Bug 27388

Summary: libvirt new security issue CVE-2020-25637
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, mageia, ouaurelien, sysadmin-bugs, thierry.vignaud
Version: 7Keywords: Triaged, advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: libvirt-5.5.0-1.2.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-10-11 18:16:16 CEST 
A security issue fixed upstream in libvirt 6.8.0 has been announced on October 2:
https://www.openwall.com/lists/oss-security/2020/10/02/1

The commits that fixed the issue are linked in the message above.
Comment 1 Aurelien Oudelet 2020-10-12 18:25:52 CEST 
Hi, thanks for reporting this bug.
Assigning globally as no registered maintainer. CC'd recent commiter.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => pkg-bugs
Keywords: (none) => Triaged
CC: (none) => thierry.vignaud

Comment 2 David Walser 2020-10-13 18:04:38 CEST 
Debian-LTS has issued an advisory for this on October 2:
https://www.debian.org/lts/security/2020/dla-2395
Comment 3 David Walser 2020-10-29 17:25:42 CET 
SUSE has issued an advisory for this on October 26:
https://lists.suse.com/pipermail/sle-security-updates/2020-October/007626.html
Comment 4 David Walser 2020-10-31 14:18:31 CET 
openSUSE has issued an advisory for this today (October 31):
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00073.html
Comment 5 David Walser 2020-11-10 19:03:46 CET 
RedHat has issued an advisory for this today (November 10):
https://access.redhat.com/errata/RHSA-2020:5040
Comment 6 David Walser 2020-12-27 20:12:03 CET 
Patched package uploaded for Mageia 7.

Advisory:
========================

Updated libvirt packages fix security vulnerability:

A double free memory issue was found to occur in the libvirt API responsible
for requesting information about network interfaces of a running QEMU domain.
This flaw affects the polkit access control driver. Specifically, clients
connecting to the read-write socket with limited ACL permissions could use this
flaw to crash the libvirt daemon, resulting in a denial of service, or
potentially escalate their privileges on the system. The highest threat from
this vulnerability is to data confidentiality and integrity as well as system
availability (CVE-2020-25637).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25637
https://access.redhat.com/errata/RHSA-2020:5040
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00073.html
========================

Updated packages in core/updates_testing:
========================
libvirt-docs-5.5.0-1.3.mga7
libvirt0-5.5.0-1.3.mga7
libvirt-devel-5.5.0-1.3.mga7
libvirt-utils-5.5.0-1.3.mga7
wireshark-libvirt-5.5.0-1.3.mga7
libnss_libvirt2-5.5.0-1.3.mga7

from libvirt-5.5.0-1.3.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs

David Walser 2020-12-27 20:12:34 CET

Severity: normal => major

Comment 7 PC LX 2020-12-28 17:27:53 CET 
Installed and tested without issues.

Host system: Mageia 7, x86_64, Plasma DE, LXQt DE, virt-viewer, virt-manager, Intel CPU, nVidia CPU using nvidia-current proprietary driver.

Guest systems:
- Mageia 7, x86_64, LXQt DE, virtio drivers, spice agent.
- Mageia 8/cauldron, x86_64, LXQt DE, virtio drivers, spice agent.
- Windows 7 Pro, x86_64, spice agent, spice webdavd.
- Windows 10, x86_64, spice agent, spice webdavd.

Tested guests somewhat for a few hours. No regressions noticed.



$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep 'virt|qemu|spice' | sort
ipxe-roms-qemu-20190125-1.mga7
lib64govirt2-0.3.4-8.mga7
lib64spice-client-glib2.0_8-0.37-1.mga7
lib64spice-client-glib-gir2.0-0.37-1.mga7
lib64spice-client-gtk3.0_5-0.37-1.mga7
lib64spice-client-gtk-gir3.0-0.37-1.mga7
lib64spice-server1-0.14.2-1.1.mga7
lib64virt0-5.5.0-1.3.mga7
lib64virt-glib1.0_0-2.0.0-1.mga7
lib64virt-glib-gir1.0-2.0.0-1.mga7
libgovirt-0.3.4-8.mga7
libvirt-utils-5.5.0-1.3.mga7
python3-libvirt-5.5.0-1.mga7
qemu-audio-alsa-4.0.0-2.mga7
qemu-audio-oss-4.0.0-2.mga7
qemu-audio-pa-4.0.0-2.mga7
qemu-audio-sdl-4.0.0-2.mga7
qemu-block-curl-4.0.0-2.mga7
qemu-block-dmg-4.0.0-2.mga7
qemu-block-iscsi-4.0.0-2.mga7
qemu-block-nfs-4.0.0-2.mga7
qemu-block-ssh-4.0.0-2.mga7
qemu-common-4.0.0-2.mga7
qemu-img-4.0.0-2.mga7
qemu-kvm-4.0.0-2.mga7
qemu-system-x86-4.0.0-2.mga7
qemu-system-x86-core-4.0.0-2.mga7
qemu-ui-curses-4.0.0-2.mga7
qemu-ui-gtk-4.0.0-2.mga7
qemu-ui-sdl-4.0.0-2.mga7
spice-gtk-0.37-1.mga7
virt-manager-2.1.0-2.mga7
virt-manager-common-2.1.0-2.mga7
virt-viewer-8.0-3.mga7
wireshark-libvirt-5.5.0-1.3.mga7

CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK

Comment 8 Thomas Andrews 2020-12-28 22:01:57 CET 
Validating. Advisory in Comment 6.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 9 Aurelien Oudelet 2020-12-29 10:51:30 CET 
Advisory pushed to SVN.

Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 10 Mageia Robot 2020-12-29 12:58:40 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0473.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED