CVE-2015-5313 in Ubuntu

CVE-2015-5313

Priority

Description

Directory traversal vulnerability in the
virStorageBackendFileSystemVolCreate function in
storage/storage_backend_fs.c in libvirt, when fine-grained Access Control
Lists (ACL) are in effect, allows local users with storage_vol:create ACL
but not domain:write permission to write to arbitrary files via a .. (dot
dot) in a volume name.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5313
http://security.libvirt.org/2015/0004.html
https://usn.ubuntu.com/usn/usn-2867-1

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808273

Assigned-to

mdeslaur

Notes

Package

Source: libvirt (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 14.04 ESM (Trusty Tahr):	released (1.2.2-0ubuntu13.1.16)
Ubuntu 16.04 LTS (Xenial Xerus):	released (1.2.21-2ubuntu5)

Patches:

Upstream:

https://libvirt.org/git/?p=libvirt.git;a=commit;h=034e47c338b13a95cf02106a3af912c1c5f818d7

More Information

Mitre
NVD
Launchpad
Debian

Updated: 2019-12-05 18:42:22 UTC (commit dd38ff22974aae499eb50644b9d5a2817483cbdb)