Bug 11274 - libvirt new security issues CVE-2013-4296 and CVE-2013-5651
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/567522/
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3...
Keywords: validated_update
Depends on: 11260
 
Reported: 2013-09-23 16:10 CEST by David Walser
Modified: 2013-10-05 20:03 CEST

Source RPM: libvirt-1.0.2-8.1.mga3.src.rpm

Description David Walser 2013-09-23 16:10:52 CEST
Ubuntu issued an advisory on September 18:
http://www.ubuntu.com/usn/usn-1954-1/

Note that the CVE-2013-5651 issue only affects Mageia 3.

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory (Mageia 2):
========================

Updated libvirt packages fix security vulnerabilities:

It was discovered that libvirt incorrectly handled certain memory stats
requests. A remote attacker could use this issue to cause libvirt to
crash, resulting in a denial of service (CVE-2013-4296).

Additionally, an update for a PolicyKit security issue required libvirt to
be updated to use a different API that is not affected by this security
issue (CVE-2013-4311).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4311
http://www.ubuntu.com/usn/usn-1954-1/
https://bugs.mageia.org/show_bug.cgi?id=11260
========================

Updated packages in core/updates_testing:
========================
libvirt0-0.9.12-1.mga2
libvirt-devel-0.9.12-1.mga2
libvirt-static-devel-0.9.12-1.mga2
python-libvirt-0.9.12-1.mga2
libvirt-utils-0.9.12-1.mga2

from libvirt-0.9.12-1.mga2.src.rpm


Advisory (Mageia 3):
========================

Updated libvirt packages fix security vulnerabilities:

It was discovered that libvirt incorrectly handled certain memory stats
requests. A remote attacker could use this issue to cause libvirt to
crash, resulting in a denial of service (CVE-2013-4296).

It was discovered that libvirt incorrectly handled certain bitmap
operations. A remote attacker could use this issue to cause libvirt to
crash, resulting in a denial of service (CVE-2013-5651).

Additionally, an update for a PolicyKit security issue required libvirt to
be updated to use a different API that is not affected by this security
issue (CVE-2013-4311).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4311
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5651
http://www.ubuntu.com/usn/usn-1954-1/
https://bugs.mageia.org/show_bug.cgi?id=11260
========================

Updated packages in core/updates_testing:
========================
libvirt0-1.0.2-8.3.mga3
libvirt-devel-1.0.2-8.3.mga3
python-libvirt-1.0.2-8.3.mga3
libvirt-utils-1.0.2-8.3.mga3

from libvirt-1.0.2-8.3.mga3.src.rpm

David Walser 2013-09-23 16:11:11 CEST

CC: (none) => mageia
Depends on: (none) => 11260
Whiteboard: (none) => MGA2TOO

Comment 1 Oden Eriksson 2013-09-24 15:43:33 CEST
May I request a new release of libvirt with the changes added here:

http://svnweb.mageia.org/packages?view=revision&revision=484822

It makes it so much easier to use.

Additionally one could also add libssh2 support by adding:

BuildRequires: libssh2-devel

CC: (none) => oe

Comment 2 Colin Guthrie 2013-09-24 15:54:54 CEST
@oden, feel free to just bump the subrel and resubmit to testing.

That said, are all these build deps also listed as runtime deps? Or are they not strictly needed at runtime?

Also, IMO it's nicer to have the separate BRs on one line each as this makes contextual diffs much easier to read, but that is arguably going to spark a bikeshed debate so I'll not make any requests about this (and it's not my package anyway!!)

Comment 3 claire robinson 2013-09-25 12:43:37 CEST
Oden, are you intending to do this or shall we proceed with the current build?

If not then testing complete mga3 64

Whiteboard: MGA2TOO => MGA2TOO mga3-64-ok?

Comment 4 Oden Eriksson 2013-09-25 12:49:46 CEST
I will submit as of http://svnweb.mageia.org/packages?view=revision&revision=484822 but I'm not confident enough with this to tell what's needed or not at runtime, as per the question by Colin.

I will also add "BuildRequires: libssh2-devel" which adds this support.

Packages have been submitted to mga3 updates_testing: libvirt-1.0.2-8.4.mga3

Comment 5 claire robinson 2013-09-25 15:06:05 CEST
Did you forget the ssh?

Comment 6 Oden Eriksson 2013-09-25 15:50:15 CEST
No.

$ rpm -qp --requires /mnt/BIG/mirror/mageia/mga3/SRPMS/core/updates_testing/libvirt-1.0.2-8.4.mga3.src.rpm  | grep ssh
libssh2-devel

Comment 7 claire robinson 2013-09-25 15:58:14 CEST
Ahh yep. That was strange, is there a delay on svnweb or was I just looking in the wrong place?

What is the purpose of adding this, Oden? Could you update the advisory please.

Comment 8 Oden Eriksson 2013-09-25 16:44:12 CEST
http://libvirt.org/remote.html

"libssh2
    Transport over the SSH protocol using libssh2 instead of the OpenSSH binary. This transport uses the libvirt authentication callback for all ssh authentication calls and therefore supports keyboard-interactive authentication even with graphical management applications. As with the classic ssh transport netcat is required on the remote side."

Noticed this support was activated when I built libvirt locally and had libssh2-devel installed, comparing symbols and verifying the http://svnweb.mageia.org/packages?view=revision&revision=484822 change.

Comment 9 claire robinson 2013-09-26 09:40:13 CEST
Testing complete mga2 64

Whiteboard: MGA2TOO mga3-64-ok? => MGA2TOO mga2-64-ok

Comment 10 claire robinson 2013-09-26 16:53:42 CEST
I'm having difficulties with this mga2 32 in vbox lxde. 

Can somebody else test please. I can get it to work with vnc but not spice. It could be some oddity of trying to run it in lxde in vbox so if you're better able to test, please do :)

Procedure in bug 10987 comment 6 and 7

Comment 11 claire robinson 2013-09-27 15:12:12 CEST
Testing complete mga3 32

Whiteboard: MGA2TOO mga2-64-ok => MGA2TOO has_procedure mga2-64-ok mga3-32-ok

Comment 12 claire robinson 2013-09-27 15:30:33 CEST
Testing complete mga3 64

Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-32-ok => MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok

Comment 13 Dave Hodgins 2013-09-30 21:59:18 CEST
I'm surprised. I actually got virt-viewer and qemu to run under vb.
It's dead slow, but got far enough to confirm virt-viewer is working.

Testing complete mageia 2 i586. Advisory committed to svn.

Someone from the sysadmin team please push 11274.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok mga2-32-ok
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 14 Thomas Backlund 2013-10-05 20:03:20 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0294.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

