openSUSE-SU-2014:1471

60010

60895

62058

62303

GLSA-201412-04

http://security.libvirt.org/2014/0007.html

USN-2404-1

Updated libvirt packages fix security vulnerabilities :

The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot host OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink attack on /dev/initctl in the container, related to paths under /proc//root and the virInitctlSetRunLevel function (CVE-2013-6456).

libvirt was patched to prevent expansion of entities when parsing XML files. This vulnerability allowed malicious users to read arbitrary files or cause a denial of service (CVE-2014-0179).

An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process (CVE-2014-3633).

A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive (CVE-2014-3657).

Eric Blake discovered that libvirt incorrectly handled permissions when processing the qemuDomainFormatXML command. An attacker with read-only privileges could possibly use this to gain access to certain information from the domain xml file (CVE-2014-7823).

The qemuDomainMigratePerform and qemuDomainMigrateFinish2 functions in qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL check fails, which allow local users to cause a denial of service via unspecified vectors (CVE-2014-8136).

The XML getters for for save images and snapshots objects don't check ACLs for the VIR_DOMAIN_XML_SECURE flag and might possibly dump security sensitive information. A remote attacker able to establish a connection to libvirtd could use this flaw to cause leak certain limited information from the domain xml file (CVE-2015-0236).

This collective update for KVM and libvirt provides fixes for security and non-security issues.

kvm :

  - Fix NULL pointer dereference because of uninitialized     UDP socket. (bsc#897654, CVE-2014-3640)

  - Fix performance degradation after migration.
    (bsc#878350)

  - Fix potential image corruption due to missing     FIEMAP_FLAG_SYNC flag in FS_IOC_FIEMAP ioctl.
    (bsc#908381)

  - Add validate hex properties for qdev. (bsc#852397)

  - Add boot option to do strict boot (bsc#900084)

  - Add query-command-line-options QMP command. (bsc#899144)

  - Fix incorrect return value of migrate_cancel.
    (bsc#843074)

  - Fix insufficient parameter validation during ram load.
    (bsc#905097, CVE-2014-7840)

  - Fix insufficient blit region checks in qemu/cirrus.
    (bsc#907805, CVE-2014-8106) libvirt :

  - Fix security hole with migratable flag in dumpxml.
    (bsc#904176, CVE-2014-7823)

  - Fix domain deadlock. (bsc#899484, CVE-2014-3657)

  - Use correct definition when looking up disk in qemu     blkiotune. (bsc#897783, CVE-2014-3633)

  - Fix undefined symbol when starting virtlockd.
    (bsc#910145)

  - Add '-boot strict' to qemu's commandline whenever     possible. (bsc#900084)

  - Add support for 'reboot-timeout' in qemu. (bsc#899144)

  - Increase QEMU's monitor timeout to 30sec. (bsc#911742)

  - Allow setting QEMU's migration max downtime any time.
    (bsc#879665)

It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823)

This update also fixes the following bugs :

  - In Scientific Linux 6, libvirt relies on the QEMU     emulator to supply the error message when an active     commit is attempted. However, with Scientific Linux 7,     QEMU added support for an active commit, but an     additional interaction from libvirt to fully enable     active commits is still missing. As a consequence,     attempts to perform an active commit caused libvirt to     become unresponsive. With this update, libvirt has been     fixed to detect an active commit by itself, and now     properly declares the feature as unsupported. As a     result, libvirt no longer hangs when an active commit is     attempted and instead produces an error message.

  - Prior to this update, the libvirt API did not properly     check whether a Discretionary Access Control (DAC)     security label is non-NULL before trying to parse     user/group ownership from it. In addition, the DAC     security label of a transient domain that had just     finished migrating to another host is in some cases     NULL. As a consequence, when the virDomainGetBlockInfo     API was called on such a domain, the libvirtd daemon     sometimes terminated unexpectedly. With this update,     libvirt properly checks DAC labels before trying to     parse them, and libvirtd thus no longer crashes in the     described scenario.

  - If a block copy operation was attempted while another     block copy was already in progress to an explicit raw     destination, libvirt previously stopped regarding the     destination as raw. As a consequence, if the qemu.conf     file was edited to allow file format probing, triggering     the bug could allow a malicious guest to bypass sVirt     protection by making libvirt regard the file as non-raw.
    With this update, libvirt has been fixed to consistently     remember when a block copy destination is raw, and     guests can no longer circumvent sVirt protection when     the host is configured to allow format probing.

After installing the updated packages, libvirtd will be restarted automatically.

Updated libvirt packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823)

This issue was discovered by Eric Blake of Red Hat.

This update also fixes the following bugs :

* In Red Hat Enterprise Linux 6, libvirt relies on the QEMU emulator to supply the error message when an active commit is attempted.
However, with Red Hat Enterprise Linux 7, QEMU added support for an active commit, but an additional interaction from libvirt to fully enable active commits is still missing. As a consequence, attempts to perform an active commit caused libvirt to become unresponsive. With this update, libvirt has been fixed to detect an active commit by itself, and now properly declares the feature as unsupported. As a result, libvirt no longer hangs when an active commit is attempted and instead produces an error message.

Note that the missing libvirt interaction will be added in Red Hat Enterprise Linux 7.1, adding full support for active commits.
(BZ#1150379)

* Prior to this update, the libvirt API did not properly check whether a Discretionary Access Control (DAC) security label is non-NULL before trying to parse user/group ownership from it. In addition, the DAC security label of a transient domain that had just finished migrating to another host is in some cases NULL. As a consequence, when the virDomainGetBlockInfo API was called on such a domain, the libvirtd daemon sometimes terminated unexpectedly. With this update, libvirt properly checks DAC labels before trying to parse them, and libvirtd thus no longer crashes in the described scenario. (BZ#1171124)

* If a block copy operation was attempted while another block copy was already in progress to an explicit raw destination, libvirt previously stopped regarding the destination as raw. As a consequence, if the qemu.conf file was edited to allow file format probing, triggering the bug could allow a malicious guest to bypass sVirt protection by making libvirt regard the file as non-raw. With this update, libvirt has been fixed to consistently remember when a block copy destination is raw, and guests can no longer circumvent sVirt protection when the host is configured to allow format probing. (BZ#1149078)

All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.

From Red Hat Security Advisory 2015:0008 :

Updated libvirt packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823)

This issue was discovered by Eric Blake of Red Hat.

This update also fixes the following bugs :

* In Red Hat Enterprise Linux 6, libvirt relies on the QEMU emulator to supply the error message when an active commit is attempted.
However, with Red Hat Enterprise Linux 7, QEMU added support for an active commit, but an additional interaction from libvirt to fully enable active commits is still missing. As a consequence, attempts to perform an active commit caused libvirt to become unresponsive. With this update, libvirt has been fixed to detect an active commit by itself, and now properly declares the feature as unsupported. As a result, libvirt no longer hangs when an active commit is attempted and instead produces an error message.

Note that the missing libvirt interaction will be added in Red Hat Enterprise Linux 7.1, adding full support for active commits.
(BZ#1150379)

* Prior to this update, the libvirt API did not properly check whether a Discretionary Access Control (DAC) security label is non-NULL before trying to parse user/group ownership from it. In addition, the DAC security label of a transient domain that had just finished migrating to another host is in some cases NULL. As a consequence, when the virDomainGetBlockInfo API was called on such a domain, the libvirtd daemon sometimes terminated unexpectedly. With this update, libvirt properly checks DAC labels before trying to parse them, and libvirtd thus no longer crashes in the described scenario. (BZ#1171124)

* If a block copy operation was attempted while another block copy was already in progress to an explicit raw destination, libvirt previously stopped regarding the destination as raw. As a consequence, if the qemu.conf file was edited to allow file format probing, triggering the bug could allow a malicious guest to bypass sVirt protection by making libvirt regard the file as non-raw. With this update, libvirt has been fixed to consistently remember when a block copy destination is raw, and guests can no longer circumvent sVirt protection when the host is configured to allow format probing. (BZ#1149078)

All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.

The remote host is affected by the vulnerability described in GLSA-201412-04 (libvirt: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libvirt. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker may be able to cause a Denial of Service or cause       information leakage. A local attacker may be able to escalate privileges,       cause a Denial of Service or possibly execute arbitrary code.
  Workaround :

    There is no known workaround at this time.

libvirt was updated to fix one security issue.

This security issue was fixed :

  - Security issue with migratable flag (CVE-2014-7823).

Updated libvirt packages fix security vulnerability :

Eric Blake discovered that libvirt incorrectly handled permissions when processing the qemuDomainFormatXML command. An attacker with read-only privileges could possibly use this to gain access to certain information from the domain xml file (CVE-2014-7823).

- Rebased to version 1.1.3.8

    - CVE-2014-3633: out-of-bounds read in blockiotune (bz       #1160823)

    - CVE-2014-3657: Potential deadlock in domain_conf (bz       #1160824)

    - CVE-2014-7823: information leak with migratable flag       (bz #1160822)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

From Red Hat Security Advisory 2014:1873 :

Updated libvirt packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process.
(CVE-2014-3633)

A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive. (CVE-2014-3657)

It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823)

The CVE-2014-3633 issue was discovered by Luyao Huang of Red Hat.

This update also fixes the following bug :

When dumping migratable XML configuration of a domain, libvirt removes some automatically added devices for compatibility with older libvirt releases. If such XML is passed to libvirt as a domain XML that should be used during migration, libvirt checks this XML for compatibility with the internally stored configuration of the domain. However, prior to this update, these checks failed because of devices that were missing (the same devices libvirt removed). As a consequence, migration with user-supplied migratable XML failed. Since this feature is used by OpenStack, migrating QEMU/KVM domains with OpenStack always failed. With this update, before checking domain configurations for compatibility, libvirt transforms both user-supplied and internal configuration into a migratable form (automatically added devices are removed) and checks those instead. Thus, no matter whether the user-supplied configuration was generated as migratable or not, libvirt does not err about missing devices, and migration succeeds as expected. (BZ#1155564)

All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.

