Red Hat Security Advisory: libguestfs security, bug fix, and enhancement update Security Advisory secalert@redhat.com Red Hat Security Response Team RHSA-2012:0774 Final 4 4 2012-06-20T08:18:00Z Current version 2012-06-20T08:18:00Z 2012-06-20T08:18:00Z Red Hat rhsa-to-cvrf 1.0.1484 2012-06-20T09:00:33Z Updated libguestfs packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. libguestfs is a library for accessing and modifying guest disk images. It was found that editing files with virt-edit left said files in a world-readable state (and did not preserve the file owner or Security-Enhanced Linux context). If an administrator on the host used virt-edit to edit a file inside a guest, the file would be left with world-readable permissions. This could lead to unprivileged guest users accessing files they would otherwise be unable to. (CVE-2012-2690) These updated libguestfs packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.3 Technical Notes for information on the most significant of these changes. Users of libguestfs are advised to upgrade to these updated packages, which fix these issues and add these enhancements. Please see https://www.redhat.com/footer/terms-of-use.html Copyright © 2012 Red Hat, Inc. All rights reserved. Low https://rhn.redhat.com/errata/RHSA-2012-0774.html https://rhn.redhat.com/errata/RHSA-2012-0774.html https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/security/updates/classification/#low https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.3_Technical_Notes/libguestfs.html#RHSA-2012-0774 https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.3_Technical_Notes/libguestfs.html#RHSA-2012-0774 https://bugzilla.redhat.com/show_bug.cgi?id=647174 https://bugzilla.redhat.com/show_bug.cgi?id=647174 https://bugzilla.redhat.com/show_bug.cgi?id=679737 https://bugzilla.redhat.com/show_bug.cgi?id=679737 https://bugzilla.redhat.com/show_bug.cgi?id=719879 https://bugzilla.redhat.com/show_bug.cgi?id=719879 https://bugzilla.redhat.com/show_bug.cgi?id=729076 https://bugzilla.redhat.com/show_bug.cgi?id=729076 https://bugzilla.redhat.com/show_bug.cgi?id=731742 https://bugzilla.redhat.com/show_bug.cgi?id=731742 https://bugzilla.redhat.com/show_bug.cgi?id=741183 https://bugzilla.redhat.com/show_bug.cgi?id=741183 https://bugzilla.redhat.com/show_bug.cgi?id=760221 https://bugzilla.redhat.com/show_bug.cgi?id=760221 https://bugzilla.redhat.com/show_bug.cgi?id=769359 https://bugzilla.redhat.com/show_bug.cgi?id=769359 https://bugzilla.redhat.com/show_bug.cgi?id=785305 https://bugzilla.redhat.com/show_bug.cgi?id=785305 https://bugzilla.redhat.com/show_bug.cgi?id=785668 https://bugzilla.redhat.com/show_bug.cgi?id=785668 https://bugzilla.redhat.com/show_bug.cgi?id=789960 https://bugzilla.redhat.com/show_bug.cgi?id=789960 https://bugzilla.redhat.com/show_bug.cgi?id=790958 https://bugzilla.redhat.com/show_bug.cgi?id=790958 https://bugzilla.redhat.com/show_bug.cgi?id=795322 https://bugzilla.redhat.com/show_bug.cgi?id=795322 https://bugzilla.redhat.com/show_bug.cgi?id=796520 https://bugzilla.redhat.com/show_bug.cgi?id=796520 https://bugzilla.redhat.com/show_bug.cgi?id=797760 https://bugzilla.redhat.com/show_bug.cgi?id=797760 https://bugzilla.redhat.com/show_bug.cgi?id=798197 https://bugzilla.redhat.com/show_bug.cgi?id=798197 https://bugzilla.redhat.com/show_bug.cgi?id=798980 https://bugzilla.redhat.com/show_bug.cgi?id=798980 https://bugzilla.redhat.com/show_bug.cgi?id=799695 https://bugzilla.redhat.com/show_bug.cgi?id=799695 