fffa5dcc99
escalation via virt-login-shell ae53e5d1-CVE-2013-4400.patch, 8c3586ea-CVE-2013-4400.patch, b7fcc799a-CVE-2013-4400.patch, 3e2f27e1-CVE-2013-4400.patch, CVE-2013-4400-build-fix.patch bnc#837609 - CVE-2013-4401: Fix perms for virConnectDomainXML{To,From}Native 57687fd6-CVE-2013-4401.patch bnc#845704 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=315
commit 8c3586ea755c40d5e01b22cb7b5c1e668cdec994
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Wed Oct 9 10:59:36 2013 +0100
Only allow 'stderr' log output when running setuid (CVE-2013-4400)
We must not allow file/syslog/journald log outputs when running
setuid since they can be abused to do bad things. In particular
the 'file' output can be used to overwrite files.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-1.1.2/src/util/virlog.c
===================================================================
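--- a/src/util/virlog.c
+++ b/src/util/virlog.c
@@ -1318,6 +1318,9 @@ int virLogPriorityFromSyslog(int priorit
 * Multiple output can be defined in a single @output, they just need to be
 * separated by spaces.
 *
+ * If running in setuid mode, then only the 'stderr' output will
+ * be allowed
+ *
 * Returns the number of output parsed and installed or -1 in case of error
 */
 int
@@ -1329,6 +1332,7 @@ virLogParseOutputs(const char *outputs)
 virLogPriority prio;
 int ret = -1;
 int count = 0;
+ bool isSUID = virIsSUID();
 
 if (cur == NULL)
 return -1;
@@ -1348,6 +1352,8 @@ virLogParseOutputs(const char *outputs)
 if (virLogAddOutputToStderr(prio) == 0)
 count++;
 } else if (STREQLEN(cur, "syslog", 6)) {
+ if (isSUID)
+ goto cleanup;
 cur += 6;
 if (*cur != ':')
 goto cleanup;
@@ -1365,6 +1371,8 @@ virLogParseOutputs(const char *outputs)
 VIR_FREE(name);
 #endif /* HAVE_SYSLOG_H */
 } else if (STREQLEN(cur, "file", 4)) {
+ if (isSUID)
+ goto cleanup;
 cur += 4;
 if (*cur != ':')
 goto cleanup;
@@ -1385,6 +1393,8 @@ virLogParseOutputs(const char *outputs)
 VIR_FREE(name);
 VIR_FREE(abspath);
 } else if (STREQLEN(cur, "journald", 8)) {
+ if (isSUID)
+ goto cleanup;
 cur += 8;
 #if USE_JOURNALD
 if (virLogAddOutputToJournald(prio) == 0)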
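Review bot: The setuid restriction in virLogParseOutputs is enforced by three separate `if (isSUID) goto cleanup;` guards, one each in the syslog, file and journald branches, so it works as a denylist: an output type added to this chain later would be accepted under setuid unless its author remembers to copy the guard. A single fail-closed check placed just before the dispatch, for example `if (isSUID && !STREQLEN(cur, "stderr", 6)) goto cleanup;`, would enforce the rule the new doc comment states ("only the 'stderr' output will be allowed") in one place. The head of the if/else chain and the `cleanup` label are both outside the visible hunks, so the exact placement has to be checked against the full function. Also from the visible lines, a stderr entry parsed earlier in the same string has already been installed and counted when a later entry is refused, and the doc comment does not say that the call then returns -1. I would extend the comment to `If running in setuid mode, any output other than 'stderr' is rejected and -1 is returned; outputs installed before the rejected entry are not rolled back`, after confirming that against the cleanup path.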