Bug 15863

Summary: netcf new security issue CVE-2014-8119
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: fundawang, mageia, shlomif, sysadmin-bugs, tarazed25, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/643922/
Whiteboard: has_procedure advisory mga4-32-ok mga4-64-ok
Source RPM: netcf-0.2.2-5.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-05-06 17:10:35 CEST 
An update was submitted to Fedora QA on April 8:
https://admin.fedoraproject.org/updates/FEDORA-2015-5872/netcf-0.2.8-1.fc21?_csrf_token=e0a6c6bce78f6f99684f5382f1607a16ee0fa104

The issue was fixed in 0.2.7; Fedora is updating it to 0.2.8 to fix the issue.

Mageia 4 and Mageia 5 are affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-05-06 17:10:51 CEST

CC: (none) => fundawang, tmb
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 Nicolas Lécureuil 2015-05-10 23:56:40 CEST 
pushd in cauldron svn

CC: (none) => mageia

Comment 2 Nicolas Lécureuil 2015-05-10 23:59:01 CEST 
available in mga4 core/updates_testing
Comment 3 David Walser 2015-05-11 14:38:40 CEST 
Updated packages uploaded for Mageia 4 and Cauldron.  Thanks Nicolas!

Advisory:
========================

Updated netcf packages fix security vulnerability:

A denial of service flaw was found in netcf. A specially crafted interface name could cause an application using netcf (such as the libvirt daemon) to crash.

The netcf package has been updated to version 0.2.8, fixing this issue and
several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8119
https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157713.html
========================

Updated packages in core/updates_testing:
========================
netcf-0.2.8-1.mga4
libnetcf1-0.2.8-1.mga4
libnetcf-devel-0.2.8-1.mga4

from netcf-0.2.8-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 4 David Walser 2015-05-11 15:05:58 CEST 
Please use the libvirt testing procedure to test this (unless you can find a PoC).

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14192#c7

Whiteboard: (none) => has_procedure

Comment 5 claire robinson 2015-05-11 15:38:30 CEST 
Testing complete mga4 32

Ensured an installation could be started in virt-manager.

Whiteboard: has_procedure => has_procedure mga4-32-ok

Comment 6 Shlomi Fish 2015-05-11 16:45:07 CEST 
(In reply to claire robinson from comment #5)
> Testing complete mga4 32
> 
> Ensured an installation could be started in virt-manager.

urpmq --whatrequires lib64netcf1 only says libvirt-utils require that and I cannot see a link to it from its /usr/bin/* programs using ldd.

CC: (none) => shlomif

Comment 7 claire robinson 2015-05-11 16:53:41 CEST 
virt-manager requires libvirt-utils, it attempted to install it when run actually, maybe a missing require in virt-manager.

Either way it updates without error.
Comment 8 claire robinson 2015-05-11 17:50:02 CEST 
Advisory uploaded.

Whiteboard: has_procedure mga4-32-ok => has_procedure advisory mga4-32-ok

Comment 9 Len Lawrence 2015-05-11 19:22:43 CEST 
Testing this for x86_64.
Had to install virt-manager and lib64virt-utils for the test.

Before the update virt-manager displayed the management window then froze - I think it was looking for a python package.

After the update it raised an error:

Error talking to PackageKit: The connection is closed

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/packageutils.py", line 54, in check_packagekit
    packagekit_install(parent, packages)
  File "/usr/share/virt-manager/virtManager/packageutils.py", line 66, in packagekit_install
    bus = Gio.bus_get_sync(Gio.BusType.SESSION, None)
GError: The connection is closed

The application reported:
Could not detect a default hypervisor and something about virtualization packages "kvm, qemu, libvirt, etc."  And it said a hypervisor connection can be manually added.  I need to look that up.

CC: (none) => tarazed25

David Walser 2015-05-11 20:33:53 CEST

URL: (none) => http://lwn.net/Vulnerabilities/643922/

Comment 10 Len Lawrence 2015-05-11 21:54:16 CEST 
Well I really don't know what I am doing here.  Clicked on localhost (QEMU) then file then Restore Saved Machine and then navigated to my VMs and selected one of them - shaula - then clicked on shaula.dvi or shaula.vbox and raised this error:

Error restoring domain: operation failed: image magic is incorrect

Can I assume that this is the bug manifesting itself and continue on to the update?
Comment 11 claire robinson 2015-05-12 16:02:39 CEST 
I'm not sure the process for importing vbox images Len. You can click to create a new machine though and give it an iso to use in the same way you would vbox. It creates machines in the / partition by default so use caution when sizing the disk and you might want to delete it when you've finished testing.

Tested mga4 64 here anyway.

Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga4-32-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2015-05-12 21:38:32 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0215.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED