Libguestfs - Oct 2013 - ANNOUNCE: CVE-2013-4419: insecure temporary directory handling for guestfish's network socket

This issue has been assigned CVE-2013-4419.

https://bugzilla.redhat.com/show_bug.cgi?id=1016960
(Note this bug is private, but will be made public shortly)

----------------------------------------------------------------------

When using the guestfish --remote or guestfish --listen options,
guestfish would create a socket in a known location
(/tmp/.guestfish-$UID/socket-$PID).

The location has to be a known one in order for both ends to
communicate.  However no checking was done that the containing
directory (/tmp/.guestfish-$UID) is owned by the user.  Thus another
user could create this directory and potentially modify sockets owned
by another user's guestfish client or server.

Thanks: Michael Scherer for discovering this issue.

----------------------------------------------------------------------

You can remediate this issue in one of three ways:

(1) Apply the attached patch to libguestfs and rebuild from source.

(2) Run the following command on your system before using the
guestfish --listen option.  Pay attention to any errors from mkdir,
which might indicate that the directory has been hijacked.

    rm -rf /tmp/.guestfish-`id -u`
    mkdir -m 0700 /tmp/.guestfish-`id -u`

(3) Wait for new packages to become available shortly.  This afternoon
I will build packages for Fedora, which will be available through
updates-testing.  Packages will be available for RHEL 6 shortly
through RHEL channels.  Debian and SuSE maintainers were made aware of
this issue and will provide packages.

----------------------------------------------------------------------

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org