Security Advisory Moderate: libguestfs security, bug fix, and enhancement update

Advisory: RHSA-2013:1536-2
Type: Security Advisory
Severity: Moderate
Issued on: 2013-11-21
Last updated on: 2013-11-21
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2013-4419

Details

Updated libguestfs packages that fix one security issue, several bugs, and
add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Libguestfs is a library and set of tools for accessing and modifying guest
disk images.

It was found that guestfish, which enables shell scripting and command line
access to libguestfs, insecurely created the temporary directory used to
store the network socket when started in server mode. A local attacker
could use this flaw to intercept and modify another user's guestfish commands,
allowing them to perform arbitrary guestfish actions with the privileges of
a different user, or use this flaw to obtain authentication credentials.
(CVE-2013-4419)
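
One defensive pattern for a per-user socket directory in a shared temporary location is to create it with mode 0700 and then vet it with lstat() before binding anything inside it. The C code below is an added example, not code from libguestfs or from this advisory; the function names and the scratch path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not libguestfs code). Returns 0 only if `path`
 * ends up as a real directory owned by the caller with mode exactly
 * 0700; returns -1 otherwise, and the caller must not bind a socket. */
int make_private_sockdir(const char *path)
{
    struct stat st;
    /* An existing entry is tolerated here and vetted below. */
    if (mkdir(path, 0700) == -1 && errno != EEXIST) return -1;
    /* lstat, not stat: a planted symlink must be seen as a symlink. */
    if (lstat(path, &st) == -1) return -1;
    if (!S_ISDIR(st.st_mode)) return -1;          /* symlink, file, ... */
    if (st.st_uid != geteuid()) return -1;        /* pre-created by another user */
    if ((st.st_mode & 07777) != 0700) return -1;  /* group/other access */
    return 0;
}

/* Constructed scenarios in a scratch directory; returns how many
 * behaved as expected (4 of 4 when the checks work). */
int run_scenarios(void)
{
    char base[] = "/tmp/sockdir-demo-XXXXXX", p[128];
    int ok = 0;
    if (!mkdtemp(base)) return -1;
    snprintf(p, sizeof p, "%s/fresh", base);
    ok += make_private_sockdir(p) == 0;        /* newly created */
    ok += make_private_sockdir(p) == 0;        /* reused, still private */
    chmod(p, 0755);
    ok += make_private_sockdir(p) == -1;       /* readable by others */
    rmdir(p);
    snprintf(p, sizeof p, "%s/link", base);
    if (symlink(base, p) != 0) return -1;
    ok += make_private_sockdir(p) == -1;       /* symlink to a directory */
    unlink(p);
    rmdir(base);
    return ok;
}

int main(void)
{
    printf("%d of 4 scenarios behaved as expected\n", run_scenarios());
    return 0;
}
```

The ownership and mode checks matter most on the EEXIST path, where the directory may have been created by someone other than the caller.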

This issue was discovered by Michael Scherer of the Red Hat Regional IT
team.

These updated libguestfs packages include numerous bug fixes and
enhancements. Space precludes documenting all of these changes in this
advisory. Users are directed to the Red Hat Enterprise Linux 6.5 Technical
Notes, linked to in the References, for information on the most significant
of these changes.

All libguestfs users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues and add these
enhancements.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
libguestfs-1.20.11-2.el6.src.rpm
File outdated by: RHBA-2015:1444

x86_64:
libguestfs-1.20.11-2.el6.x86_64.rpm
File outdated by: RHBA-2015:1444
libguestfs-debuginfo-1.20.11-2.el6.x86_64.rpm
File outdated by: RHBA-2015:1444
libguestfs-devel-1.20.11-2.el6.x86_64.rpm
File outdated by: RHBA-2015:1444
libguestfs-java-1.20.11-2.el6.x86_64.rpm
File outdated by: RHBA-2015:1444
libguestfs-java-devel-1.20.11-2.el6.x86_64.rpm
File outdated by: RHBA-2015:1444
libguestfs-javadoc-1.20.11-2.el6.x86_64.rpm
File outdated by: RHBA-2015:1444
libguestfs-tools-1.20.11-2.el6.x86_64.rpm
File outdated by: RHBA-2015:1444
libguestfs-tools-c-1.20.11-2.el6.x86_64.rpm
File outdated by: RHBA-2015:1444
ocaml-libguestfs-1.20.11-2.el6.x86_64.rpm
File outdated by: RHBA-2015:1444
ocaml-libguestfs-devel-1.20.11-2.el6.x86_64.rpm
File outdated by: RHBA-2015:1444
perl-Sys-Guestfs-1.20.11-2.el6.x86_64.rpm
File outdated by: RHBA-2015:1444
python-libguestfs-1.20.11-2.el6.x86_64.rpm
File outdated by: RHBA-2015:1444
ruby-libguestfs-1.20.11-2.el6.x86_64.rpm
File outdated by: RHBA-2015:1444
 
Red Hat Enterprise Linux HPC Node (v. 6)

Same SRPMS and x86_64 packages as listed for Red Hat Enterprise Linux Desktop (v. 6) above.
 
Red Hat Enterprise Linux Server (v. 6)

Same SRPMS and x86_64 packages as listed for Red Hat Enterprise Linux Desktop (v. 6) above.
 
Red Hat Enterprise Linux Workstation (v. 6)

Same SRPMS and x86_64 packages as listed for Red Hat Enterprise Linux Desktop (v. 6) above.
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1000122 - 'sh' command before mount causes daemon to segfault
1016960 - CVE-2013-4419 libguestfs: insecure temporary directory handling for guestfish's network socket
892291 - guestmount: link() incorrectly returns ENOENT, when it should be EXDEV
892834 - guestmount: rename() incorrectly follows symbolic links
908255 - error message didn't translate to user language
909666 - Unexpected non-tail recursion in recv_from_daemon results in stack overflow in very long-running API calls that send progress messages
958183 - Rebase libguestfs in RHEL 6.5
971207 - guestfish aug-init command fails: libguestfs: error: aug_init: Augeas initialization failed
971326 - ntfsresize-opts execute failed when omitted the 'size' option
971664 - Need add some removed commands back into guestfish in RHEL 6.5
972413 - txz-out command produces a bzip2-compressed file (should be xz-compressed)
973425 - lsscsi is not available in 6client
975377 - inspect-get-hostname return unknown for linux guest in rhel6
975572 - virt-sysprep is in the wrong subpackage
975753 - "virt-resize --expand" and "virt-resize --resize" outputs error message for Win2008 32bit OS
975760 - Specifying virtio interface ('iface' parameter) breaks the appliance attach-method - libguestfs hangs
980358 - filesystem-available should return false for xfs in rhel6
980372 - "hivex-commit" should fail with a relative path
980502 - libguestfs is not able to be built with yum cache from multiple repos
983690 - libguestfs double free when kernel link fails during launch
985269 - Can't set acl value for a specified user with 'acl-set-file'
988863 - virt-sysprep --firstboot option writes incorrect "99" (instead of "S99") sysv-init-style start up script
989352 - cap-get-file will return error if the file has not be set capabilities
996039 - guestfish does not work due to conflict of remote and interactive mode
997884 - 9p support should be disabled in libguestfs in RHEL 6
998108 - Let's enable kvmclock in RHEL 6


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/