[Pkg-libvirt-commits] [libvirt] 01/04: CVE-2015-5313: Don't allow allow '/' in filesystem volume

Guido Guenther agx at moszumanska.debian.org
Fri Mar 25 14:42:23 UTC 2016 

This is an automated email from the git hooks/post-receive script.

agx pushed a commit to annotated tag debian/1.2.9-9+deb8u2
in repository libvirt.

commit 16e52e6bac8227b87ea96c94dc6d4878b3af5a40
Author: Philipp Hahn <pmhahn at pmhahn.de>
Date:   Fri Mar 25 11:06:11 2016 +0100

    CVE-2015-5313: Don't allow allow '/' in filesystem volume
    
    Closes: #808273
---
 ...13-storage-don-t-allow-in-filesystem-volu.patch | 72 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 73 insertions(+)

diff --git a/debian/patches/security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch b/debian/patches/security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch
new file mode 100644
index 0000000..90e9610
--- /dev/null
+++ b/debian/patches/security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch
@@ -0,0 +1,72 @@
+From 034e47c338b13a95cf02106a3af912c1c5f818d7 Mon Sep 17 00:00:00 2001
+Message-Id: <034e47c338b13a95cf02106a3af912c1c5f818d7.1457088964.git.hahn at univention.de>
+From: Eric Blake <eblake at redhat.com>
+Date: Tue, 8 Dec 2015 17:46:31 -0700
+Subject: [PATCH] CVE-2015-5313: storage: don't allow '/' in filesystem volume
+ names
+Organization: Univention GmbH, Bremen, Germany
+To: libvir-list at redhat.com
+
+The libvirt file system storage driver determines what file to
+act on by concatenating the pool location with the volume name.
+If a user is able to pick names like "../../../etc/passwd", then
+they can escape the bounds of the pool.  For that matter,
+virStoragePoolListVolumes() doesn't descend into subdirectories,
+so a user really shouldn't use a name with a slash.
+
+Normally, only privileged users can coerce libvirt into creating
+or opening existing files using the virStorageVol APIs; and such
+users already have full privilege to create any domain XML (so it
+is not an escalation of privilege).  But in the case of
+fine-grained ACLs, it is feasible that a user can be granted
+storage_vol:create but not domain:write, and it violates
+assumptions if such a user can abuse libvirt to access files
+outside of the storage pool.
+
+Therefore, prevent all use of volume names that contain "/",
+whether or not such a name is actually attempting to escape the
+pool.
+
+This changes things from:
+
+$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
+Vol ../../../../../../etc/haha created
+$ rm /etc/haha
+
+to:
+
+$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
+error: Failed to create vol ../../../../../../etc/haha
+error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/'
+
+Signed-off-by: Eric Blake <eblake at redhat.com>
+---
+ src/storage/storage_backend_fs.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/src/storage/storage_backend_fs.c
++++ b/src/storage/storage_backend_fs.c
+@@ -1,7 +1,7 @@
+ /*
+  * storage_backend_fs.c: storage backend for FS and directory handling
+  *
+- * Copyright (C) 2007-2014 Red Hat, Inc.
++ * Copyright (C) 2007-2015 Red Hat, Inc.
+  * Copyright (C) 2007-2008 Daniel P. Berrange
+  *
+  * This library is free software; you can redistribute it and/or
+@@ -1005,6 +1005,14 @@ virStorageBackendFileSystemVolCreate(vir
+ 
+     vol->type = VIR_STORAGE_VOL_FILE;
+ 
++    /* Volumes within a directory pools are not recursive; do not
++     * allow escape to ../ or a subdir */
++    if (strchr(vol->name, '/')) {
++        virReportError(VIR_ERR_OPERATION_INVALID,
++                       _("volume name '%s' cannot contain '/'"), vol->name);
++        return -1;
++    }
++
+     VIR_FREE(vol->target.path);
+     if (virAsprintf(&vol->target.path, "%s/%s",
+                     pool->def->target.path,
diff --git a/debian/patches/series b/debian/patches/series
index bac1f34..69667f6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -31,3 +31,4 @@ upstream/Teach-virt-aa-helper-to-use-TEMPLATE.qemu-if-the-dom.patch
 Allow-access-to-libnl-3-config-files.patch
 Fix-crash-on-live-migration.patch
 upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
+security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libvirt.git

More information about the Pkg-libvirt-commits mailing list