Bug 29401

Summary: libvirt new security issue CVE-2021-3667
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, mageia, sysadmin-bugs, thierry.vignaud
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libvirt-7.6.0-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2021-08-24 00:06:18 CEST 
SUSE has issued an advisory today (August 23):
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009329.html

Mageia 8 is also affected.
David Walser 2021-08-24 00:06:30 CEST

Whiteboard: (none) => MGA8TOO
CC: (none) => mageia

Comment 1 David Walser 2021-08-24 00:09:24 CEST 
openSUSE has issued an advisory for this today (August 23):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/K4QAQWSVV2PRNPOI4R3VBPRTRXS5NLQ5/
Comment 2 Lewis Smith 2021-08-24 20:41:22 CEST 
tv is clearly the major player (if not the registered maintainer; there is none) for this SRPM, so assigning this to you.

Assignee: bugsquad => thierry.vignaud

Comment 3 David Walser 2021-09-30 18:05:34 CEST 
Fedora has issued an advisory for this on September 29:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HWNKJO5VHRNPGVFUMEQ3V6RYIEYVWGLV/
Comment 4 Nicolas Lécureuil 2021-11-30 22:27:49 CET 
already fixed in cauldron version.

New package pushed in mga8

src:
    - libvirt-7.0.0-2.2.mga8

CC: (none) => thierry.vignaud
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: thierry.vignaud => qa-bugs

Comment 5 David Walser 2021-11-30 22:31:08 CET 
libnss_libvirt2-7.0.0-2.2.mga8
wireshark-libvirt-7.0.0-2.2.mga8
libvirt-devel-7.0.0-2.2.mga8
libvirt0-7.0.0-2.2.mga8
libvirt-docs-7.0.0-2.2.mga8
libvirt-utils-7.0.0-2.2.mga8

from libvirt-7.0.0-2.2.mga8.src.rpm
Comment 6 Herman Viaene 2021-12-02 15:56:12 CET 
MGA8-64 Plasma on Lenovo B50
When selecting all packages in MCC I got on selecting libvirt-utils (translated)

The following package has to b removed in order to upgrade others:
netcat-traditional-1.10-42.mga8.x86_64
 (because of conflicts with netcat-openbsd)
Continued installation, seems to go OK.
Ref bug 29525 trying to make sense of it (my problem)
# systemctl start libvirt-guests.service
# systemctl status libvirt-guests.service
● libvirt-guests.service - Suspend/Resume Running libvirt Guests
     Loaded: loaded (/usr/lib/systemd/system/libvirt-guests.service; disabled; vendor preset: disabled)
     Active: active (exited) since Thu 2021-12-02 15:47:50 CET; 4s ago
       Docs: man:libvirtd(8)
             https://libvirt.org
    Process: 26384 ExecStart=/usr/libexec/libvirt-guests.sh start (code=exited, status=0/SUCCESS)
   Main PID: 26384 (code=exited, status=0/SUCCESS)
        CPU: 17ms

dec 02 15:47:50 mach5.hviaene.thuis systemd[1]: Starting Suspend/Resume Running libvirt Guests...
dec 02 15:47:50 mach5.hviaene.thuis systemd[1]: Finished Suspend/Resume Running libvirt Guests.
[root@mach5 ~]# systemctl list-units --all | grep libvirt
  libvirt-guests.service                                                                    loaded    active   exited    Suspend/Resume Running libvirt Guests                                              
  libvirtd.service                                                                          loaded    active   running   Virtualization daemon                                                              
  libvirtd-admin.socket                                                                     loaded    active   running   Libvirt admin socket                                                               
  libvirtd-ro.socket                                                                        loaded    active   running   Libvirt local read-only socket                                                     
  libvirtd.socket                                                                           loaded    active   running   Libvirt local socket      

Seems to be OK, but waiting for others with more knowledge on the subject.

CC: (none) => herman.viaene

Comment 7 PC LX 2021-12-05 17:25:29 CET 
Installed and tested without issue.


Tested using virsh and virt-manager. Tested remote (ssh) and local. Tested qemu:///system and qemu:///session.
Tested guests: Mageia 8, Mageia cauldron, Windows 10, Haiku, Fedora 35, Ubuntu 20.04 and Ubuntu 21.10.
Tested integration with systemd-machined.
Tested nested QEMU/KVM inside QEMU/KVM Mageia 8 guest.


System: Mageia 8, x86_64, Intel CPU.


$ uname -a
Linux marte 5.10.78-desktop-1.mga8 #1 SMP Sat Nov 6 13:40:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep 'virt.*7\.0\.0'
libvirt-utils-7.0.0-2.2.mga8
lib64virt0-7.0.0-2.2.mga8
wireshark-libvirt-7.0.0-2.2.mga8
$ LANGUAGE=C virsh
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # connect qemu+ssh://pclx@marte/system

virsh # uri
qemu+ssh://pclx@marte/system

virsh # list --all
 Id   Name            State
--------------------------------
 1    memtest86       running
 -    haiku_r1beta3   shut off
 -    mageia_8        shut off
 -    mageia_c        shut off
 -    windows_10      shut off
 -    windows_10_dev  shut off
 -    fedora_35       shut off
 -    ubuntu_20_04_l  shut off
 -    ubuntu_21_10    shut off

$ systemctl | grep libvirt
  libvirtd.service                                                                                      loaded active running   Virtualization daemon                                                                
  libvirtd-admin.socket                                                                                 loaded active running   Libvirt admin socket                                                                 
  libvirtd-ro.socket                                                                                    loaded active running   Libvirt local read-only socket                                                       
  libvirtd.socket                                                                                       loaded active running   Libvirt local socket                                                                 
$ systemctl status libvirtd.service
● libvirtd.service - Virtualization daemon
     Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; disabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-12-05 16:04:24 WET; 28s ago
TriggeredBy: ● libvirtd-admin.socket
             ● libvirtd.socket
             ● libvirtd-ro.socket
       Docs: man:libvirtd(8)
             https://libvirt.org
   Main PID: 30864 (libvirtd)
      Tasks: 20 (limit: 32768)
     Memory: 33.5M
        CPU: 562ms
     CGroup: /system.slice/libvirtd.service
             └─30864 /usr/sbin/libvirtd --timeout 120

dez 05 16:04:24 marte systemd[1]: Starting Virtualization daemon...
dez 05 16:04:24 marte systemd[1]: Started Virtualization daemon.
dez 05 16:04:27 marte libvirtd[30864]: libvirt version: 7.0.0
dez 05 16:04:27 marte libvirtd[30864]: hostname: marte

CC: (none) => mageia

Herman Viaene 2021-12-09 14:25:47 CET

Whiteboard: (none) => MGA8-64-OK

Comment 8 Thomas Andrews 2021-12-09 19:29:44 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-12-10 21:35:22 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2021-12-10 23:20:13 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0547.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED