[Pkg-libvirt-commits] [libvirt] 03/04: CVE-2015-5313: storage: don't allow '/' in filesystem volume names
Guido Guenther
agx at moszumanska.debian.org
Fri Dec 18 08:04:28 UTC 2015
This is an automated email from the git hooks/post-receive script.
agx pushed a commit to annotated tag debian/1.3.0-1
in repository libvirt.
commit 4fb53c73477dc34b7e771861ea90b9349ca5a743
Author: Guido Günther <agx at sigxcpu.org>
Date: Thu Dec 17 08:15:56 2015 +0100
CVE-2015-5313: storage: don't allow '/' in filesystem volume names
---
...orage-don-t-allow-in-filesystem-volume-na.patch | 69 ++++++++++++++++++++++
.../debian/Debianize-systemd-service-files.patch | 2 +-
debian/patches/series | 1 +
3 files changed, 71 insertions(+), 1 deletion(-)
diff --git a/debian/patches/CVE-2015-5313-storage-don-t-allow-in-filesystem-volume-na.patch b/debian/patches/CVE-2015-5313-storage-don-t-allow-in-filesystem-volume-na.patch
new file mode 100644
index 0000000..fc8026a
--- /dev/null
+++ b/debian/patches/CVE-2015-5313-storage-don-t-allow-in-filesystem-volume-na.patch
@@ -0,0 +1,69 @@
+From: Eric Blake <eblake at redhat.com>
+Date: Tue, 8 Dec 2015 17:46:31 -0700
+Subject: CVE-2015-5313: storage: don't allow '/' in filesystem volume names
+
+The libvirt file system storage driver determines what file to
+act on by concatenating the pool location with the volume name.
+If a user is able to pick names like "../../../etc/passwd", then
+they can escape the bounds of the pool. For that matter,
+virStoragePoolListVolumes() doesn't descend into subdirectories,
+so a user really shouldn't use a name with a slash.
+
+Normally, only privileged users can coerce libvirt into creating
+or opening existing files using the virStorageVol APIs; and such
+users already have full privilege to create any domain XML (so it
+is not an escalation of privilege). But in the case of
+fine-grained ACLs, it is feasible that a user can be granted
+storage_vol:create but not domain:write, and it violates
+assumptions if such a user can abuse libvirt to access files
+outside of the storage pool.
+
+Therefore, prevent all use of volume names that contain "/",
+whether or not such a name is actually attempting to escape the
+pool.
+
+This changes things from:
+
+$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
+Vol ../../../../../../etc/haha created
+$ rm /etc/haha
+
+to:
+
+$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
+error: Failed to create vol ../../../../../../etc/haha
+error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/'
+
+Signed-off-by: Eric Blake <eblake at redhat.com>
+---
+ src/storage/storage_backend_fs.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/storage/storage_backend_fs.c b/src/storage/storage_backend_fs.c
+index 99ea394..39659bf 100644
+--- a/src/storage/storage_backend_fs.c
++++ b/src/storage/storage_backend_fs.c
+@@ -1,7 +1,7 @@
+ /*
+ * storage_backend_fs.c: storage backend for FS and directory handling
+ *
+- * Copyright (C) 2007-2014 Red Hat, Inc.
++ * Copyright (C) 2007-2015 Red Hat, Inc.
+ * Copyright (C) 2007-2008 Daniel P. Berrange
+ *
+ * This library is free software; you can redistribute it and/or
+@@ -1057,6 +1057,14 @@ virStorageBackendFileSystemVolCreate(virConnectPtr conn ATTRIBUTE_UNUSED,
+ else
+ vol->type = VIR_STORAGE_VOL_FILE;
+
++ /* Volumes within a directory pools are not recursive; do not
++ * allow escape to ../ or a subdir */
++ if (strchr(vol->name, '/')) {
++ virReportError(VIR_ERR_OPERATION_INVALID,
++ _("volume name '%s' cannot contain '/'"), vol->name);
++ return -1;
++ }
++
+ VIR_FREE(vol->target.path);
+ if (virAsprintf(&vol->target.path, "%s/%s",
+ pool->def->target.path,
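Review bot: The strchr(vol->name, '/') check in virStorageBackendFileSystemVolCreate still accepts the names "." and "..", which contain no slash, so the virAsprintf call that follows would build a target.path pointing at the pool directory itself or at its parent. Consider rejecting those two names in the same block, or saying in the comment why they cannot become a usable volume. Smaller points: the new comment reads "a directory pools" where "a directory pool" is meant; the inner diffstat shows only src/storage/storage_backend_fs.c changing, so a regression test for the rejected name shown in the commit message would be worth adding; and the Debian patch header gives From, Date and Subject but no reference to the upstream commit it was taken from, which would make later tracking easier.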
diff --git a/debian/patches/debian/Debianize-systemd-service-files.patch b/debian/patches/debian/Debianize-systemd-service-files.patch
index 765467e..c98feef 100644
--- a/debian/patches/debian/Debianize-systemd-service-files.patch
+++ b/debian/patches/debian/Debianize-systemd-service-files.patch
@@ -8,7 +8,7 @@ Subject: Debianize systemd service files
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/daemon/libvirtd.service.in b/daemon/libvirtd.service.in
-index 9e67e43..d9b0841 100644
+index 608221c..fb81712 100644
--- a/daemon/libvirtd.service.in
+++ b/daemon/libvirtd.service.in
@@ -12,8 +12,8 @@ Documentation=http://libvirt.org
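Review bot: The only change to Debianize-systemd-service-files.patch is the refreshed index line for daemon/libvirtd.service.in (9e67e43..d9b0841 becoming 608221c..fb81712), which is unrelated to the CVE-2015-5313 fix. Putting patch-refresh churn in its own commit would keep this security commit limited to the new patch file and its series entry, which makes the fix easier to audit and to cherry-pick.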
diff --git a/debian/patches/series b/debian/patches/series
index a1b31c3..f3143d1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ debian/Use-upstreams-polkit-rule.patch
Allow-access-to-libnl-3-config-files.patch
debian/apparmor_profiles_local_include.patch
debian/libsystemd.patch
+CVE-2015-5313-storage-don-t-allow-in-filesystem-volume-na.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libvirt.git