Bug 845720 (CVE-2013-4419) - VUL-0: CVE-2013-4419: libguestfs: predictable tmp socket names
Summary: VUL-0: CVE-2013-4419: libguestfs: predictable tmp socket names
Status: RESOLVED FIXED
Alias: CVE-2013-4419
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P2 - High : Major
Target Milestone: ---
Deadline: 2013-10-21
Assignee: Olaf Hering
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3:54703
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-14 09:41 UTC by Marcus Meissner
Modified: 2013-11-27 09:13 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 3 Swamp Workflow Management 2013-10-14 09:55:31 UTC
The SWAMPID for this issue is 54702.
This issue was rated as important.
Please submit fixed packages until 2013-10-21.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 4 Marcus Meissner 2013-10-14 10:00:11 UTC
reproduce:

as another testuser create:
mkdir /tmp/.guestfish-UIDLOCALUSER   (UIDLOCALUSER of user test)
chmod 777 /tmp/.guestfish-UIDLOCALUSER

and then start guestfish and see if it creates sockets within the directory
owned by a different user.

It should not allow that.
Comment 6 Bernhard Wiedemann 2013-10-18 10:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (845720) was mentioned in
https://build.opensuse.org/request/show/203711 Factory / libguestfs
Comment 7 Marcus Meissner 2013-10-18 13:13:39 UTC
is public now:


libguestfs is a library for accessing and modifying guest disk images. It was found that guestfish, which enables shell scripting and command line access to libguestfs, insecurely created the temporary directory used to store the network socket when started in server mode (using the "--listen" option). If guestfish were run with the "--listen" option, a local attacker could use this flaw to intercept and modify other users' guestfish commands, allowing them to perform arbitrary guestfish actions (such as modifying virtual machines) with the privileges of a different user, or use this flaw to obtain authentication credentials.

Acknowledgements:

This issue was discovered by Michael Scherer of the Red Hat Regional IT team.
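
The check that the reproduction in comment 4 probes for, as an added example (not the libguestfs fix and not code from this bug report): create the per-user directory with mode 0700, then refuse it unless it is a real directory owned by the calling user with no group or other access. The function name `make_private_sockdir` and the path used in `main` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not libguestfs code): create or reuse a per-user
 * directory for a listening socket. Returns 0 if it is safe to use,
 * -1 with errno set otherwise. */
int make_private_sockdir(const char *path)
{
    struct stat st;

    /* Ask for 0700 up front. EEXIST is tolerated only because the
     * existing object is validated below before anything is put in it. */
    if (mkdir(path, 0700) == -1 && errno != EEXIST)
        return -1;

    /* lstat, not stat: a symlink planted under the predictable name
     * must be seen as a symlink, not followed. */
    if (lstat(path, &st) == -1)
        return -1;
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    /* Owned by someone else (the case in comment 4), or open to
     * group/others: refuse to place a socket there. */
    if (st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO))) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    char dir[64];

    /* Constructed path for the demo; same shape as the name in comment 4. */
    snprintf(dir, sizeof dir, "/tmp/.sockdir-demo-%ld", (long)geteuid());
    if (make_private_sockdir(dir) == -1) {
        perror(dir);
        return 1;
    }
    printf("%s is private to uid %ld\n", dir, (long)geteuid());
    return 0;
}
```

Once the directory passes this check, the sticky bit on /tmp keeps other users from renaming or replacing it before the socket is bound.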
Comment 8 Bernhard Wiedemann 2013-10-21 08:00:30 UTC
This is an autogenerated message for OBS integration:
This bug (845720) was mentioned in
https://build.opensuse.org/request/show/204077 Factory / libguestfs
Comment 9 Bernhard Wiedemann 2013-10-21 09:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (845720) was mentioned in
https://build.opensuse.org/request/show/204088 Factory / libguestfs
Comment 10 Bernhard Wiedemann 2013-10-21 16:00:26 UTC
This is an autogenerated message for OBS integration:
This bug (845720) was mentioned in
https://build.opensuse.org/request/show/204212 Factory / libguestfs
Comment 11 Swamp Workflow Management 2013-11-04 12:56:25 UTC
Update released for: guestfs-data, guestfs-tools, guestfsd, libguestfs, libguestfs-debuginfo, libguestfs-debugsource, libguestfs-devel, libguestfs0
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)
Comment 12 Marcus Meissner 2013-11-27 09:13:25 UTC
was released