Richard W.M. Jones
2015-Aug-06 15:34 UTC
[Libguestfs] CVE-2015-5745: Vulnerability in qemu virtio-serial feature could affect libguestfs
https://bugzilla.redhat.com/show_bug.cgi?id=1251157 This is not a vulnerability in libguestfs, but because we always give a virtio-serial port to each guest (since that is how guest-host communication happens), an escalation from the appliance to the host qemu process is possible. This could affect you if: - your libguestfs program runs untrusted programs out of the guest (eg. using guestfs_sh etc) - another exploit was found in (eg) kernel filesystem code that allowed a malformed filesystem to take over the appliance If you use sVirt to confine qemu, that would thwart some/all attacks. Patching qemu recommended. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org
Possibly Parallel Threads
- ANNOUNCE: libguestfs 1.32 released
- [PATCH] customize: Create .ssh as 0700 and .ssh/authorized_keys as 0600 (RHBZ#1260778).
- NOTE: In libguestfs 1.19.41, the libvirt backend will have sVirt enabled by default
- does the openSSL security vulnerability (CVE-2014-0224) affect openssh?
- ANNOUNCE: libguestfs 1.20 - tools for accessing and modifying virtual machine disk images