http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=3e745e8f775dfe6f64f18b5c2fe4791b35d3546b

openSUSE-SU-2014:1290

openSUSE-SU-2014:1293

RHSA-2014:1352

60291

60895

GLSA-201412-04

http://security.libvirt.org/2014/0004.html

DSA-3038

USN-2366-1

Updated libvirt packages fix security vulnerabilities :

The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot host OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink attack on /dev/initctl in the container, related to paths under /proc//root and the virInitctlSetRunLevel function (CVE-2013-6456).

libvirt was patched to prevent expansion of entities when parsing XML files. This vulnerability allowed malicious users to read arbitrary files or cause a denial of service (CVE-2014-0179).

An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process (CVE-2014-3633).

A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive (CVE-2014-3657).

Eric Blake discovered that libvirt incorrectly handled permissions when processing the qemuDomainFormatXML command. An attacker with read-only privileges could possibly use this to gain access to certain information from the domain xml file (CVE-2014-7823).

The qemuDomainMigratePerform and qemuDomainMigrateFinish2 functions in qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL check fails, which allow local users to cause a denial of service via unspecified vectors (CVE-2014-8136).

The XML getters for for save images and snapshots objects don't check ACLs for the VIR_DOMAIN_XML_SECURE flag and might possibly dump security sensitive information. A remote attacker able to establish a connection to libvirtd could use this flaw to cause leak certain limited information from the domain xml file (CVE-2015-0236).

This collective update for KVM and libvirt provides fixes for security and non-security issues.

kvm :

  - Fix NULL pointer dereference because of uninitialized     UDP socket. (bsc#897654, CVE-2014-3640)

  - Fix performance degradation after migration.
    (bsc#878350)

  - Fix potential image corruption due to missing     FIEMAP_FLAG_SYNC flag in FS_IOC_FIEMAP ioctl.
    (bsc#908381)

  - Add validate hex properties for qdev. (bsc#852397)

  - Add boot option to do strict boot (bsc#900084)

  - Add query-command-line-options QMP command. (bsc#899144)

  - Fix incorrect return value of migrate_cancel.
    (bsc#843074)

  - Fix insufficient parameter validation during ram load.
    (bsc#905097, CVE-2014-7840)

  - Fix insufficient blit region checks in qemu/cirrus.
    (bsc#907805, CVE-2014-8106) libvirt :

  - Fix security hole with migratable flag in dumpxml.
    (bsc#904176, CVE-2014-7823)

  - Fix domain deadlock. (bsc#899484, CVE-2014-3657)

  - Use correct definition when looking up disk in qemu     blkiotune. (bsc#897783, CVE-2014-3633)

  - Fix undefined symbol when starting virtlockd.
    (bsc#910145)

  - Add '-boot strict' to qemu's commandline whenever     possible. (bsc#900084)

  - Add support for 'reboot-timeout' in qemu. (bsc#899144)

  - Increase QEMU's monitor timeout to 30sec. (bsc#911742)

  - Allow setting QEMU's migration max downtime any time.
    (bsc#879665)

The remote host is affected by the vulnerability described in GLSA-201412-04 (libvirt: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libvirt. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker may be able to cause a Denial of Service or cause       information leakage. A local attacker may be able to escalate privileges,       cause a Denial of Service or possibly execute arbitrary code.
  Workaround :

    There is no known workaround at this time.

- Rebased to version 1.1.3.8

    - CVE-2014-3633: out-of-bounds read in blockiotune (bz       #1160823)

    - CVE-2014-3657: Potential deadlock in domain_conf (bz       #1160824)

    - CVE-2014-7823: information leak with migratable flag       (bz #1160822)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

From Red Hat Security Advisory 2014:1873 :

Updated libvirt packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process.
(CVE-2014-3633)

A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive. (CVE-2014-3657)

It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823)

The CVE-2014-3633 issue was discovered by Luyao Huang of Red Hat.

