Richard W.M. Jones
2012-Jun-14 11:25 UTC
[Libguestfs] FYI: CVE-2012-2690: virt-edit / guestfish edit didn't preserve permissions on edited files.
Old versions of both virt-edit and the guestfish "edit" command created a new file containing the changes but did not set the permissions, etc of the new file to match the old one. The result of this was that if you edited a security sensitive file such as "/etc/shadow" then it would be left world-readable after the edit. This issue was assigned CVE-2012-2690, and is fixed in libguestfs >= 1.16. For further information, see https://bugzilla.redhat.com/show_bug.cgi?id=788642 Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into Xen guests. http://et.redhat.com/~rjones/virt-p2v
Seemingly Similar Threads
- [p2v PATCH] tests: require virt-v2v for functional tests
- FYI: Some changes to libguestfs / libguestfs-winsupport / virt-v2v / virt-p2v in RHEL 7.2
- ANNOUNCE: CVE-2013-4419: insecure temporary directory handling for guestfish's network socket
- Fix virt-edit so it preserves permissions (RHBZ#788641)
- ANNOUNCE: libguestfs 1.20 - tools for accessing and modifying virtual machine disk images
Wisdom of the Ancients
