oss-sec mailing list archives

CVE request -- libguestfs: virt-edit doesn't preserve file permissions

From: Petr Matousek <pmatouse () redhat com>
Date: Mon, 11 Jun 2012 18:21:19 +0200

Description of the problem:
virt-edit creates a new file when it is used and thus does not
preserve file permissions, file owner and SELinux context on the
files that it was editing.

As a consequence, if certain security-sensitive files in the guest
were edited using virt-edit, they would become world-readable.

Proposed upstream patch:
https://www.redhat.com/archives/libguestfs/2012-February/msg00034.html

References:
https://www.redhat.com/archives/libguestfs/2012-February/msg00033.html
https://bugzilla.redhat.com/show_bug.cgi?id=788642

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team

Current thread:

CVE request -- libguestfs: virt-edit doesn't preserve file permissions Petr Matousek (Jun 11)
- Re: CVE request -- libguestfs: virt-edit doesn't preserve file permissions Kurt Seifried (Jun 11)