This update also fixes the following bug :

When dumping migratable XML configuration of a domain, libvirt removes some automatically added devices for compatibility with older libvirt releases. If such XML is passed to libvirt as a domain XML that should be used during migration, libvirt checks this XML for compatibility with the internally stored configuration of the domain. However, prior to this update, these checks failed because of devices that were missing (the same devices libvirt removed). As a consequence, migration with user-supplied migratable XML failed. Since this feature is used by OpenStack, migrating QEMU/KVM domains with OpenStack always failed. With this update, before checking domain configurations for compatibility, libvirt transforms both user-supplied and internal configuration into a migratable form (automatically added devices are removed) and checks those instead. Thus, no matter whether the user-supplied configuration was generated as migratable or not, libvirt does not err about missing devices, and migration succeeds as expected. (BZ#1155564)

All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.

Updated libvirt packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process.
(CVE-2014-3633)

A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive. (CVE-2014-3657)

It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823)

The CVE-2014-3633 issue was discovered by Luyao Huang of Red Hat.

This update also fixes the following bug :

When dumping migratable XML configuration of a domain, libvirt removes some automatically added devices for compatibility with older libvirt releases. If such XML is passed to libvirt as a domain XML that should be used during migration, libvirt checks this XML for compatibility with the internally stored configuration of the domain. However, prior to this update, these checks failed because of devices that were missing (the same devices libvirt removed). As a consequence, migration with user-supplied migratable XML failed. Since this feature is used by OpenStack, migrating QEMU/KVM domains with OpenStack always failed. With this update, before checking domain configurations for compatibility, libvirt transforms both user-supplied and internal configuration into a migratable form (automatically added devices are removed) and checks those instead. Thus, no matter whether the user-supplied configuration was generated as migratable or not, libvirt does not err about missing devices, and migration succeeds as expected. (BZ#1155564)

All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.

An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non- persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process.
(CVE-2014-3633)

A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive. (CVE-2014-3657)

It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823)

This update also fixes the following bug :

When dumping migratable XML configuration of a domain, libvirt removes some automatically added devices for compatibility with older libvirt releases. If such XML is passed to libvirt as a domain XML that should be used during migration, libvirt checks this XML for compatibility with the internally stored configuration of the domain. However, prior to this update, these checks failed because of devices that were missing (the same devices libvirt removed). As a consequence, migration with user-supplied migratable XML failed. Since this feature is used by OpenStack, migrating QEMU/KVM domains with OpenStack always failed. With this update, before checking domain configurations for compatibility, libvirt transforms both user-supplied and internal configuration into a migratable form (automatically added devices are removed) and checks those instead. Thus, no matter whether the user-supplied configuration was generated as migratable or not, libvirt does not err about missing devices, and migration succeeds as expected.

After installing the updated packages, libvirtd will be restarted automatically.

- CVE-2014-3657: Fix domain deadlock     fc22b2e7-CVE-2014-3657.patch bsc#899484

  - CVE-2014-3633: Use correct definition when looking up     disk in qemu blkiotune 3e745e8f-CVE-2014-3633.patch     bsc#897783

  - spec: libvirt-daemon package owns /etc/libvirt, not     libvirt-client bnc#878056

- CVE-2014-3657: Fix domain deadlock     fc22b2e7-CVE-2014-3657.patch bsc#899484

  - CVE-2014-3633: Use correct definition when looking up     disk in qemu blkiotune 3e745e8f-CVE-2014-3633.patch     bsc#897783

Multiple vulnerabilities has been discovered and corrected in libvirt :

An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process (CVE-2014-3633).

A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive (CVE-2014-3657).

The updated libvirt packages have been upgraded to the 1.1.3.6 version and patched to resolve these security flaws.

Updated libvirt packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process.
(CVE-2014-3633)

A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive. (CVE-2014-3657)

The CVE-2014-3633 issue was discovered by Luyao Huang of Red Hat.

This update also fixes the following bug :

* Prior to this update, libvirt was setting the cpuset.mems parameter for domains with numatune/memory[nodeset] prior to starting them. As a consequence, domains with such a nodeset, which excluded the NUMA node with DMA and DMA32 zones (found in /proc/zoneinfo), could not be started due to failed KVM initialization. With this update, libvirt sets the cpuset.mems parameter after the initialization, and domains with any nodeset (in /numatune/memory) can be started without an error. (BZ#1135871)

All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.

From Red Hat Security Advisory 2014:1352 :

Updated libvirt packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process.
(CVE-2014-3633)

A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive. (CVE-2014-3657)

The CVE-2014-3633 issue was discovered by Luyao Huang of Red Hat.

