Bug 22777

Summary: libvirt new security issue CVE-2018-1064
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: bequimao.de, herman.viaene, marja11, mhrambo3501, sysadmin-bugs, thierry.vignaud
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: libvirt-3.10.0-1.1.mga6.src.rpm CVE:
Status comment: Patch available from Debian and upstream

Description David Walser 2018-03-15 15:09:45 CET 
Debian has issued an advisory on March 14:
https://www.debian.org/security/2018/dsa-4137

The issue is related to CVE-2018-5748 and was fixed upstream in this commit:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=fbf31e1a4cd19d6f6e33e0937a009775cd7d9513

Mageia 6 is also affected.
David Walser 2018-03-15 15:10:14 CET

Status comment: (none) => Patch available from Debian and upstream
Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-03-15 18:26:12 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11, thierry.vignaud
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2018-03-21 21:13:05 CET 
Patched packages uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated libvirt package fixes security vulnerability:

It was discovered that libvirt had a potential denial of service reading from QEMU guest agent (CVE-2018-1064).

References:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=fbf31e1a4cd19d6f6e33e0937a009775cd7d9513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1064
https://www.debian.org/security/2018/dsa-4137
========================

Updated packages in core/updates_testing:
========================
lib64virt0-3.10.0-1.2.mga6
lib64virt-devel-3.10.0-1.2.mga6
libvirt-docs-3.10.0-1.2.mga6
libvirt-utils-3.10.0-1.2.mga6
wireshark-libvirt-3.10.0-1.2.mga6

from libvirt-3.10.0-1.2.mga6.src.rpm

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14192#c7

CC: (none) => mrambo
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Keywords: (none) => has_procedure

Mike Rambo 2018-03-21 21:14:17 CET

Assignee: pkg-bugs => qa-bugs

Comment 3 Herman Viaene 2018-03-22 17:11:44 CET 
MGA6-32 on Dell Latitude D600 Mate
Installed virt-manager in addition for test purposes.
Starting libvirtd service is OK
Starting virt-manager at CLI just returns to prompt, nothing happens. journalctl shows error:0 in libglib-2.0.so.0.5400.3. Googling did not make me much wiser.

CC: (none) => herman.viaene

Comment 4 Ulrich Beckmann 2018-03-24 07:58:31 CET 
(In reply to Herman Viaene from comment #3)
> MGA6-32 on Dell Latitude D600 Mate
> Installed virt-manager in addition for test purposes.
> Starting libvirtd service is OK
> Starting virt-manager at CLI just returns to prompt, nothing happens.
> journalctl shows error:0 in libglib-2.0.so.0.5400.3. Googling did not make
> me much wiser.

Try qemu-kvm and virt-manager on new 64-bit hardware. Does Virtual Box work on this machine?

CC: (none) => bequimao.de

Comment 5 Ulrich Beckmann 2018-03-24 08:52:24 CET 
Same state as in https://bugs.mageia.org/show_bug.cgi?id=22280#c12

I would mark it as mga-64-ok.

Ulrich
Comment 6 Ulrich Beckmann 2018-03-24 11:29:09 CET 
(In reply to Ulrich Beckmann from comment #5)
> Same state as in https://bugs.mageia.org/show_bug.cgi?id=22280#c12
> 
> I would mark it as mga-64-ok.
> 
> Ulrich

Installed versions are
ipxe-roms-qemu-20150821-6.mga6
lib64glib2.0_0-2.54.3-1.mga6
lib64virt0-3.10.0-1.2.mga6
lib64virt-glib1.0_0-0.2.3-2.mga6
lib64virt-glib-gir1.0-0.2.3-2.mga6
libvirt-utils-3.10.0-1.2.mga6
python-libvirt-3.10.0-1.mga6
qemu-block-curl-2.8.1.1-7.mga6
qemu-block-dmg-2.8.1.1-7.mga6
qemu-block-iscsi-2.8.1.1-7.mga6
qemu-block-nfs-2.8.1.1-7.mga6
qemu-block-ssh-2.8.1.1-7.mga6
qemu-common-2.8.1.1-7.mga6
qemu-img-2.8.1.1-7.mga6
qemu-kvm-2.8.1.1-7.mga6
qemu-system-x86-2.8.1.1-7.mga6
virt-manager-1.4.1-1.mga6
virt-manager-common-1.4.1-1.mga6
Comment 7 Herman Viaene 2018-03-24 11:30:19 CET 
@ Ulrich
No, I never install anything Vbox on this machine because
1. I think there was an agreement to drop testing of Vbox on 32-bit platforms.
2. I have too much restrictions of available RAM and disk space on this old machine to ever try Vbox on it.
You might tell me that in that case I better drop this test as well ????
Comment 8 Ulrich Beckmann 2018-03-24 11:52:55 CET 
@ Herman
Does it work on a clean non-testing Mga6?
You might have spotted an unseen dependency to https://bugs.mageia.org/show_bug.cgi?id=22661

Virtualisation on an old machine is no fun, if it works at all.
https://www.linux-kvm.org/page/Processor_support

Ulrich
Comment 9 Ulrich Beckmann 2018-03-28 16:30:36 CEST 
no further regression on 64-bit.

Whiteboard: (none) => MGA6-64-OK

Comment 10 claire robinson 2018-03-29 18:28:04 CEST 
Validating on Ulrich's tests.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 claire robinson 2018-03-29 18:31:07 CEST 
Advisoried.

Keywords: (none) => advisory

Comment 12 Mageia Robot 2018-03-29 23:01:21 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0186.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED