CVE-2013-1766

Source: ubuntu.com (ubuntucve, UB:CVE-2013-1766)
Published: Mar 20, 2013 - 12:00 a.m.

CVSS2: 3.6 Low (AV:L/AC:L/Au:N/C:N/I:P/A:P)

Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.0004 Low (Percentile: 5.1%)

libvirt 1.0.2 and earlier sets the group owner to kvm for device files,
which allows local users to write to these files via unspecified vectors.

Notes

jdstrand: Debian bug report states this is a problem because the kvm group is a general-purpose group and therefore changing device group ownership exposes these devices to other groups on the system. The kvm group on Ubuntu has been used since Ubuntu 10.10. Debian’s solution is to update the packaging to add a new libvirt-qemu group, have the libvirt-qemu user be in the libvirt-qemu group as a secondary group, then use as a configure option: --with-qemu-group=libvirt-qemu. This is too intrusive for a stable release for an arguably marginal security gain.
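
An added example, not part of the Ubuntu entry or of libvirt: a Python audit that lists the block and character device nodes under /dev that are group-owned by kvm and group-writable, together with the accounts listed as members of that group. The group name kvm comes from the entry; the function names and the default root /dev are assumptions of this example.

```python
import grp
import os
import stat


def is_exposed(mode, gid, target_gid):
    """True for a block/char device owned by target_gid with group write set."""
    is_device = stat.S_ISBLK(mode) or stat.S_ISCHR(mode)
    return is_device and gid == target_gid and bool(mode & stat.S_IWGRP)


def audit(entries, target_gid):
    """entries: iterable of (path, st_mode, st_gid). Returns exposed paths, sorted."""
    return sorted(p for p, mode, gid in entries if is_exposed(mode, gid, target_gid))


def scan(root="/dev"):
    """Yield (path, mode, gid) for each non-directory under root, not following symlinks."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # node vanished or is unreadable; skip it
            yield path, st.st_mode, st.st_gid


def report(group_name="kvm", root="/dev"):
    """Return (members, exposed_paths) for group_name, or None if the group is absent."""
    try:
        group = grp.getgrnam(group_name)
    except KeyError:
        return None
    # gr_mem lists supplementary members only; accounts whose primary
    # group is group_name are not included here.
    return list(group.gr_mem), audit(scan(root), group.gr_gid)


if __name__ == "__main__":
    result = report()
    if result is None:
        raise SystemExit("no kvm group on this host")
    members, exposed = result
    print("kvm members:", ", ".join(members) or "(none listed)")
    for path in exposed:
        # /dev/kvm itself is commonly root:kvm 0660; other nodes are the ones to review.
        print("group-writable by kvm:", path)
```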
