Your message dated Tue, 26 Feb 2013 10:32:50 +0000
with message-id <[email protected]>
and subject line Bug#701649: fixed in libvirt 1.0.2-3
has caused the Debian Bug report #701649,
regarding libvirt-bin - libvirtd changes permissions of devices to
libvirt-qemu:kvm (CVE-2013-1766)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
701649: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701649
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libvirt-bin
Version: 1.0.2-2
Severity: critical
Tags: security
libvirtd changes the permissions of lvm devices it assigns to guests to
libvirt-qemu:kvm. kvm is a general group and not restricted to libvirt.
This allows other users write access to these devices.
I'm right now unsure if the Wheezy version is affected.
| brw-rw---T 1 libvirt-qemu kvm 254, 11 Feb 25 17:08 /dev/dm-11
| brw-rw---T 1 libvirt-qemu kvm 254, 12 Feb 25 17:50 /dev/dm-12
Bastian
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.7-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
Source: libvirt
Source-Version: 1.0.2-3
We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guido Günther <[email protected]> (supplier of updated libvirt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 26 Feb 2013 09:32:59 +0100
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev
python-libvirt libvirt-sanlock
Architecture: source all i386
Version: 1.0.2-3
Distribution: experimental
Urgency: low
Maintainer: Debian Libvirt Maintainers
<[email protected]>
Changed-By: Guido Günther <[email protected]>
Description:
libvirt-bin - programs for the libvirt library
libvirt-dev - development files for the libvirt library
libvirt-doc - documentation for the libvirt library
libvirt-sanlock - library for interfacing with different virtualization systems
libvirt0 - library for interfacing with different virtualization systems
libvirt0-dbg - library for interfacing with different virtualization systems
python-libvirt - libvirt Python bindings
Closes: 701649
Changes:
libvirt (1.0.2-3) experimental; urgency=low
.
* [6270001] CVE-2013-1766: Use libvirt-qemu as group to run qemu/kvm
instances. This makes sure we don't chown files to groups possibly used
by other programs. (Closes: #701649)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFRLHskn88szT8+ZCYRAshiAKCCDJKykvM37rFpHcrpKVQhTY5qRgCfTO7U
UJmwSM2V830o3d+tdfMBJsw=
=Do7x
-----END PGP SIGNATURE-----
--- End Message ---
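
An added example, not part of the original messages or of libvirt: a small audit that flags block devices whose group has read or write access and includes accounts other than the qemu service user, which is the condition the report describes and the 1.0.2-3 group change removes. The `/etc/group` excerpt, the user `alice`, the GIDs and the post-fix device line are constructed for illustration.

```python
import re

# Block-device line from `ls -l`, as quoted in the report, e.g.
# brw-rw---T 1 libvirt-qemu kvm 254, 11 Feb 25 17:08 /dev/dm-11
LS_BLOCK = re.compile(
    r"^b(?P<perm>[-rwxsStT]{9})\S*\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+,\s*\d+\s+.*?(?P<path>/\S+)$"
)

def parse_group_file(lines):
    """Map group name -> supplementary members from /etc/group-format lines."""
    groups = {}
    for line in lines:
        name, _pw, _gid, members = line.strip().split(":")
        groups[name] = [m for m in members.split(",") if m]
    return groups

def audit(ls_lines, group_lines, service_user="libvirt-qemu"):
    """Return (path, group, other_members) for each block device whose group
    has read or write access and contains accounts besides service_user."""
    groups = parse_group_file(group_lines)
    findings = []
    for line in ls_lines:
        m = LS_BLOCK.match(line.lstrip("| ").rstrip())
        if not m:
            continue
        perm = m["perm"]                      # perm[3:6] are the group bits
        group_access = perm[3] == "r" or perm[4] == "w"
        others = [u for u in groups.get(m["group"], []) if u != service_user]
        if group_access and others:
            findings.append((m["path"], m["group"], others))
    return findings

# Device lines as they appear in the report.
REPORTED = [
    "| brw-rw---T 1 libvirt-qemu kvm 254, 11 Feb 25 17:08 /dev/dm-11",
    "| brw-rw---T 1 libvirt-qemu kvm 254, 12 Feb 25 17:50 /dev/dm-12",
]
# Constructed: the same device after the group change described in the changelog.
FIXED = ["brw-rw---T 1 libvirt-qemu libvirt-qemu 254, 11 Feb 25 17:08 /dev/dm-11"]
# Constructed /etc/group excerpt; "alice" is a hypothetical non-libvirt user.
GROUPS = ["kvm:x:106:alice,libvirt-qemu", "libvirt-qemu:x:107:"]

if __name__ == "__main__":
    for path, group, others in audit(REPORTED, GROUPS):
        print(f"{path}: group {group} also contains {', '.join(others)}")
    print("after fix:", audit(FIXED, GROUPS))
```

`/etc/group` lists only supplementary members, so accounts that have the group as their primary GID in `/etc/passwd` have to be checked separately.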