Libvirt Security Notice: LSN-2014-0002
======================================
Summary: Missing access control check on events
Reported on: 20140103
Published on: 20140115
Fixed on: 20140115
Reported by: Eric Blake <eblake(a)redhat.com>
Patched by: Eric Blake <eblake(a)redhat.com>
See also: CVE-2014-0028
Description
-----------
The asynchronous events were not filtered based on any permission
check prior to being dispatched to the client. This could lead to
the client learning about the existence of domains that they are not
authorized to see.
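
The flaw and its correction in miniature, as an added example that is not libvirt's own code: the types, function names and domain names are hypothetical, and the sample data is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types for illustration; not libvirt's own structures. */
struct client {
    const char *visible[4];  /* domains the ACL lets this client see; unused slots NULL */
    const char *last_seen;   /* domain named in the last event delivered to it */
};
struct event { const char *domain; };

/* Permission check: may this client learn that ev's domain exists? */
static bool client_may_see(const struct client *c, const struct event *ev)
{
    for (size_t i = 0; i < 4 && c->visible[i]; i++)
        if (strcmp(c->visible[i], ev->domain) == 0)
            return true;
    return false;
}

/* Deliver ev and return the delivery count; filter=false is the flawed behaviour. */
int dispatch(struct client *subs, size_t n, const struct event *ev, bool filter)
{
    int sent = 0;
    for (size_t i = 0; i < n; i++) {
        /* Skip silently: an error reply would itself reveal the domain. */
        if (filter && !client_may_see(&subs[i], ev))
            continue;
        subs[i].last_seen = ev->domain;
        sent++;
    }
    return sent;
}

/* Constructed scenario: the tenant has no permission on "finance-db". */
bool tenant_learns_hidden_domain(bool filter)
{
    struct client subs[2] = { { { "web01", "finance-db" }, NULL },   /* admin */
                              { { "web01" }, NULL } };               /* tenant */
    struct event ev = { "finance-db" };
    dispatch(subs, 2, &ev, filter);
    return subs[1].last_seen != NULL;
}

int main(void)
{
    printf("unfiltered leak=%d, filtered leak=%d\n", tenant_learns_hidden_domain(false), tenant_learns_hidden_domain(true));
}
```
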
Impact
------
A client can use events to learn of domains that they are not
authorized to see.
Workaround
----------
Prevent untrusted clients from connecting to libvirtd.
Affected product
----------------
Name: libvirt
Repository:
  git://libvirt.org/git/libvirt.git
  http://libvirt.org/git/?p=libvirt.git

Branch: master
  Broken in: v1.1.0
  Broken in: v1.1.1
  Broken in: v1.1.2
  Broken in: v1.1.3
  Broken in: v1.1.4
  Broken in: v1.2.0
  Fixed in: v1.2.1
  Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
  Fixed by: f9f56340539d609cdc2e9d4ab812b9f146c3f100

Branch: v1.1.0-maint
  Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
  Fixed by: cdf29d950c247d06aaa69778238d7cc164c05291

Branch: v1.1.1-maint
  Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
  Fixed by: 1d0e4fbf9572ad34045a4f9d87601297a5244c38

Branch: v1.1.2-maint
  Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
  Fixed by: fb5a3190c6409897744a244c6e0d5e2d52d34b39

Branch: v1.1.3-maint
  Broken in: v1.1.3.1
  Broken in: v1.1.3.2
  Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
  Fixed by: 51afa9a255d7a073373ad4533eff58bd819890e8

Branch: v1.1.4-maint
  Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
  Fixed by: 7ccc13599652722d6aa000b61270c0786d610b9e

Branch: v1.2.0-maint
  Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
  Fixed by: eb7ec2312ba968c745031c7432b4fd007cd52d3a