Bug 14887

Summary: libvirt new security issue CVE-2014-8136
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/627716/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: libvirt-1.2.1-1.3.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-25 19:35:27 CET 
Gentoo has issued an advisory on December 24:
http://www.gentoo.org/security/en/glsa/glsa-201412-36.xml

I had previously added the fix for CVE-2014-8131 in Cauldron and have now uploaded a patched package fixing CVE-2014-8135 and CVE-2014-8136.

Only CVE-2014-8136 affects version 1.2.1 in Mageia 4.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated libvirt packages fix security vulnerability:

The qemuDomainMigratePerform and qemuDomainMigrateFinish2 functions in
qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL check
fails, which allow local users to cause a denial of service via unspecified
vectors (CVE-2014-8136).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8136
http://www.gentoo.org/security/en/glsa/glsa-201412-36.xml
========================

Updated packages in core/updates_testing:
========================
libvirt0-1.2.1-1.4.mga4
libvirt-devel-1.2.1-1.4.mga4
libvirt-utils-1.2.1-1.4.mga4

from libvirt-1.2.1-1.4.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-12-25 19:35:52 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14192#c7

Whiteboard: (none) => has_procedure

Comment 2 Herman Viaene 2014-12-29 17:26:57 CET 
On MGA-64: I find lib64virt0-1.2.1-1.4.mga4 and lib64virt-devel-1.2.1-1.4.mga4 in the repository, but no lib64virt-utils-1.2.1-1.4.mga4.

CC: (none) => herman.viaene

Comment 3 claire robinson 2014-12-29 17:32:05 CET 
It's confusing with the lib name and the utils package. It will be named libvirt-utils even on a 64 bit system as it's not the library but just tools to work with the lib64virt library package.

Does that make sense? The library itself has the 64 added but related packages *-utils, *-tools etc won't be.
Comment 4 olivier charles 2014-12-29 21:33:53 CET 
Testing on Mageia4 x 32 real hardware, 

From current packages :
---------------------

libvirt0-1.2.1-1.3.mga4
libvirt-devel-1.2.1-1.3.mga4
libvirt-utils-1.2.1-1.3.mga4

# systemctl start libvirtd
# systemctl status -l libvirtd
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running)
   
Using virt-manager, connected to virtual-machine (Mageia4) previously set in 
former testing.

Updated to testing packages :
---------------------------

- libvirt-devel-1.2.1-1.4.mga4.i586
- libvirt-utils-1.2.1-1.4.mga4.i586
- libvirt0-1.2.1-1.4.mga4.i586

Rebooted
# systemctl status -l libvirtd
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running)

Using virt-manager, could connect to previous VM.
Deleted it.
Created a new virtual machine, proceded to a new Mageia4 installation, booted 
ok, made some changes, created a snapshot.

All OK

CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 5 Herman Viaene 2014-12-29 23:21:52 CET 
MGA4-64 on HP Probook 6555b KDE
Installation OK. Virtula Manager runs, I can create a VM using the MGA5 Live iso, but this does not run (no bootable device). I will try classical iso.
Comment 6 Herman Viaene 2014-12-30 11:36:03 CET 
MGA4-64 on HP Probook 6555b KDE
I could install classical KDE 32 bit. Running it only works in safe mode, in normal mode it seems to choke somwhere at the graphical device.
Also tried to make a VM boot from an MGA5 Live iso file. It boots, shows the first option screen (boot, install etc.), but then the display corrupts and nothing seems to happen anymore.
For me, installation of libvrt is OK, the product .....

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 7 claire robinson 2015-01-03 18:35:22 CET 
Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-01-05 17:31:03 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0002.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED