[Libguestfs] CVE-2015-5745: Vulnerability in qemu virtio-serial feature could affect libguestfs

Richard W.M. Jones rjones at redhat.com
Thu Aug 6 15:34:02 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1251157

This is not a vulnerability in libguestfs, but because we always give
a virtio-serial port to each guest (since that is how guest-host
communication happens), an escalation from the appliance to the host
qemu process is possible.  This could affect you if:

 - your libguestfs program runs untrusted programs out of the guest
   (e.g. using guestfs_sh etc.)

 - another exploit was found in (e.g.) kernel filesystem code that
   allowed a malformed filesystem to take over the appliance

If you use sVirt to confine qemu, that would thwart some/all attacks.

Patching qemu recommended.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org