https://bugzilla.redhat.com/show_bug.cgi?id=799798 https://bugzilla.redhat.com/show_bug.cgi?id=799798 https://bugzilla.redhat.com/show_bug.cgi?id=801273 https://bugzilla.redhat.com/show_bug.cgi?id=801273 https://bugzilla.redhat.com/show_bug.cgi?id=801788 https://bugzilla.redhat.com/show_bug.cgi?id=801788 https://bugzilla.redhat.com/show_bug.cgi?id=803699 https://bugzilla.redhat.com/show_bug.cgi?id=803699 https://bugzilla.redhat.com/show_bug.cgi?id=807557 https://bugzilla.redhat.com/show_bug.cgi?id=807557 https://bugzilla.redhat.com/show_bug.cgi?id=807905 https://bugzilla.redhat.com/show_bug.cgi?id=807905 https://bugzilla.redhat.com/show_bug.cgi?id=809401 https://bugzilla.redhat.com/show_bug.cgi?id=809401 https://bugzilla.redhat.com/show_bug.cgi?id=811112 https://bugzilla.redhat.com/show_bug.cgi?id=811112 https://bugzilla.redhat.com/show_bug.cgi?id=811117 https://bugzilla.redhat.com/show_bug.cgi?id=811117 https://bugzilla.redhat.com/show_bug.cgi?id=811673 https://bugzilla.redhat.com/show_bug.cgi?id=811673 https://bugzilla.redhat.com/show_bug.cgi?id=812092 https://bugzilla.redhat.com/show_bug.cgi?id=812092 https://bugzilla.redhat.com/show_bug.cgi?id=813329 https://bugzilla.redhat.com/show_bug.cgi?id=813329 Red Hat Enterprise Linux Desktop Optional (v. 6) Red Hat Enterprise Linux HPC Node Optional (v. 6) Red Hat Enterprise Linux Workstation Optional (v. 6) Red Hat Enterprise Linux Workstation (v. 6) Red Hat Enterprise Linux HPC Node (v. 6) Red Hat Enterprise Linux Server Optional (v. 6) Red Hat Enterprise Linux Desktop (v. 6) Red Hat Enterprise Linux Server (v. 6) libguestfs-1.16.19-1.el6.src.rpm libguestfs-1.16.19-1.el6 as a component of Red Hat Enterprise Linux Desktop Optional (v. 6) libguestfs-1.16.19-1.el6 as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6) libguestfs-1.16.19-1.el6 as a component of Red Hat Enterprise Linux Workstation Optional (v. 6) libguestfs-1.16.19-1.el6 as a component of Red Hat Enterprise Linux Workstation (v. 6) libguestfs-1.16.19-1.el6 as a component of Red Hat Enterprise Linux HPC Node (v. 6) libguestfs-1.16.19-1.el6 as a component of Red Hat Enterprise Linux Server Optional (v. 6) libguestfs-1.16.19-1.el6 as a component of Red Hat Enterprise Linux Desktop (v. 6) libguestfs-1.16.19-1.el6 as a component of Red Hat Enterprise Linux Server (v. 6) It was found that editing files with virt-edit left said files in a world-readable state (and did not preserve the file owner or Security-Enhanced Linux context). If an administrator on the host used virt-edit to edit a file inside a guest, the file would be left with world-readable permissions. This could lead to unprivileged guest users accessing files they would otherwise be unable to. 2012-06-11T00:00:00Z 2012-02-08T00:00:00Z CVE-2012-2690 6Client-optional:libguestfs-1.16.19-1.el6 6Client:libguestfs-1.16.19-1.el6 6ComputeNode-optional:libguestfs-1.16.19-1.el6 6ComputeNode:libguestfs-1.16.19-1.el6 6Server-optional:libguestfs-1.16.19-1.el6 6Server:libguestfs-1.16.19-1.el6 6Workstation-optional:libguestfs-1.16.19-1.el6 6Workstation:libguestfs-1.16.19-1.el6 Low 4.0 AV:L/AC:H/Au:N/C:C/I:N/A:N Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-0774.html https://www.redhat.com/security/data/cve/CVE-2012-2690.html CVE-2012-2690 https://bugzilla.redhat.com/show_bug.cgi?id=831117 bz#831117: CVE-2012-2690 libguestfs: virt-edit creates a new file, when it is used leading to loss of file attributes (permissions, owner, SELinux context etc.)