Bug 12235 - libvirt new security issues CVE-2013-6436, CVE-2013-645[78], CVE-2014-1447, CVE-2014-0028
Summary: libvirt new security issues CVE-2013-6436, CVE-2013-645[78], CVE-2014-1447, C...
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/581304/
Whiteboard: has_procedure advisory mga3-32-ok mga...
Keywords: validated_update
Depends on:
Reported: 2014-01-07 22:20 CET by David Walser
Modified: 2014-02-11 23:51 CET (History)
4 users (show)

See Also:
Source RPM: libvirt-1.1.4-1.mga4.src.rpm
Status comment:


Description David Walser 2014-01-07 22:20:31 CET
OpenSuSE has issued an advisory on January 3:


Steps to Reproduce:
David Walser 2014-01-07 22:20:45 CET

Whiteboard: (none) => MGA3TOO

David Walser 2014-01-09 17:42:47 CET

Blocks: (none) => 11726

Comment 1 David Walser 2014-01-14 17:32:10 CET
Two other CVEs were assigned for libvirt issues today, CVE-2014-144[78]:
Comment 2 David Walser 2014-01-16 17:55:54 CET
CVE-2014-1448 was rejected and merged into CVE-2014-1447.

There are a number of other CVEs mentioned in the changelog for libvirt 1.2.1:
Comment 3 David Walser 2014-01-21 17:30:33 CET
Debian has issued an advisory for CVE-2013-6458 and CVE-2014-1447:

from http://lwn.net/Vulnerabilities/581304/

Summary: libvirt new security issue CVE-2013-6436 => libvirt new security issues CVE-2013-6436, CVE-2013-645[78], CVE-2014-1447, CVE-2014-0028

Comment 4 David Walser 2014-01-23 20:45:23 CET
Probably our best bet for fixing this would be updating Mageia 4 to 1.2.1 and Mageia 3 to as Fedora 19 did.
Comment 5 Oden Eriksson 2014-01-24 11:33:18 CET
Fixed in cauldron. Works for me.

Please submit libvirt-1.2.1 and once it's available in the build system continue with python-libvirt-1.2.1 (new) and virt-manager (fedora sync).


CC: (none) => oe

Comment 6 Oden Eriksson 2014-01-24 12:38:19 CET
(In reply to Oden Eriksson from comment #5)
> Fixed in cauldron. Works for me.
> Please submit libvirt-1.2.1 and once it's available in the build system
> continue with python-libvirt-1.2.1 (new) and virt-manager (fedora sync).
> Cheers.

For Cauldron:

Additionally the following ones has been upgraded as well since a rebuild of 
them was probably nessesary:

libguestfs-1.24.0 -> libguestfs-1.24.5
libvirt-glib (rebuild)
ocaml-libvirt (rebuild)
perl-Sys-Virt-1.1.3 -> perl-Sys-Virt-1.2.1
php-libvirt-0.4.7 -> php-libvirt-0.4.8
ruby-libvirt-0.4.0 -> ruby-libvirt-0.5.2
virt-viewer-0.5.6 -> virt-viewer-0.5.7

Comment 7 David Walser 2014-01-24 18:23:52 CET
libvirt-1.2.1-1.mga4 uploaded for Cauldron.  Thanks Oden!

Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)

David Walser 2014-01-24 18:24:13 CET

Blocks: 11726 => (none)

Comment 8 David Walser 2014-01-27 00:07:34 CET
Here's the Fedora advisory for Fedora 19, which I recommend we sync with for Mageia 3:
Comment 9 David Walser 2014-01-31 19:33:33 CET
Ubuntu has issued an advisory for this:

This adds CVE-2013-6457 and CVE-2014-0028:
from http://lwn.net/Vulnerabilities/583677/
Comment 10 David Walser 2014-02-10 02:21:24 CET
I've added patches from the 1.0.2 branch in git.  These fix CVE-2013-6458 and CVE-2014-1447.

I've determined that CVE-2014-0028 only affects 1.1.1 and newer (from the commit log message) and that CVE-2013-6457 affects code not present in 1.0.2.

CVE-2013-6436 has patches applied upstream in every branch 1.0.5 and newer, but none of the older ones, so I'm guessing 1.0.2 is not affected.  Ubuntu's description for this CVE also indicates that 1.0.5 is the oldest version affected.

The original URL set for this bug was for CVE-2013-6436:

I've switched that to the LWN reference for the bugs we're actually fixing with this Mageia 3 update, the one listed in Comment 3.


Updated libvirt packages fix security vulnerabilities:

It was discovered that insecure job usage could lead to denial of service
against libvirtd (CVE-2013-6458).

It was discovered that a race condition in keepalive handling could lead to
denial of service against libvirtd (CVE-2014-1447).


Updated packages in core/updates_testing:

from libvirt-1.0.2-8.4.mga3.src.rpm

URL: http://lwn.net/Vulnerabilities/579350/ => http://lwn.net/Vulnerabilities/581304/
Assignee: bugsquad => qa-bugs

David Walser 2014-02-10 02:23:09 CET

Severity: normal => major

Comment 11 Samuel Verschelde 2014-02-10 16:26:05 CET
Testing procedure in bug 10987 comment 6 and 7

CC: (none) => stormi
Whiteboard: (none) => has_procedure

Comment 12 claire robinson 2014-02-11 10:46:25 CET
The above procedure is for testing spice, libvirtd is easier to test. Just start libvirtd service, install virt-manager and use Virtual Machine Manager to start a VM installation (it's similar to virtualbox).

Testing complete mga3 32 & 64

Whiteboard: has_procedure => has_procedure mga3-32-ok mga3-64-ok

Comment 13 claire robinson 2014-02-11 11:43:31 CET
Advisory uploaded. Validating.

Could sysadmin please push to 3 updates


Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 14 Thomas Backlund 2014-02-11 23:51:20 CET
Update pushed:

CC: (none) => tmb
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.