Bug 18873

Summary: libvirt new security issue CVE-2016-5008
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: jim, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/693176/
Whiteboard: has_procedure advisory MGA5-64-OK MGA5-32-OK
Source RPM: libvirt-1.3.5-2.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-07-05 20:56:40 CEST 
Debian has issued an advisory on July 2:
https://www.debian.org/security/2016/dsa-3613

It was fixed upstream in 2.0.0.  Upstream's advisory links to fixes:
http://security.libvirt.org/2016/0001.html

Mageia 5 is also affected.
David Walser 2016-07-05 20:56:54 CEST

Assignee: bugsquad => thierry.vignaud
Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-07-07 20:52:14 CEST 
Patched packages uploaded for Mageia 5 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14192#c7

Advisory:
========================

Updated libvirt packages fix security vulnerability:

Vivian Zhang and Christoph Anton Mitterer discovered that setting an empty VNC
password does not work as documented in Libvirt, a virtualisation abstraction
library. When the password on a VNC server is set to the empty string,
authentication on the VNC server will be disabled, allowing any user to connect,
despite the documentation declaring that setting an empty password for the VNC
server prevents all client connections. With this update the behaviour is
enforced by setting the password expiration to "now" (CVE-2016-5008).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5008
http://security.libvirt.org/2016/0001.html
https://www.debian.org/security/2016/dsa-3613
========================

Updated packages in core/updates_testing:
========================
libvirt0-1.2.9.3-1.4.mga5
libvirt-devel-1.2.9.3-1.4.mga5
libvirt-utils-1.2.9.3-1.4.mga5

from libvirt-1.2.9.3-1.4.mga5.src.rpm

Version: Cauldron => 5
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA5TOO => has_procedure

Comment 2 James Kerr 2016-07-08 08:36:13 CEST 
Testing on mga5-64

already installed:
qemu-2.4.1-5.mga5
qemu-img-2.4.1-5.mga5
virt-manager-1.1.0-7.mga5

installed from testing:
lib64virt0-1.2.9.3-1.4.mga5
libvirt-utils-1.2.9.3-1.4.mga5

packages installed cleanly

launched libvirtd.service:
# systemctl start libvirtd.service

Used virt-manager to create a VM and launched install of mga5 using boot.iso

OK for mga5-64

CC: (none) => jim
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 3 James Kerr 2016-07-08 09:22:18 CEST 
Testing on mga5-32

already installed:
qemu-img-2.4.1-5.mga5
qemu-2.4.1-5.mga5
virt-manager-1.1.0-7.mga5

installed from testing:
libvirt0-1.2.9.3-1.4.mga5
libvirt-utils-1.2.9.3-1.4.mga5
packages installed cleanly

launched libvirtd.service
# systemctl start libvirtd.service

Used virt-manager to create a VM and launched installation of mga5 using boot.iso

OK for mga5-32

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Comment 4 James Kerr 2016-07-08 09:25:29 CEST 
This is now validated
The Advisory needs to be uploaded to SVN
The packages can then be pushed to updates

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

claire robinson 2016-07-08 17:30:01 CEST

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 5 Mageia Robot 2016-07-08 21:51:52 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0248.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED