Bug 12920

Summary: libvirt new security issue CVE-2013-6456
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: joequant
Version: 4   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/589092/
Whiteboard: MGA3TOO
Source RPM: libvirt-1.2.1-1.mga4.src.rpm CVE:
Status comment:
Bug Depends on: 13387    
Bug Blocks:    

Description David Walser 2014-03-03 02:23:03 CET
Upstream has released libvirt 1.2.2, fixing one security issue:
http://libvirt.org/news.html

Debian says the vulnerable code was introduced in 1.0.1, so Mageia 3 should be vulnerable too.  The commits to fix this in the 1.0.5 branch may help:
http://libvirt.org/git/?p=libvirt.git;a=shortlog;h=refs/heads/v1.0.5-maint

David Walser 2014-03-03 02:23:12 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-03-03 19:03:23 CET
Here's the upstream advisory:
http://security.libvirt.org/2013/0018.html

And the original bug report for this issue:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732394

I'm not sure from reading that if systems using systemd are vulnerable.

Comment 2 David Walser 2014-03-03 19:07:45 CET
Fedora has issued an advisory for this on February 21:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/129199.html

URL: (none) => http://lwn.net/Vulnerabilities/589092/

Comment 3 David Walser 2014-03-15 19:56:09 CET
Updated to 1.2.2 in Cauldron by Joseph Wang.

Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
CC: (none) => joequant
Version: Cauldron => 4

Thomas Backlund 2014-05-18 09:43:31 CEST

Depends on: (none) => 13387

Comment 4 David Walser 2014-05-29 12:30:34 CEST
Fixed in Bug 13387.

Status: NEW => RESOLVED
Resolution: (none) => FIXED