OpenSuSE has issued an advisory today (May 15): http://lists.opensuse.org/opensuse-updates/2014-05/msg00048.html The upstream advisory is here: http://security.libvirt.org/2014/0003.html For Mageia 3, they appear to still be making commits to 1.0.2 in git, but not for security issues anymore. The commit to the 1.0.5 branch to fix this may be helpful. For Mageia 4, we could patch it, or update it to 1.2.4 and patch it (the fix was applied in 1.2.4's git after it was released). The advantage of updating it would be to include the fixes for an earlier CVE that we haven't yet addressed (Bug 12920). Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
in progress...
CC: (none) => tmbBlocks: (none) => 12920
Cauldron updated to 1.2.4 + a patch from 1.2.4-maint branck to fix CVE-2014-0179 Mga4: synced with upstream 1.2.1-maint branch to get 17 bugfixes and fixes for CVE-2013-6456 (bug 12920) and CVE-2014-0179 SRPM: libvirt-1.2.1-1.1.mga4.src.rpm i586: libvirt0-1.2.1-1.1.mga4.i586.rpm libvirt-devel-1.2.1-1.1.mga4.i586.rpm libvirt-utils-1.2.1-1.1.mga4.i586.rpm x86_64: lib64virt0-1.2.1-1.1.mga4.x86_64.rpm lib64virt-devel-1.2.1-1.1.mga4.x86_64.rpm libvirt-utils-1.2.1-1.1.mga4.x86_64.rpm Mga3: synced with upstream 1.0.2-maint branch to get 2 bugfixes. backported fixes for CVE-2013-6456 (bug 12920) and CVE-2014-0179 from 1.0.5-maint branch SRPM: libvirt-1.0.2-8.5.mga3.src.rpm i586: libvirt0-1.0.2-8.5.mga3.i586.rpm libvirt-devel-1.0.2-8.5.mga3.i586.rpm libvirt-utils-1.0.2-8.5.mga3.i586.rpm python-libvirt-1.0.2-8.5.mga3.i586.rpm x86_64: ib64virt0-1.0.2-8.5.mga3.x86_64.rpm lib64virt-devel-1.0.2-8.5.mga3.x86_64.rpm libvirt-utils-1.0.2-8.5.mga3.x86_64.rpm python-libvirt-1.0.2-8.5.mga3.x86_64.rpm
Hardware: i586 => AllVersion: Cauldron => 4Assignee: bugsquad => qa-bugsWhiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Thanks Thomas!!! Advisory: ======================== Updated libvirt packages fix security vulnerabilities: The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot host OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink attack on /dev/initctl in the container, related to paths under /proc//root and the virInitctlSetRunLevel function (CVE-2013-6456). libvirt was patched to prevent expansion of entities when parsing XML files. This vulnerability allowed malicious users to read arbitrary files or cause a denial of service (CVE-2014-0179). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6456 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0179 http://security.libvirt.org/2013/0018.html http://security.libvirt.org/2014/0003.html http://lists.opensuse.org/opensuse-updates/2014-05/msg00048.html http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:097/
Whiteboard: MGA3TOO => MGA3TOO
Addendum to the references (since this fixes two Mageia bugs): https://bugs.mageia.org/show_bug.cgi?id=12920 https://bugs.mageia.org/show_bug.cgi?id=13387
https://bugs.mageia.org/show_bug.cgi?id=12235#c12 Clair could I ask you to document here, exactly step by step, how to run this proceedure. Thanks
CC: (none) => wilcal.int
I can't go through it step by step right now Bill. Essentially though, you start libvirtd service and then use virt-manager which is much like virtualbox to create and start a VM. It will ask for your root password and connect to the libvirtd service running on localhost then allow you to create/start/stop/view/alter any VM's running on it. virt-manager has an icon in the menu in tools => emulators. If you can start a VM, even just start an installation, it's enough to show libvirtd is working.
Thanks, I'll give this a go.
Trying MGA4 64-bit real hardware. Installing this pre-update candidate to use is much heavier than one might think. In addition to the pkgs cited above, I needed to install: - virt-install - virt-manager which pulled in many other pkgs. Starting virt-manager from the menu, it immediately said it needed to install: - qemu - libvirt-utils [already installed] & did so. I imagine that with VirtualBox already installed, this would be skipped. Trying in virt-manager to add a virtual machine to Qemu, that foundered with "Connection: localhost (QEMU) Error: No hypervisor options were found for this connection. This usually mleans that QEMU or KVM is not installed on your machine, or the KVM kernel modules are not loaded". How can I progress this? I feel it has got out of hand...
CC: (none) => lewyssmith
(In reply to Lewis Smith from comment #8) > How can I progress this? I feel it has got out of hand... I am also poke'n at this one Lewis and running into the same thing. I'm hoping that when Claire gets back she can give us a detailed listing of the exact steps she used in: https://bugs.mageia.org/show_bug.cgi?id=12235#c12
Virtualbox doesn't use libvirt. The two are unrelated. kvm is a kernel module which allows it to use vm acceleration built into modern cpu's. # egrep -c '(svm|vmx)' /proc/cpuinfo 4 If it returns more than 0 then your cpu is capable. Load the module.. # modprobe kvm If not, it can still run using qemu, just select qemu when creating the virtual machine.
Testing complete mga4 64 # urpmi virt-manager qemu lib64virt0 libvirt-utils # modprobe kvm # service libvirtd start # service libvirtd status (check it's Active) $ virt-manager (Asks for root password) Clicked to create a new VM and used local media then chose an appropriate arch ISO in the next step and set the OS type. Set memory & cpu limits in the next step. In step I chose not to allocate the entire disk now as it creates it in /var by default and can fill the root partition. Forward one or two times more and it starts the VM. Didn't complete the installation of the VM, used the drop down arrow to force power off the machine and deleted it.
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok
Testing complete mga4 32
Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-32-ok mga4-64-ok
Testing complete mga3 32
Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok => MGA3TOO mga3-32-ok mga4-32-ok mga4-64-ok
Testing complete mga3 64 in vbox
Whiteboard: MGA3TOO mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0243.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
According to Ubuntu, the fix for CVE-2014-0179 also fixed CVE-2014-5177. LWN reference: http://lwn.net/Vulnerabilities/614415/