[Libguestfs] FYI: CVE-2012-2690: virt-edit / guestfish edit didn't preserve permissions on edited files.
Richard W.M. Jones
rjones at redhat.com
Thu Jun 14 11:25:25 UTC 2012
Old versions of both virt-edit and the guestfish "edit" command
created a new file containing the changes but did not set the
permissions, etc. of the new file to match the old one. The result of
this was that if you edited a security sensitive file such as
"/etc/shadow" then it would be left world-readable after the edit.

This issue was assigned CVE-2012-2690, and is fixed in
libguestfs >= 1.16.

For further information, see
https://bugzilla.redhat.com/show_bug.cgi?id=788642

Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
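
The edit-by-replacement pattern described in this message, shown beside a form that copies ownership and mode onto the new file before the rename. This is an added example, not libguestfs code and not part of the original post; the function names and the sample file are constructed, and only mode and ownership are handled (not ACLs or security labels).

```python
import os
import stat
import tempfile

def edit_naive(path, new_text):
    """'Before' pattern: the new file's mode comes from the umask, not the original."""
    tmp = path + ".new"
    with open(tmp, "w") as f:
        f.write(new_text)
    os.rename(tmp, path)

def edit_preserving(path, new_text):
    """Hardened pattern: copy owner and mode onto the new file before the rename."""
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")  # created 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_text)
            f.flush()
            # chown first: changing ownership can clear setuid/setgid bits
            os.fchown(f.fileno(), st.st_uid, st.st_gid)
            os.fchmod(f.fileno(), stat.S_IMODE(st.st_mode))
        os.rename(tmp, path)  # the path never names a file with looser permissions
    except BaseException:
        os.unlink(tmp)
        raise

def demo():
    """Edit a constructed 0600 file both ways; return the resulting modes."""
    old_umask = os.umask(0o022)  # typical default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            modes = []
            for edit in (edit_naive, edit_preserving):
                path = os.path.join(d, "shadow-" + edit.__name__)  # constructed sample
                with open(path, "w") as f:
                    f.write("root:!:19000::::::\n")
                os.chmod(path, 0o600)
                edit(path, "root:!:19001::::::\n")
                modes.append(stat.S_IMODE(os.stat(path).st_mode))
            return tuple(modes)
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    naive, preserved = demo()
    print(f"naive edit: {naive:04o}  preserving edit: {preserved:04o}")
```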