| Summary: | libvirt new security issues CVE-2012-2693, CVE-2012-3445, CVE-2012-4423, CVE-2013-0170, and CVE-2013-1962 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Mageia Bug Squad <bugsquad> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | alien, cjw, fundawang, guillomovitch, mageia, mageia, oe, olav, stewbintn, thierry.vignaud |
| Version: | 2 | ||
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/502702/ | ||
| Whiteboard: | |||
| Source RPM: | libvirt-0.9.10-5.mga2.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | 10345 | ||
| Bug Blocks: | |||
|
Description
David Walser
2012-06-20 21:23:46 CEST
David Walser
2012-06-20 21:24:05 CEST
CC:
(none) =>
olav
David Walser
2012-06-30 16:19:54 CEST
CC:
(none) =>
mageia
David Walser
2012-07-13 21:59:20 CEST
CC:
(none) =>
thierry.vignaud
David Walser
2012-08-14 15:46:35 CEST
CC:
(none) =>
guillomovitch
David Walser
2012-08-14 15:47:13 CEST
Version:
Cauldron =>
2

OpenSuSE has issued an advisory today (August 15):
http://lists.opensuse.org/opensuse-updates/2012-08/msg00023.html

This fixes a new issue, CVE-2012-3445.

from http://lwn.net/Vulnerabilities/511404/

Summary:
libvirt new security issue CVE-2012-2693 =>
libvirt new security issues CVE-2012-2693 and CVE-2012-3445
David Walser
2012-10-10 00:45:28 CEST
CC:
(none) =>
oe

RedHat has issued an advisory today (October 11):
https://rhn.redhat.com/errata/RHSA-2012-1359.html

This fixes a new issue, CVE-2012-4423.

from http://lwn.net/Vulnerabilities/519459/

Version:
2 =>
Cauldron
David Walser
2012-11-22 18:52:08 CET
CC:
(none) =>
mageia

libvirt is also affected by dnsmasq issue CVE-2012-3411.

Fedora has issued an advisory on December 18:
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095332.html

Started to take a look at these, cherry-picked patches from the RH package.

For CVE-2012-3445 had to rediff, 1 chunk failed but it looks benign to me, line was already what the patch wanted to change (pulled the same patch from git)

For CVE-2012-4423 - patch applies clean

For CVE-2012-3411 - 3 patches, pulled from git, don't apply clean. If I'm reading the git log correctly, since our dnsmasq supports --bind-dynamic, the last patch should be adequate (it doesn't apply clean either)

For CVE-2012-2693 - 3 patches, still need some work, they *don't* apply clean, but a quick look indicates they could be cleaned up. RH/Fedora apply a ton of patches to this package.

No more time this evening, in progress src.rpm here if anyone wants to look more at the re-diffs:

http://stewbenedict.org/mageia/libvirt-0.9.10-5.1.mga2.src.rpm

CC:
(none) =>
stewbintn

RedHat has issued an advisory on January 28:
https://rhn.redhat.com/errata/RHSA-2013-0199.html

This fixes a new issue, CVE-2013-0170.

from http://lwn.net/Vulnerabilities/534955/

Summary:
libvirt new security issues CVE-2012-2693, CVE-2012-3445, and CVE-2012-4423 =>
libvirt new security issues CVE-2012-2693, CVE-2012-3445, CVE-2012-4423, and CVE-2013-0170

Just FYI, CVE-2013-0170 is fixed in 1.0.2 (Cauldron is currently vulnerable).

CC:
(none) =>
fundawang
David Walser
2013-01-30 21:40:08 CET
CC:
(none) =>
cjw

1.0.2 uploaded in Cauldron by Guillaume, which should fix these in Cauldron.

Removing Mageia 1 from the whiteboard due to EOL.

Version:
Cauldron =>
2

Finally got some time to look at this again.

If I read the CVE correctly:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0170

The mga2 version should be exempt from this (0.9.10).

For the others:
P6, for CVE-2012-3411, doesn't seem to have a context in our version, so I skipped it also.

P7-P9 (CVE-2012-2693) do apply, now after a bit of rediff work. Package builds/installs/seems to run. I don't do a lot with usb devices and libvirt, but I was able to add a usb key in virt-manager and have it show up on the client machine.

New srpm:

http://stewbenedict.org/mageia/libvirt-0.9.10-5.1.mga2.src.rpm

(In reply to comment #8)
> Finally got some time to look at this again.
>
> If I read the CVE correctly:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0170
>
> The mga2 version should be exempt from this (0.9.10).

I wouldn't assume that. Version information in CVE descriptions is often incomplete. Maybe see if you can find the commit (between 0.9.11.8 and 0.9.11.9) that fixed it.

> For the others:
> P6, for CVE-2012-3411, doesn't seem to have a context in our version, so I
> skipped it also.

Those three patches don't look like the right ones to begin with. It looks like they come from further down the line, after libvirt had been changed to use --bind-dynamic, to deal with dnsmasq versions that don't support that option. For us, if our dnsmasq version does support that option, all that detection stuff is overkill anyway and not needed for us, but it does need to use that option in the first place, which our version does not.

It looks like the patches you want to start with are the one that adds using the --bind-dynamic option in the first place, but all that capabilities detection stuff in it would not be needed:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=753ff83a50263d6975f88d6605d4b5ddfcc97560

and then since that commit removed the --except-interface lo, which turned out to be the wrong thing to do, Fedora has a patch that fixes that:
http://pkgs.fedoraproject.org/cgit/libvirt.git/commit/?h=f17&id=d4e5211296a00a0cff32e1a1daaa025002add736

> P7-P9 (CVE-2012-2693) do apply, now after a bit of rediff work. Package
> builds/installs/seems to run. I don't do a lot with usb devices and libvirt,
> but I was able to add a usb key in virt-manager and have it show up on the
> client machine.
>
> New srpm:
>
> http://stewbenedict.org/mageia/libvirt-0.9.10-5.1.mga2.src.rpm

Thanks for continuing to work on this.

(In reply to David Walser from comment #9)
> (In reply to comment #8)
> > Finally got some time to look at this again.
> >
> > If I read the CVE correctly:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0170
> >
> > The mga2 version should be exempt from this (0.9.10).
>
> I wouldn't assume that. Version information in CVE descriptions is often
> incomplete. Maybe see if you can find the commit (between 0.9.11.8 and
> 0.9.11.9) that fixed it.

In fact, if you see RedHat's advisory for this CVE:
https://rhn.redhat.com/errata/RHSA-2013-0199.html

Their update was for 0.9.10. So you should be able to download their SRPM and get a patch for this from that.

Debian has issued an advisory on March 17:
http://www.debian.org/security/2013/dsa-2650

This fixes a new issue, CVE-2013-1766.

from http://lwn.net/Vulnerabilities/543282/

Version:
2 =>
Cauldron

that one looks distro-specific, and related to what user and group libvirtd runs at.

CC:
(none) =>
alien

(In reply to AL13N from comment #12)
> that one looks distro-specific, and related to what user and group libvirtd
> runs at.

Thanks, removing that CVE from the bug title and Cauldron from the version list.

Version:
Cauldron =>
2

RedHat has issued an advisory on May 16:
https://rhn.redhat.com/errata/RHSA-2013-0831.html

This fixes a new issue, CVE-2013-1962.

from http://lwn.net/Vulnerabilities/551062/

Version:
2 =>
Cauldron
David Walser
2013-05-29 15:46:38 CEST
Depends on:
(none) =>
10345

(In reply to David Walser from comment #14)
> RedHat has issued an advisory on May 16:
> https://rhn.redhat.com/errata/RHSA-2013-0831.html
>
> This fixes a new issue, CVE-2013-1962.
>
> from http://lwn.net/Vulnerabilities/551062/

Fixed for Mageia 3 and Cauldron by Funda, Bug 10345.

Version:
Cauldron =>
2

Closing this now due to Mageia 2 EOL.
http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Status:
NEW =>
RESOLVED