This issue has been assigned CVE-2013-4419.
https://bugzilla.redhat.com/show_bug.cgi?id=1016960
(Note this bug is private, but will be made public shortly)
----------------------------------------------------------------------
When using the guestfish --remote or guestfish --listen options,
guestfish would create a socket in a known location
(/tmp/.guestfish-$UID/socket-$PID).
The location has to be a known one in order for both ends to
communicate. However no checking was done that the containing
directory (/tmp/.guestfish-$UID) is owned by the user. Thus another
user could create this directory and potentially modify sockets owned
by another user's guestfish client or server.
Thanks: Michael Scherer for discovering this issue.
----------------------------------------------------------------------
You can remediate this issue in one of three ways:
(1) Apply the attached patch to libguestfs and rebuild from source.
(2) Run the following command on your system before using the
guestfish --listen option. Pay attention to any errors from mkdir,
which might indicate that the directory has been hijacked.
rm -rf /tmp/.guestfish-`id -u`
mkdir -m 0700 /tmp/.guestfish-`id -u`
(3) Wait for new packages to become available shortly. This afternoon
I will build packages for Fedora, which will be available through
updates-testing. Packages will be available for RHEL 6 shortly
through RHEL channels. Debian and SuSE maintainers were made aware of
this issue and will provide packages.
----------------------------------------------------------------------
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages.
http://libguestfs.org