Bug 27038

Summary: libvirt new security issue CVE-2020-15708
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Thierry Vignaud <thierry.vignaud>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: mageia
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: libvirt-6.5.0-1.mga8.src.rpm CVE:
Status comment: Patch available from openSUSE

Description David Walser 2020-08-05 00:25:35 CEST 
Ubuntu has issued an advisory today (August 4):
https://ubuntu.com/security/notices/USN-4452-1

Their fix is to src/remote/libvirtd.socket.in, changing SocketMode=0666 to:
SocketMode=0660
SocketUser=root
SocketGroup=libvirt
Comment 1 David Walser 2020-10-29 17:25:38 CET 
SUSE has issued an advisory for this on October 26:
https://lists.suse.com/pipermail/sle-security-updates/2020-October/007626.html
Comment 2 David Walser 2020-10-31 14:18:27 CET 
openSUSE has issued an advisory for this today (October 31):
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00073.html
Comment 3 David Walser 2020-12-27 19:45:20 CET 
SUSE noted that 0666 is the correct mode if polkit auth is enabled, which it is by default in SUSE and Mageia.

SUSE added a patch to the config (where the auth mode can be changed) to note that if the auth mode is changed, the libvirtd.socket file needs to be changed:
https://build.opensuse.org/package/view_file/openSUSE:Leap:15.2:Update/libvirt/b196f8fc-CVE-2020-15708-doc.patch?expand=1

We should do the same.

Status comment: (none) => Patch available from openSUSE

Comment 4 Nicolas Lécureuil 2021-01-02 02:25:52 CET 
added in our cauldron package

Resolution: (none) => FIXED
CC: (none) => mageia
Status: NEW => RESOLVED