119d32a2e9fb1f46e2c8f325 12430752 libs optional libvirt_0.8.3.orig.tar.gz
 6ecc8db35e8634de348ed3f695553ce5 30169 libs optional libvirt_0.8.3-5+squeeze1.debian.tar.gz
 9500e700dfb4cb17f0ac28956d841415 1120026 doc optional libvirt-doc_0.8.3-5+squeeze1_all.deb
 620959491e8f6186a9998b547a4b9e71 1022162 admin optional libvirt-bin_0.8.3-5+squeeze1_i386.deb
 3ae9e78cf2a8a8fa6a6f6ca8fd9b8d80 954860 libs optional libvirt0_0.8.3-5+squeeze1_i386.deb
 0a5557c1c008f9c48b9b8b404ed0aaae 3045724 debug extra libvirt0-dbg_0.8.3-5+squeeze1_i386.deb
 e69d0b433cb79bc9cd0d18cb91afd60c 1176458 libdevel optional libvirt-dev_0.8.3-5+squeeze1_i386.deb
 c158c81c5074972f29992c6d5e9f1d5e 440134 python optional python-libvirt_0.8.3-5+squeeze1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFNgboXn88szT8+ZCYRAm0xAJ9Y8qS30/PePM3HmQyY9ktSJ4VEWgCffm+H
ZM8FgUoXmzNFt8gioCgFl1s=
=g0Gz
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 25 May 2011 07:38:53 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 16:25:34 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.