[Libguestfs] ANNOUNCE: CVE-2013-4419: insecure temporary directory handling for guestfish's network socket

This issue has been assigned CVE-2013-4419. https://bugzilla.redhat.com/show_bug.cgi?id=1016960 (Note this bug is private, but will be made public shortly) ---------------------------------------------------------------------- When using the guestfish --remote or guestfish --listen options, guestfish would create a socket in a known location (/tmp/.guestfish-$UID/socket-$PID). The location has to be a known one in order for both ends to communicate. However no checking was done that the containing directory (/tmp/.guestfish-$UID) is owned by the user. Thus another user could create this directory and potentially modify sockets owned by another user's guestfish client or server. Thanks: Michael Scherer for discovering this issue. ---------------------------------------------------------------------- You can remediate this issue in one of three ways: (1) Apply the attached patch to libguestfs and rebuild from source. (2) Run the following command on your system before using the guestfish --listen option. Pay attention to any errors from mkdir, which might indicate that the directory has been hijacked. rm -rf /tmp/.guestfish-`id -u` mkdir -m 0700 /tmp/.guestfish-`id -u` (3) Wait for new packages to become available shortly. This afternoon I will build packages for Fedora, which will be available through updates-testing. Packages will be available for RHEL 6 shortly through RHEL channels. Debian and SuSE maintainers were made aware of this issue and will provide packages. ---------------------------------------------------------------------- Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org