Bugzilla – Bug 837530
VUL-0: CVE-2013-4291: libvirt: provide supplemental groups even when parsing label
Last modified: 2015-03-05 14:47:00 UTC
not yet public, discussed on libvirt security list. Please keep inside SUSE!

On Fri, Aug 23, 2013 at 09:58:07AM -0600, Eric Blake wrote:
> Commit 29fe5d7 (first in 1.1.1) introduced a latent problem for
> any caller of virSecurityManagerSetProcessLabel and where the
> domain already had a uid:gid label to be parsed. Such a setup
> would collect the list of supplementary groups during
> virSecurityManagerPreFork, but then ignores that information,
> and thus fails to call setgroups() to adjust the supplementary
> groups of the process.

CVE-2013-4291, final patch still in discussion.

Are we affected by this?
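The two-step sequence the quoted commit message describes (collect supplementary groups before fork, then actually apply them with setgroups() before dropping to the target uid:gid), as an added C example; this is not libvirt's code, the function names are hypothetical, and the "uid:gid" label format is assumed to be plain decimal ids:

```c
#define _GNU_SOURCE            /* getgrouplist()/setgroups() prototypes on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse a "uid:gid" DAC label such as "107:107" (hypothetical helper). Only
 * plain decimal ids are accepted; "-1" and out-of-range values are rejected
 * so that setuid()/setgid() can never receive the "no change" id. */
int parse_uid_gid_label(const char *label, uid_t *uid, gid_t *gid)
{
    char *end;
    errno = 0;
    if (*label < '0' || *label > '9') return -1;
    unsigned long u = strtoul(label, &end, 10);
    if (errno || *end != ':' || u >= (unsigned long)(uid_t)-1) return -1;
    const char *gstart = end + 1;
    if (*gstart < '0' || *gstart > '9') return -1;
    unsigned long g = strtoul(gstart, &end, 10);
    if (errno || *end != '\0' || g >= (unsigned long)(gid_t)-1) return -1;
    *uid = (uid_t)u; *gid = (gid_t)g;
    return 0;
}

/* Pre-fork step: resolve the supplementary groups for uid while NSS is
 * still usable. Returns the count or -1; the primary gid is always
 * included, and a uid without a passwd entry gets just that gid. */
int collect_supplementary_groups(uid_t uid, gid_t gid, gid_t *groups, int max)
{
    struct passwd *pw = getpwuid(uid);
    int n = max;
    if (!pw) {
        if (max < 1) return -1;
        groups[0] = gid;
        return 1;
    }
    return getgrouplist(pw->pw_name, gid, groups, &n) < 0 ? -1 : n;
}

/* Post-fork step, before exec: apply the collected list. setgroups() must
 * run first, while the process still holds CAP_SETGID. Skipping it is the
 * gap quoted above: the child keeps the parent's supplementary groups. */
int apply_process_ids(uid_t uid, gid_t gid, const gid_t *groups, int ngroups)
{
    if (setgroups((size_t)ngroups, groups) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    return 0;
}
```

apply_process_ids() needs CAP_SETGID/CAP_SETUID, so it is meant for the privileged parent's child before exec; a quick check that it took effect is comparing getgroups() in the child against the collected list.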
(In reply to comment #0)
> are we affected by this?

Only in Factory.
libvirt 1.1.2, which will contain a fix for this issue, will be released early next week. I'll update Factory then, instead of wasting time backporting patches to 1.1.1.
bugbot adjusting priority
Submitted libvirt 1.1.2 to Factory, SR#197361.
This is an autogenerated message for OBS integration: This bug (837530) was mentioned in https://build.opensuse.org/request/show/197361 Factory / libvirt
Closing bug as only Factory was affected and was already fixed.
Update released for: libvirt, libvirt-client, libvirt-client-32bit, libvirt-client-x86, libvirt-debuginfo, libvirt-debugsource, libvirt-devel, libvirt-devel-32bit, libvirt-doc, libvirt-lock-sanlock, libvirt-python

Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)