[Libvirt-announce] LSN-2014-0002: Missing access control check on events

Daniel P. Berrange berrange at redhat.com
Fri Jan 17 14:30:33 UTC 2014


        Libvirt Security Notice: LSN-2014-0002
        ======================================

       Summary: Missing access control check on events
   Reported on: 20140103
  Published on: 20140115
      Fixed on: 20140115
   Reported by: Eric Blake <eblake at redhat.com>                    
    Patched by: Eric Blake <eblake at redhat.com>                
      See also: CVE-2014-0028

Description
-----------

The asynchronous events were not filtered based on any permission
check prior to being dispatched to the client. This could lead to
the client learning about the existence of domains that they are not
authorized to see.
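
The flaw described above, as an added illustration in C. This is not libvirt's code; the types, function names and sample domains are constructed for this example. A dispatcher that forwards every queued event leaks domain names, while one that applies the client's per-domain check before sending does not.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only: these types and names are not libvirt's. */
struct client { const char *name; const char *visible[4]; /* NULL-terminated ACL */ };
struct event  { const char *domain; };
/* Constructed sample data: one restricted client, three queued events. */
static const struct client tenant_a = { "tenant-a", { "web01", NULL } };
static const struct event queue[] = { {"web01"}, {"db-tenant-b"}, {"vault"} };
#define N_EVENTS (sizeof(queue) / sizeof(queue[0]))

/* The per-object check that listing or lookup would apply for this client. */
static bool client_may_see(const struct client *c, const char *domain)
{
    for (size_t i = 0; i < 4 && c->visible[i]; i++)
        if (strcmp(c->visible[i], domain) == 0)
            return true;
    return false;
}

/* Deliver events to one client; check_acl == false models the missing filter. */
size_t dispatch(const struct client *c, bool check_acl, const char *out[])
{
    size_t sent = 0;
    for (size_t i = 0; i < N_EVENTS; i++) {
        if (check_acl && !client_may_see(c, queue[i].domain))
            continue; /* drop: the client must not learn this name */
        out[sent++] = queue[i].domain;
    }
    return sent;
}

/* Count delivered events naming a domain outside the client's ACL. */
size_t leaked_domains(const struct client *c, bool check_acl)
{
    const char *out[N_EVENTS];
    size_t n = dispatch(c, check_acl, out), leaks = 0;
    for (size_t i = 0; i < n; i++)
        leaks += !client_may_see(c, out[i]);
    return leaks;
}

int main(void)
{
    printf("leaked: %zu unfiltered, %zu filtered\n",
           leaked_domains(&tenant_a, false), leaked_domains(&tenant_a, true));
    return 0;
}
```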

Impact
------

A client can use events to learn of domains that they are not
authorized to see.

Workaround
----------

Prevent untrusted clients from connecting to libvirtd.

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v1.1.0
   Broken in: v1.1.1
   Broken in: v1.1.2
   Broken in: v1.1.3
   Broken in: v1.1.4
   Broken in: v1.2.0
    Fixed in: v1.2.1
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: f9f56340539d609cdc2e9d4ab812b9f146c3f100

      Branch: v1.1.0-maint
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: cdf29d950c247d06aaa69778238d7cc164c05291

      Branch: v1.1.1-maint
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: 1d0e4fbf9572ad34045a4f9d87601297a5244c38

      Branch: v1.1.2-maint
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: fb5a3190c6409897744a244c6e0d5e2d52d34b39

      Branch: v1.1.3-maint
   Broken in: v1.1.3.1
   Broken in: v1.1.3.2
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: 51afa9a255d7a073373ad4533eff58bd819890e8

      Branch: v1.1.4-maint
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: 7ccc13599652722d6aa000b61270c0786d610b9e

      Branch: v1.2.0-maint
   Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
    Fixed by: eb7ec2312ba968c745031c7432b4fd007cd52d3a


-- 
|: Http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|



