Bug 15141

Summary:	libvirt new security issue CVE-2015-0236
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	olchal, sysadmin-bugs, wilcal.int
Version:	4	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/631504/
Whiteboard:	has_procedure advisory MGA4-32-OK mga4-64-ok
Source RPM:	libvirt-1.2.1-1.4.mga4.src.rpm	CVE:
Status comment:

Description David Walser 2015-01-27 14:13:34 CET

Upstream has issued an advisory on January 22:
http://security.libvirt.org/2015/0001.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated libvirt packages fix security vulnerability:

The XML getters for for save images and snapshots objects don't check ACLs for
the VIR_DOMAIN_XML_SECURE flag and might possibly dump security sensitive
information. A remote attacker able to establish a connection to libvirtd
could use this flaw to cause leak certain limited information from the domain
xml file (CVE-2015-0236).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0236
https://bugzilla.redhat.com/show_bug.cgi?id=1184431
http://security.libvirt.org/2015/0001.html
========================

Updated packages in core/updates_testing:
========================
libvirt0-1.2.1-1.5.mga4
libvirt-devel-1.2.1-1.5.mga4
libvirt-utils-1.2.1-1.5.mga4

from libvirt-1.2.1-1.5.mga4.src.rpm

Reproducible: 

Steps to Reproduce:

Comment 1 David Walser 2015-01-27 14:13:48 CET

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14192#c7

Whiteboard: (none) => has_procedure

Comment 2 olivier charles 2015-01-27 16:32:38 CET

Testing on Mageia4x32, real hardware

From current packages :
---------------------
libvirt0-1.2.1-1.4.mga4
libvirt-utils-1.2.1-1.4.mga4

# systemctl start libvirtd
# systemctl status -l libvirtd
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; disabled)
   Active: active (running) since mar. 2015-01-27 16:21:19 CET; 6s ago

Using virt-manager, launched pre-existing virtual-machine (mageia4).

# systemctl stop libvirtd

To updated testing packages :
---------------------------
libvirt0-1.2.1-1.5.mga4
libvirt-utils-1.2.1-1.5.mga4

# systemctl start libvirtd
# systemctl status -l libvirtd
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running) since mar. 2015-01-27 16:26:26 CET; 1min 7s ago

Using virt-manager, launched same virtual-machine, took snapshots, deleted one, reverted to previous snapshot,
All OK

Whiteboard: has_procedure => has_procedure MGA4-32-OK
CC: (none) => olchal

Comment 3 William Kenney 2015-01-27 17:54:25 CET

Help me understand this package olivier. What package are you installing?

[root@localhost wilcal]# urpmi libvert
No package named libvert
[root@localhost wilcal]# urpmi libvert0
No package named libvert0

Going through the MCC -> Software Mangement and searching on "libvert"
there are lots of packages libvert* but none of them libvert or libvert0
Thanks

CC: (none) => wilcal.int

Comment 4 David Walser 2015-01-27 17:58:34 CET

First you need to spell it correctly.  The other common source of confusion is that libvirt is not a library, but libvirt0 is, so on x86_64, only the libvirt0 has a lib64 at the beginning of its name, not libvirt (or libvirt-utils).

Comment 5 William Kenney 2015-01-27 18:54:27 CET

(In reply to olivier charles from comment #2)

> Using virt-manager, launched same virtual-machine, took snapshots, deleted
> one, reverted to previous snapshot

default install of libvirt0 libvirt-utils

[root@localhost wilcal]# urpmi libvirt0
Package libvirt0-1.2.1-1.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libvirt-utils
Package libvirt-utils-1.2.1-1.4.mga4.x86_64 is already installed

[root@localhost wilcal]# systemctl start libvirtd
[root@localhost wilcal]# systemctl status -l libvirtd
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running) since Tue 2015-01-27 09:48:59 PST; 12s ago

[root@localhost wilcal]# virt-manager
bash: virt-manager: command not found

And how do I launch the "virt-manager". It's not in the launch menu.

Comment 6 olivier charles 2015-01-27 18:59:01 CET

(In reply to William Kenney from comment #5)

> And how do I launch the "virt-manager". It's not in the launch menu.

It's a separate package :
# urpmi virt-manager
should do it.

Comment 7 olivier charles 2015-01-27 19:03:13 CET

In addition, you will have to install qemu if you don't have it already on your system.

Comment 8 William Kenney 2015-01-27 21:32:48 CET

(In reply to olivier charles from comment #7)

> In addition, you will have to install qemu if you don't have it already on
> your system.

[root@localhost wilcal]# urpmi gemu
No package named gemu

MCC -> Software Manager
Search finds no package named "gemu"

A serch of the entire M4 repo resulted in no package named "gemu" found.

Comment 9 David Walser 2015-01-27 21:40:54 CET

William, please read more carefully.

Comment 10 William Kenney 2015-01-27 22:33:56 CET

(In reply to David Walser from comment #9)
> William, please read more carefully.

Ok, better put install virt-manager which when launched will then ask for
additional Software to be installed:

gemu & libvirt-utils

Allow the install and the following is displayed

Error talking to PackageKit:
GDBus.Error:org.freedesktop.PackageKit.Modify.internalError: failed to
resolve: The backend exited unexpectedly. This is a serious error as the
spawned backend did not complete the pending transaction.

Comment 11 David Walser 2015-01-27 22:37:27 CET

It's qemu, and install it through your normal means of installing packages.  PackageKit is broken.

Comment 12 William Kenney 2015-01-27 22:37:52 CET

Ok, I wonder. I'm do'n this in a Vbox client which cannot support
a Vbox host. So gemu is another Virtual Manager. I bet olivier is
running on real hardware. I'm not so sure I can run a VM inside
a VM client.

Comment 13 William Kenney 2015-01-27 22:40:20 CET

http://en.wikipedia.org/wiki/QEMU

Comment 14 claire robinson 2015-01-28 16:39:53 CET

Testing complete mga4 64

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK mga4-64-ok

Comment 15 claire robinson 2015-01-28 18:38:59 CET

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure advisory MGA4-32-OK mga4-64-ok

Comment 16 Mageia Robot 2015-01-31 14:24:26 CET

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0046.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2015-02-03 17:55:10 CET

URL: (none) => http://lwn.net/Vulnerabilities/631504/