Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2013-1766

Published: 20 March 2013

libvirt 1.0.2 and earlier sets the group owner to kvm for device files, which allows local users to write to these files via unspecified vectors.

Notes

AuthorNote
jdstrand 
Debian bug reports states this is a problem because the kvm group
is a general-purpose group and therefore changing device group ownership
exposes these devices to other groups on the system. The kvm group on Ubuntu
has been used since Ubuntu 10.10. Debian's solution is to update the
packaging to add a new libvirt-qemu groupi, have the libvirt-qemu user be
in the libvirt-qemu group as a secondary group, then use as a configure
option: --with-qemu-group=libvirt-qemu. This is too intrusive for a stable
release for an arguably marginal security gain.

Priority

Low

Status

Package Release Status
libvirt
Launchpad, Ubuntu, Debian 		hardy Ignored
(end of life)
lucid Not vulnerable

oneiric Ignored

precise Ignored

quantal Ignored

upstream
Released (1.0.2-3)

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading