Mandriva Linux Security Advisory : libvirt (MDVSA-2014:097)
Medium Nessus Plugin ID 74075
SynopsisThe remote Mandriva Linux host is missing one or more security updates.
DescriptionMultiple vulnerabilities has been discovered and corrected in libvirt :
The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot host OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink attack on /dev/initctl in the container, related to paths under /proc//root and the virInitctlSetRunLevel function (CVE-2013-6456).
libvirt was patched to prevent expansion of entities when parsing XML files. This vulnerability allowed malicious users to read arbitrary files or cause a denial of service (CVE-2014-0179).
The updated packages have been upgraded to the 22.214.171.124 version and patched to correct these issues.
SolutionUpdate the affected packages.