Bug 845704 (CVE-2013-4401) - VUL-0: CVE-2013-4401: libvirt: incorrect perms for virConnectDomainXML{To, From}Native
Status: RESOLVED FIXED
Alias: CVE-2013-4401
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2013-10-14 08:10 UTC by Marcus Meissner
Modified: 2013-10-31 12:58 UTC
Description Marcus Meissner 2013-10-14 08:10:04 UTC
via libvirt security, not yet public

CVE-2013-4401

The virConnectDomainXMLToNative API should require 'connect:write'
not 'connect:read', since it will trigger execution of the QEMU
binaries listed in the XML.

Also make virConnectDomainXMLFromNative API require a full
read-write connection and connect:read permission. Although the
current impl doesn't trigger execution of QEMU, we should not
rely on that impl detail from an API permissioning POV.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Comment 2 Swamp Workflow Management 2013-10-14 22:00:15 UTC
bugbot adjusting priority
Comment 6 Bernhard Wiedemann 2013-10-26 02:00:39 UTC
This is an autogenerated message for OBS integration:
This bug (845704) was mentioned in
https://build.opensuse.org/request/show/204842 Factory / libvirt
Comment 7 James Fehlig 2013-10-26 02:32:15 UTC
Now submitted to Factory / 13.1 - SR#204842.  Both fixes mentioned in #5 are included in the submission.  I think I'm done here - reassigning to security.
Comment 8 Marcus Meissner 2013-10-30 06:54:57 UTC
thx!