This update also fixes the following bug :

* Prior to this update, libvirt was setting the cpuset.mems parameter for domains with numatune/memory[nodeset] prior to starting them. As a consequence, domains with such a nodeset, which excluded the NUMA node with DMA and DMA32 zones (found in /proc/zoneinfo), could not be started due to failed KVM initialization. With this update, libvirt sets the cpuset.mems parameter after the initialization, and domains with any nodeset (in /numatune/memory) can be started without an error. (BZ#1135871)

All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.

Daniel P. Berrange and Richard Jones discovered that libvirt incorrectly handled XML documents containing XML external entity declarations. An attacker could use this issue to cause libvirtd to crash, resulting in a denial of service on all affected releases, or possibly read arbitrary files if fine grained access control was enabled on Ubuntu 14.04 LTS. (CVE-2014-0179, CVE-2014-5177)

Luyao Huang discovered that libvirt incorrectly handled certain blkiotune queries. An attacker could use this issue to cause libvirtd to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3633).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in Libvirt, a virtualisation abstraction library. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2014-0179     Richard Jones and Daniel P. Berrange found that libvirt     passes the XML_PARSE_NOENT flag when parsing XML     documents using the libxml2 library, in which case all     XML entities in the parsed documents are expanded. A     user able to force libvirtd to parse an XML document     with an entity pointing to a special file that blocks on     read access could use this flaw to cause libvirtd to     hang indefinitely, resulting in a denial of service on     the system.

  - CVE-2014-3633     Luyao Huang of Red Hat found that the qemu     implementation of virDomainGetBlockIoTune computed an     index into the array of disks for the live definition,     then used it as the index into the array of disks for     the persistent definition, which could result into an     out-of-bounds read access in qemuDomainGetBlockIoTune().

  A remote attacker able to establish a read-only connection to   libvirtd could use this flaw to crash libvirtd or, potentially, leak   memory from the libvirtd process.

ID	Name	Product	Family	Severity
82368	Mandriva Linux Security Advisory : libvirt (MDVSA-2015:115)	Nessus	Mandriva Local Security Checks	medium
81481	SuSE 11.3 Security Update : kvm and libvirt (SAT Patch Number 10222)	Nessus	SuSE Local Security Checks	high
81480	SuSE 11.3 Security Update : kvm and libvirt (SAT Patch Number 10222)	Nessus	SuSE Local Security Checks	high
79814	GLSA-201412-04 : libvirt: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
79397	Fedora 20 : libvirt-1.1.3.8-1.fc20 (2014-15228)	Nessus	Fedora Local Security Checks	medium
79372	Oracle Linux 6 : libvirt (ELSA-2014-1873)	Nessus	Oracle Linux Local Security Checks	medium
79338	CentOS 6 : libvirt (CESA-2014:1873)	Nessus	CentOS Local Security Checks	medium
79331	Scientific Linux Security Update : libvirt on SL6.x i386/x86_64 (20141118)	Nessus	Scientific Linux Local Security Checks	medium
79329	RHEL 6 : libvirt (RHSA-2014:1873)	Nessus	Red Hat Local Security Checks	medium
78451	openSUSE Security Update : libvirt (openSUSE-SU-2014:1290-1)	Nessus	SuSE Local Security Checks	medium
78450	openSUSE Security Update : libvirt (openSUSE-SU-2014:1293-1)	Nessus	SuSE Local Security Checks	medium
78062	Mandriva Linux Security Advisory : libvirt (MDVSA-2014:195)	Nessus	Mandriva Local Security Checks	medium
78043	CentOS 7 : libvirt (CESA-2014:1352)	Nessus	CentOS Local Security Checks	medium
78023	RHEL 7 : libvirt (RHSA-2014:1352)	Nessus	Red Hat Local Security Checks	medium
78022	Oracle Linux 7 : libvirt (ELSA-2014-1352)	Nessus	Oracle Linux Local Security Checks	medium
78010	Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : libvirt vulnerabilities (USN-2366-1)	Nessus	Ubuntu Local Security Checks	medium
77921	Debian DSA-3038-1 : libvirt - security update	Nessus	Debian Local Security Checks	medium

CVE-2014-3633

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins