[libvirt] LSN-2014-0009: CVE-2014-8135 crash when using virStorageVolUpload

Eric Blake eblake at redhat.com
Tue Dec 23 20:53:35 UTC 2014 

        Libvirt Security Notice: LSN-2014-0009
        ======================================

       Summary: crash when using virStorageVolUpload
   Reported on: 20141202
  Published on: 20141203
      Fixed on: 20141203
   Reported by: Pei Zhang <pzhang at redhat.com>
    Patched by: Luyao Huang <lhuang at redhat.com>
      See also: CVE-2014-8135

Description
-----------

Incorrect parameter validation of the virStorageVolUpload command
could cause libvirtd to attempt to dereference NULL.

Impact
------

When using fine-grained ACLs, a user that is permitted to modify
storage volumes but not create arbitrary domains can use bogus
parameters to cause a denial of service attack against more
privileged users.

Workaround
----------

Passing valid parameters to virStorageVolUpload will not trigger a
problem. It is also possible to prevent the denial of service by
stopping the use of the fine grained access control mechanism, or by
not granting users the storage_vol:data_write permission if they do
not also have the domain:write permission; doing this will not
prevent the crash for invalid parameters, but such a crash is no
longer a security attack.

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v1.2.8
   Broken in: v1.2.9
   Broken in: v1.2.10
    Fixed in: v1.2.11
   Broken by: 4a85bf3e2fa703fdc14e8c49d5017ef04832a1d7
    Fixed by: 87b9437f8951f9d24f9a85c6bbfff0e54df8c984

      Branch: v1.2.8-maint
   Broken by: 4a85bf3e2fa703fdc14e8c49d5017ef04832a1d7
    Fixed by: 05ba8c50b15f7078ba7981f550fc59c3dc74c469

      Branch: v1.2.9-maint
   Broken in: v1.2.9.1
   Broken by: 4a85bf3e2fa703fdc14e8c49d5017ef04832a1d7
    Fixed by: 584e876ba2057b472074dbf177d2397392d70363

      Branch: v1.2.10-maint
   Broken by: 4a85bf3e2fa703fdc14e8c49d5017ef04832a1d7
    Fixed by: c89df3695b397d155ca15ac174c983ae9a77387e


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 604 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20141223/45ea5394/attachment-0001.sig>

More information about the libvir-list mailing list