Updated libvirt packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process.
(CVE-2014-3633)

A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive. (CVE-2014-3657)

It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823)

The CVE-2014-3633 issue was discovered by Luyao Huang of Red Hat.

This update also fixes the following bug :

When dumping migratable XML configuration of a domain, libvirt removes some automatically added devices for compatibility with older libvirt releases. If such XML is passed to libvirt as a domain XML that should be used during migration, libvirt checks this XML for compatibility with the internally stored configuration of the domain. However, prior to this update, these checks failed because of devices that were missing (the same devices libvirt removed). As a consequence, migration with user-supplied migratable XML failed. Since this feature is used by OpenStack, migrating QEMU/KVM domains with OpenStack always failed. With this update, before checking domain configurations for compatibility, libvirt transforms both user-supplied and internal configuration into a migratable form (automatically added devices are removed) and checks those instead. Thus, no matter whether the user-supplied configuration was generated as migratable or not, libvirt does not err about missing devices, and migration succeeds as expected. (BZ#1155564)

All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.

An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non- persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process.
(CVE-2014-3633)

A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive. (CVE-2014-3657)

It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823)

This update also fixes the following bug :

When dumping migratable XML configuration of a domain, libvirt removes some automatically added devices for compatibility with older libvirt releases. If such XML is passed to libvirt as a domain XML that should be used during migration, libvirt checks this XML for compatibility with the internally stored configuration of the domain. However, prior to this update, these checks failed because of devices that were missing (the same devices libvirt removed). As a consequence, migration with user-supplied migratable XML failed. Since this feature is used by OpenStack, migrating QEMU/KVM domains with OpenStack always failed. With this update, before checking domain configurations for compatibility, libvirt transforms both user-supplied and internal configuration into a migratable form (automatically added devices are removed) and checks those instead. Thus, no matter whether the user-supplied configuration was generated as migratable or not, libvirt does not err about missing devices, and migration succeeds as expected.

After installing the updated packages, libvirtd will be restarted automatically.

Pavel Hrdina discovered that libvirt incorrectly handled locking when processing the virConnectListAllDomains command. An attacker could use this issue to cause libvirtd to hang, resulting in a denial of service. (CVE-2014-3657)

Eric Blake discovered that libvirt incorrectly handled permissions when processing the qemuDomainFormatXML command. An attacker with read-only privileges could possibly use this to gain access to certain information from the domain xml file. (CVE-2014-7823).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
82368	Mandriva Linux Security Advisory : libvirt (MDVSA-2015:115)	Nessus	Mandriva Local Security Checks	medium
81481	SuSE 11.3 Security Update : kvm and libvirt (SAT Patch Number 10222)	Nessus	SuSE Local Security Checks	high
81480	SuSE 11.3 Security Update : kvm and libvirt (SAT Patch Number 10222)	Nessus	SuSE Local Security Checks	high
80397	Scientific Linux Security Update : libvirt on SL7.x x86_64 (20150105)	Nessus	Scientific Linux Local Security Checks	medium
80388	RHEL 7 : libvirt (RHSA-2015:0008)	Nessus	Red Hat Local Security Checks	medium
80387	Oracle Linux 7 : libvirt (ELSA-2015-0008)	Nessus	Oracle Linux Local Security Checks	medium
80360	CentOS 7 : libvirt (CESA-2015:0008)	Nessus	CentOS Local Security Checks	medium
79814	GLSA-201412-04 : libvirt: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
79412	openSUSE Security Update : libvirt (openSUSE-SU-2014:1471-1)	Nessus	SuSE Local Security Checks	medium
79409	Mandriva Linux Security Advisory : libvirt (MDVSA-2014:222)	Nessus	Mandriva Local Security Checks	medium
79397	Fedora 20 : libvirt-1.1.3.8-1.fc20 (2014-15228)	Nessus	Fedora Local Security Checks	medium
79372	Oracle Linux 6 : libvirt (ELSA-2014-1873)	Nessus	Oracle Linux Local Security Checks	medium
79338	CentOS 6 : libvirt (CESA-2014:1873)	Nessus	CentOS Local Security Checks	medium
79331	Scientific Linux Security Update : libvirt on SL6.x i386/x86_64 (20141118)	Nessus	Scientific Linux Local Security Checks	medium
79329	RHEL 6 : libvirt (RHSA-2014:1873)	Nessus	Red Hat Local Security Checks	medium
79210	Ubuntu 14.04 LTS / 14.10 : libvirt vulnerabilities (USN-2404-1)	Nessus	Ubuntu Local Security Checks	medium

CVE-2014-7823

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins