Libguestfs - Oct 2010 - CVE-2010-3851 libguestfs: missing disk format specifier when adding a disk

(This bug was found by Matthew Booth during routine code review)

We found a security issue which affects libguestfs programs in some
circumstances.  Since we don't pass the disk format through to qemu, a
malicious guest backed by raw-format storage might craft a qcow2
header into its own disk.  QEmu would interpret this, and qcow2 offers
a wide range of features such as accessing arbitrary backing files
from the host, allowing the guest to read a host file (under rather
narrow conditions, see below).

All versions of virt-v2v are vulnerable.  virt-inspector is vulnerable
for versions <= 1.5.3.  Other programs that use libguestfs may be
vulnerable.

You should review the bug below carefully to find out if you could be
affected, particularly the Description and Comment 1:

  https://bugzilla.redhat.com/show_bug.cgi?id=643958

A CVE has been allocated to this bug:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=+CVE-2010-3851

No fix is available at present, but we are working on one.  In the
meantime, avoid using libguestfs / tools on:

 - untrusted, malicious guests that use raw-format storage
 - where you are running commands from these guests
   (http://libguestfs.org/guestfs.3.html#running_commands)

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)
http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora