RHEL 6 : virt-v2v (RHSA-2011:1615)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing a security update.

Description :

An updated virt-v2v package that fixes one security issue and several
bugs is now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

virt-v2v is a tool for converting and importing virtual machines to
libvirt-managed KVM (Kernel-based Virtual Machine), or Red Hat
Enterprise Virtualization.

Using virt-v2v to convert a guest that has a password-protected VNC
console to a KVM guest removed that password protection from the
converted guest: after conversion, a password was not required to
access the converted guest's VNC console. Now, converted guests will
require the same VNC console password as the original guest. Note that
when converting a guest to run on Red Hat Enterprise Virtualization,
virt-v2v will display a warning that VNC passwords are not supported.
(CVE-2011-1773)

Note: The Red Hat Enterprise Linux 6.2 perl-Sys-Virt update must also
be installed to correct CVE-2011-1773.
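
To audit guests that were already converted before this update, the following added example (not part of the advisory or of virt-v2v) flags libvirt domain XML whose VNC console has no 'passwd' attribute. The guest names and XML are constructed samples; the input is assumed to come from 'virsh dumpxml --security-info', since without that flag libvirt omits the password and every guest would be flagged.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a guest as it might look after conversion by an
# unfixed virt-v2v (VNC console present, password attribute gone).
CONVERTED_GUEST = """
<domain type='kvm'>
  <name>converted-guest</name>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0'/>
  </devices>
</domain>
"""

# Constructed sample: the same console with its password preserved.
ORIGINAL_GUEST = """
<domain type='kvm'>
  <name>original-guest</name>
  <devices>
    <graphics type='vnc' port='5900' listen='0.0.0.0' passwd='constructed-secret'/>
  </devices>
</domain>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def vnc_findings(domain_xml):
    """Return one finding per VNC console that carries no passwd attribute."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="(unnamed)")
    findings = []
    for gfx in root.iterfind("./devices/graphics"):
        if gfx.get("type") != "vnc" or gfx.get("passwd") is not None:
            continue
        # The listen address is either an attribute or a <listen> child.
        addr = gfx.get("listen")
        if addr is None:
            child = gfx.find("listen")
            addr = child.get("address") if child is not None else None
        findings.append({
            "guest": name,
            "listen": addr,  # None means the host-wide default applies
            "network_reachable": addr is not None and addr not in LOOPBACK,
        })
    return findings


if __name__ == "__main__":
    for xml_text in (CONVERTED_GUEST, ORIGINAL_GUEST):
        print(vnc_findings(xml_text))
```
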

Bug fixes :

* When converting a guest virtual machine (VM), whose name contained
certain characters, virt-v2v would create a converted guest with a
corrupted name. Now, virt-v2v will not corrupt guest names.
(BZ#665883)

* There were numerous usability issues when running virt-v2v as a
non-root user. This update makes it simpler to run virt-v2v as a
non-root user. (BZ#671094)

* virt-v2v failed to convert a Microsoft Windows guest with Windows
Recovery Console installed in a separate partition. Now, virt-v2v will
successfully convert a guest with Windows Recovery Console installed
in a separate partition by ignoring that partition. (BZ#673066)

* virt-v2v failed to convert a Red Hat Enterprise Linux guest which
did not have the symlink '/boot/grub/menu.lst'. With this update,
virt-v2v can select a grub configuration file from several places.
(BZ#694364)

* This update removes information about the usage of deprecated
command line options in the virt-v2v man page. (BZ#694370)

* virt-v2v would fail to correctly change the allocation policy
(sparse or preallocated) when converting a guest with QCOW2 image
format. The error message 'Cannot import VM, The selected disk
configuration is not supported' was displayed. With this update,
allocation policy changes to a guest with QCOW2 storage will work
correctly. (BZ#696089)

* The options '--network' and '--bridge' cannot be used together
when converting a guest, but no error message was
displayed. With this update, virt-v2v will now display an error
message if the mutually exclusive '--network' and '--bridge' command
line options are both specified. (BZ#700759)

* virt-v2v failed to convert a multi-boot guest, and did not clean up
temporary storage and mount points after failure. With this update,
virt-v2v will prompt for which operating system to convert from a
multi-boot guest, and will correctly clean up if the process fails.
(BZ#702007)

* virt-v2v failed to correctly configure modprobe aliases when
converting a VMware ESX guest with VMware Tools installed. With this
update, modprobe aliases will be correctly configured. (BZ#707261)

* When converting a guest with preallocated raw storage using the
libvirtxml input method, virt-v2v failed with the erroneous error
message 'size(X) < usage(Y)'. This update removes this erroneous
error. (BZ#727489)

* When converting a Red Hat Enterprise Linux guest, virt-v2v did not
check that the Cirrus X driver was available before configuring it.
With this update, virt-v2v will attempt to install the Cirrus X driver
if it is required. (BZ#708961)

* VirtIO systems do not support the Windows Recovery Console on 32-bit
Windows XP. The virt-v2v man page has been updated to note this. On
Windows XP Professional x64 Edition, however, if Windows Recovery
Console is re-installed after conversion, it will work as expected.
(BZ#732421)

* Placing comments in the guest fstab file by means of the leading '#'
symbol caused an 'unknown filesystem' error after conversion of a
guest. With this update, comments can now be used and error messages
will not be displayed. (BZ#677870)

Users of virt-v2v should upgrade to this updated package, which fixes
these issues and upgrades virt-v2v to version 0.8.3.

See also :

https://www.redhat.com/security/data/cve/CVE-2011-1773.html
http://rhn.redhat.com/errata/RHSA-2011-1615.html

Solution :

Update the affected virt-v2v package.

Risk factor :

Medium / CVSS Base Score : 4.4
(CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 64008

Bugtraq ID: 50934

CVE ID: CVE-2011-1773