[Libguestfs] FYI: CVE-2012-2690: virt-edit / guestfish edit didn't preserve permissions on edited files.

Richard W.M. Jones rjones at redhat.com
Thu Jun 14 11:25:25 UTC 2012


Old versions of both virt-edit and the guestfish "edit" command
created a new file containing the changes but did not set the
permissions, etc of the new file to match the old one.  The result of
this was that if you edited a security sensitive file such as
"/etc/shadow" then it would be left world-readable after the edit.

This issue was assigned CVE-2012-2690, and is fixed in
libguestfs >= 1.16.

For further information, see

https://bugzilla.redhat.com/show_bug.cgi?id=788642

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v




More information about the Libguestfs mailing list