Package: virt-manager
Version: 1:1.0.1-2.1
Severity: critical
Tags: security
Justification: root security hole
Hi.

Not sure whether the problem here is actually in virt-manager, libvirt or spice-client-glib-usb-acl-helper. So please redirect as necessary.

I've just noted a very serious behaviour (which is also why I marked it as critical and root security hole): It seems that when plugging a USB device into my computer where I run virt-manager and where I'm connected to some VMs via SPICE, such USB devices are forwarded to that VM. o.O

I wonder how it chooses to which the device is redirected if there are more VMs connected.

Now SPICE seems to be the default for newly created VMs via libvirt and the SPICE USB Redirector devices are created per default as well.

Also this isn't like the "USB Host Device" hardware in virt-manager/libvirt/qemu, where one at least has to select *which* USB device is connected.

Now since VMs are often used by people as kind of jails, e.g. running untrustworthy OSes or programs in it, or since the VM may be just on any remote server (from work or wherever), redirecting USB devices without asking is IMHO a great security hole. The USB device could contain just anything, my most recent hard disk backup (and thus root passwords, dmcrypt keys etc.) or my private picture collection.

The 2nd critical security aspect of this: A normal user(!) is apparently allowed to redirect a hardware device. Not sure whether this is the typical policykit problem that locally logged in users are handled as if they were root... but hell, one cannot simply give normal users full access to USB devices if root hasn't manually allowed them.
Cheers,
Chris

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages virt-manager depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.22.0-1
ii  gconf2                                       3.2.6-3
ii  gir1.2-gtk-3.0                               3.14.1-1
ii  gir1.2-gtk-vnc-2.0                           0.5.3-1.2
ii  gir1.2-libvirt-glib-1.0                      0.1.7-2.1
ii  gir1.2-spice-client-gtk-3.0                  0.25-1
ii  gir1.2-vte-2.90                              1:0.36.3-1
ii  librsvg2-common                              2.40.4-1
ii  python-dbus                                  1.2.0-2+b3
ii  python-gi                                    3.14.0-1
ii  python-gi-cairo                              3.14.0-1
ii  python-ipaddr                                2.1.11-2
ii  python-libvirt                               1.2.8-1
ii  python-urlgrabber                            3.9.1-4
pn  python2.7:any                                <none>
pn  python:any                                   <none>
ii  virtinst                                     1:1.0.1-2.1

Versions of packages virt-manager recommends:
ii  gnome-icon-theme    3.12.0-1
ii  libvirt-daemon      1.2.9-2
ii  python-spice-client-gtk  0.25-1

Versions of packages virt-manager suggests:
ii  gnome-keyring        3.14.0-1
ii  python-gnomekeyring  2.32.0+dfsg-3
pn  python-guestfs       <none>
pn  ssh-askpass          <none>
pn  virt-viewer          <none>

-- no debconf information
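The report describes a guest that has SPICE graphics plus the default "USB Redirector" devices, which in libvirt domain XML appear as `<redirdev bus='usb' type='spicevmc'/>` channels; the explicitly chosen "USB Host Device" entries the reporter contrasts them with are `<hostdev type='usb'>` elements. The following script is an added example, not code from the bug report, from virt-manager or from libvirt. It audits a domain definition (what `virsh dumpxml <domain>` prints) for that combination and produces a copy of the XML with the redirection channels removed while keeping the explicit host-device assignments. The domain XML embedded in it is constructed sample input; the domain name `jail-vm` and the vendor/product ids are made up for the example. It does not address the reporter's second point, which concerns the policykit authorisation of the helper rather than the guest configuration.

```python
"""Audit libvirt domain XML for SPICE USB redirection channels.

Added example, not code from the bug report or from virt-manager/libvirt.
It inspects a domain definition (what `virsh dumpxml <domain>` prints),
counts the <redirdev bus='usb' type='spicevmc'/> channels behind the
SPICE "USB Redirector" devices, and returns a copy of the XML with those
channels removed while keeping explicitly assigned "USB Host Device"
entries (<hostdev type='usb'>). The XML below is constructed sample input.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a SPICE guest with two default redirector channels
# and one explicitly selected host USB device (ids are made up).
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>jail-vm</name>
  <devices>
    <graphics type='spice' autoport='yes'/>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='1'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <hostdev mode='subsystem' type='usb' managed='yes'>
      <source>
        <vendor id='0x1234'/>
        <product id='0x5678'/>
      </source>
    </hostdev>
  </devices>
</domain>
"""


def _is_spice_usb_redirdev(dev):
    """True for the channels a SPICE client can push a USB device through."""
    return dev.get("bus") == "usb" and dev.get("type") == "spicevmc"


def find_usb_redirdevs(domain_xml):
    """Return the USB port of every SPICE USB redirection channel."""
    root = ET.fromstring(domain_xml)
    ports = []
    for dev in root.findall("./devices/redirdev"):
        if _is_spice_usb_redirdev(dev):
            addr = dev.find("address")
            ports.append(addr.get("port") if addr is not None else None)
    return ports


def audit(domain_xml):
    """Summarise one domain's exposure.

    A guest is flagged when it has SPICE graphics *and* at least one USB
    redirection channel: that is the combination under which a device
    plugged into the client machine can end up inside the guest.
    """
    root = ET.fromstring(domain_xml)
    spice = any(g.get("type") == "spice" for g in root.findall("./devices/graphics"))
    hostdevs = [h for h in root.findall("./devices/hostdev") if h.get("type") == "usb"]
    redir_ports = find_usb_redirdevs(domain_xml)
    return {
        "name": root.findtext("name"),
        "spice": spice,
        "usb_redirdev_count": len(redir_ports),
        "usb_hostdev_count": len(hostdevs),
        "auto_redirect_possible": spice and bool(redir_ports),
    }


def strip_usb_redirdevs(domain_xml):
    """Return (hardened_xml, removed_count) with the redirection channels dropped.

    <hostdev> entries are untouched: those name one specific device that
    an administrator chose, which is the behaviour the report considers acceptable.
    """
    root = ET.fromstring(domain_xml)
    devices = root.find("devices")
    removed = 0
    if devices is not None:
        for dev in list(devices.findall("redirdev")):
            if _is_spice_usb_redirdev(dev):
                devices.remove(dev)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    # Pipe `virsh dumpxml <domain>` into this script; with no piped input it
    # audits the constructed sample. The report goes to stderr, the
    # hardened XML (if anything was removed) to stdout for review.
    xml_in = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DOMAIN_XML
    report = audit(xml_in)
    sys.stderr.write("%r\n" % (report,))
    if report["auto_redirect_possible"]:
        hardened, n = strip_usb_redirdevs(xml_in)
        sys.stderr.write("removed %d USB redirection channel(s)\n" % n)
        print(hardened)
```

Run it as `virsh dumpxml <domain> | python3 audit_redirdev.py > hardened.xml` (script name assumed), review the output, and load it with `virsh define hardened.xml`; the change takes effect the next time the guest is started. Removing the channels disables the automatic forwarding the report describes for that guest but does not change what the USB ACL helper lets a local user do, so it is a per-VM mitigation rather than a fix for the authorisation question.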