[Pkg-libvirt-commits] [libvirt] 03/04: CVE-2015-5313: storage: don't allow '/' in filesystem volume names

Guido Guenther agx at moszumanska.debian.org
Fri Dec 18 08:04:28 UTC 2015


This is an automated email from the git hooks/post-receive script.

agx pushed a commit to annotated tag debian/1.3.0-1
in repository libvirt.

commit 4fb53c73477dc34b7e771861ea90b9349ca5a743
Author: Guido Günther <agx at sigxcpu.org>
Date:   Thu Dec 17 08:15:56 2015 +0100

    CVE-2015-5313: storage: don't allow '/' in filesystem volume names
---
 ...orage-don-t-allow-in-filesystem-volume-na.patch | 69 ++++++++++++++++++++++
 .../debian/Debianize-systemd-service-files.patch   |  2 +-
 debian/patches/series                              |  1 +
 3 files changed, 71 insertions(+), 1 deletion(-)

diff --git a/debian/patches/CVE-2015-5313-storage-don-t-allow-in-filesystem-volume-na.patch b/debian/patches/CVE-2015-5313-storage-don-t-allow-in-filesystem-volume-na.patch
new file mode 100644
index 0000000..fc8026a
--- /dev/null
+++ b/debian/patches/CVE-2015-5313-storage-don-t-allow-in-filesystem-volume-na.patch
@@ -0,0 +1,69 @@
+From: Eric Blake <eblake at redhat.com>
+Date: Tue, 8 Dec 2015 17:46:31 -0700
+Subject: CVE-2015-5313: storage: don't allow '/' in filesystem volume names
+
+The libvirt file system storage driver determines what file to
+act on by concatenating the pool location with the volume name.
+If a user is able to pick names like "../../../etc/passwd", then
+they can escape the bounds of the pool.  For that matter,
+virStoragePoolListVolumes() doesn't descend into subdirectories,
+so a user really shouldn't use a name with a slash.
+
+Normally, only privileged users can coerce libvirt into creating
+or opening existing files using the virStorageVol APIs; and such
+users already have full privilege to create any domain XML (so it
+is not an escalation of privilege).  But in the case of
+fine-grained ACLs, it is feasible that a user can be granted
+storage_vol:create but not domain:write, and it violates
+assumptions if such a user can abuse libvirt to access files
+outside of the storage pool.
+
+Therefore, prevent all use of volume names that contain "/",
+whether or not such a name is actually attempting to escape the
+pool.
+
+This changes things from:
+
+$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
+Vol ../../../../../../etc/haha created
+$ rm /etc/haha
+
+to:
+
+$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
+error: Failed to create vol ../../../../../../etc/haha
+error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/'
+
+Signed-off-by: Eric Blake <eblake at redhat.com>
+---
+ src/storage/storage_backend_fs.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/storage/storage_backend_fs.c b/src/storage/storage_backend_fs.c
+index 99ea394..39659bf 100644
+--- a/src/storage/storage_backend_fs.c
++++ b/src/storage/storage_backend_fs.c
+@@ -1,7 +1,7 @@
+ /*
+  * storage_backend_fs.c: storage backend for FS and directory handling
+  *
+- * Copyright (C) 2007-2014 Red Hat, Inc.
++ * Copyright (C) 2007-2015 Red Hat, Inc.
+  * Copyright (C) 2007-2008 Daniel P. Berrange
+  *
+  * This library is free software; you can redistribute it and/or
+@@ -1057,6 +1057,14 @@ virStorageBackendFileSystemVolCreate(virConnectPtr conn ATTRIBUTE_UNUSED,
+     else
+         vol->type = VIR_STORAGE_VOL_FILE;
+ 
++    /* Volumes within a directory pools are not recursive; do not
++     * allow escape to ../ or a subdir */
++    if (strchr(vol->name, '/')) {
++        virReportError(VIR_ERR_OPERATION_INVALID,
++                       _("volume name '%s' cannot contain '/'"), vol->name);
++        return -1;
++    }
++
+     VIR_FREE(vol->target.path);
+     if (virAsprintf(&vol->target.path, "%s/%s",
+                     pool->def->target.path,
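Review bot: The `strchr(vol->name, '/')` test added to virStorageBackendFileSystemVolCreate still accepts the names "." and "..", which contain no slash, so the following `virAsprintf(&vol->target.path, "%s/%s", ...)` can yield the pool directory itself or its parent. Consider rejecting those two names in the same condition. The check is also visible only on the create path, while the commit message speaks of "creating or opening existing files", so it is worth confirming that every other entry point that builds a path from vol->name is covered or cannot receive a caller-supplied name. Separately, the patch header carries From, Date and Subject but no reference to the upstream commit it was taken from; adding one would make the backport easier to audit.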
diff --git a/debian/patches/debian/Debianize-systemd-service-files.patch b/debian/patches/debian/Debianize-systemd-service-files.patch
index 765467e..c98feef 100644
--- a/debian/patches/debian/Debianize-systemd-service-files.patch
+++ b/debian/patches/debian/Debianize-systemd-service-files.patch
@@ -8,7 +8,7 @@ Subject: Debianize systemd service files
  2 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/daemon/libvirtd.service.in b/daemon/libvirtd.service.in
-index 9e67e43..d9b0841 100644
+index 608221c..fb81712 100644
 --- a/daemon/libvirtd.service.in
 +++ b/daemon/libvirtd.service.in
 @@ -12,8 +12,8 @@ Documentation=http://libvirt.org
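Review bot: The index-line change inside Debianize-systemd-service-files.patch (9e67e43..d9b0841 to 608221c..fb81712) is unrelated to the CVE-2015-5313 fix and looks like patch-refresh noise. Move it to a separate commit or drop it, so that the security commit contains only the new patch and its series entry and is easy to cherry-pick or audit.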
diff --git a/debian/patches/series b/debian/patches/series
index a1b31c3..f3143d1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ debian/Use-upstreams-polkit-rule.patch
 Allow-access-to-libnl-3-config-files.patch
 debian/apparmor_profiles_local_include.patch
 debian/libsystemd.patch
+CVE-2015-5313-storage-don-t-allow-in-filesystem-volume-na.patch
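Review bot: The new series entry is appended at the end, after the debian/ patches, with nothing marking it as an upstream security backport. A comment line above it or a dedicated subdirectory would make clear that it can be dropped once the packaged upstream version already contains the fix.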

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libvirt.git


