SHA256
1
0
forked from pool/libvirt
libvirt/8c3586ea-CVE-2013-4400.patch
James Fehlig fffa5dcc99 - CVE-2013-4400: Unsantized use of env variables allows privilege
escalation via virt-login-shell
  ae53e5d1-CVE-2013-4400.patch, 8c3586ea-CVE-2013-4400.patch,
  b7fcc799a-CVE-2013-4400.patch, 3e2f27e1-CVE-2013-4400.patch,
  CVE-2013-4400-build-fix.patch
  bnc#837609
- CVE-2013-4401: Fix perms for virConnectDomainXML{To,From}Native
  57687fd6-CVE-2013-4401.patch
  bnc#845704

OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=315
2013-10-21 21:49:57 +00:00

62 lines
2.1 KiB
Diff

commit 8c3586ea755c40d5e01b22cb7b5c1e668cdec994
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Wed Oct 9 10:59:36 2013 +0100
Only allow 'stderr' log output when running setuid (CVE-2013-4400)
We must not allow file/syslog/journald log outputs when running
setuid since they can be abused to do bad things. In particular
the 'file' output can be used to overwrite files.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/src/util/virlog.c
===================================================================
--- libvirt-1.1.2.orig/src/util/virlog.c
+++ libvirt-1.1.2/src/util/virlog.c
@@ -1318,6 +1318,9 @@ int virLogPriorityFromSyslog(int priorit
* Multiple output can be defined in a single @output, they just need to be
* separated by spaces.
*
+ * If running in setuid mode, then only the 'stderr' output will
+ * be allowed
+ *
* Returns the number of output parsed and installed or -1 in case of error
*/
int
@@ -1329,6 +1332,7 @@ virLogParseOutputs(const char *outputs)
virLogPriority prio;
int ret = -1;
int count = 0;
+ bool isSUID = virIsSUID();
if (cur == NULL)
return -1;
@@ -1348,6 +1352,8 @@ virLogParseOutputs(const char *outputs)
if (virLogAddOutputToStderr(prio) == 0)
count++;
} else if (STREQLEN(cur, "syslog", 6)) {
+ if (isSUID)
+ goto cleanup;
cur += 6;
if (*cur != ':')
goto cleanup;
@@ -1365,6 +1371,8 @@ virLogParseOutputs(const char *outputs)
VIR_FREE(name);
#endif /* HAVE_SYSLOG_H */
} else if (STREQLEN(cur, "file", 4)) {
+ if (isSUID)
+ goto cleanup;
cur += 4;
if (*cur != ':')
goto cleanup;
@@ -1385,6 +1393,8 @@ virLogParseOutputs(const char *outputs)
VIR_FREE(name);
VIR_FREE(abspath);
} else if (STREQLEN(cur, "journald", 8)) {
+ if (isSUID)
+ goto cleanup;
cur += 8;
#if USE_JOURNALD
if (virLogAddOutputToJournald(prio) == 0)