Bug 14887 - libvirt new security issue CVE-2014-8136
Summary: libvirt new security issue CVE-2014-8136
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/627716/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-12-25 19:35 CET by David Walser
Modified: 2015-01-05 17:31 CET

See Also:
Source RPM: libvirt-1.2.1-1.3.mga4.src.rpm
Description David Walser 2014-12-25 19:35:27 CET
Gentoo has issued an advisory on December 24:
http://www.gentoo.org/security/en/glsa/glsa-201412-36.xml

I had previously added the fix for CVE-2014-8131 in Cauldron and have now uploaded a patched package fixing CVE-2014-8135 and CVE-2014-8136.

Only CVE-2014-8136 affects version 1.2.1 in Mageia 4.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated libvirt packages fix security vulnerability:

The qemuDomainMigratePerform and qemuDomainMigrateFinish2 functions in
qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL check
fails, which allows local users to cause a denial of service via unspecified
vectors (CVE-2014-8136).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8136
http://www.gentoo.org/security/en/glsa/glsa-201412-36.xml
========================

Updated packages in core/updates_testing:
========================
libvirt0-1.2.1-1.4.mga4
libvirt-devel-1.2.1-1.4.mga4
libvirt-utils-1.2.1-1.4.mga4

from libvirt-1.2.1-1.4.mga4.src.rpm
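
The bug class named in the advisory (a lock taken on an object and not released when an ACL check fails) is shown below as an added example; it is not libvirt source and not part of the original report. `struct domain`, `migrate_leaky`, `migrate_fixed` and `lock_leaked` are hypothetical names, and the ACL decision is a constructed boolean.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for a lockable domain object (not libvirt's type). */
struct domain {
    pthread_mutex_t lock;
    bool caller_allowed;   /* constructed ACL decision for the caller */
};

/* Vulnerable shape: the ACL-failure path returns with the lock still held. */
static int migrate_leaky(struct domain *d)
{
    pthread_mutex_lock(&d->lock);
    if (!d->caller_allowed)
        return -1;                     /* early return leaks the lock */
    pthread_mutex_unlock(&d->lock);
    return 0;
}

/* Corrected shape: every exit path passes through one cleanup label. */
static int migrate_fixed(struct domain *d)
{
    int ret = -1;
    pthread_mutex_lock(&d->lock);
    if (!d->caller_allowed)
        goto cleanup;                  /* denied, but still unlocks */
    ret = 0;
cleanup:
    pthread_mutex_unlock(&d->lock);
    return ret;
}

/* Run op on a fresh domain, then probe whether its lock is still held. */
static bool lock_leaked(int (*op)(struct domain *), bool allowed)
{
    struct domain d = { PTHREAD_MUTEX_INITIALIZER, allowed };
    op(&d);
    if (pthread_mutex_trylock(&d.lock) == EBUSY)
        return true;                   /* any later caller would block here */
    pthread_mutex_unlock(&d.lock);
    return false;
}

int main(void)
{
    printf("leaky, denied: leaked=%d\n", lock_leaked(migrate_leaky, false));
    printf("fixed, denied: leaked=%d\n", lock_leaked(migrate_fixed, false));
}
```

Only the denied path differs between the two functions, which is why a functional test with an authorized user does not exercise the bug.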

Comment 1 David Walser 2014-12-25 19:35:52 CET
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14192#c7

Whiteboard: (none) => has_procedure

Comment 2 Herman Viaene 2014-12-29 17:26:57 CET
On MGA-64: I find lib64virt0-1.2.1-1.4.mga4 and lib64virt-devel-1.2.1-1.4.mga4 in the repository, but no lib64virt-utils-1.2.1-1.4.mga4.

CC: (none) => herman.viaene

Comment 3 claire robinson 2014-12-29 17:32:05 CET
It's confusing with the lib name and the utils package. It will be named libvirt-utils even on a 64 bit system as it's not the library but just tools to work with the lib64virt library package.

Does that make sense? The library itself has the 64 added but related packages *-utils, *-tools etc won't be.

Comment 4 olivier charles 2014-12-29 21:33:53 CET
Testing on Mageia4 x 32 real hardware, 

From current packages :
---------------------

libvirt0-1.2.1-1.3.mga4
libvirt-devel-1.2.1-1.3.mga4
libvirt-utils-1.2.1-1.3.mga4

# systemctl start libvirtd
# systemctl status -l libvirtd
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running)
   
Using virt-manager, connected to virtual-machine (Mageia4) previously set in 
former testing.

Updated to testing packages :
---------------------------

- libvirt-devel-1.2.1-1.4.mga4.i586
- libvirt-utils-1.2.1-1.4.mga4.i586
- libvirt0-1.2.1-1.4.mga4.i586

Rebooted
# systemctl status -l libvirtd
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running)

Using virt-manager, could connect to previous VM.
Deleted it.
Created a new virtual machine, proceeded to a new Mageia4 installation, booted 
ok, made some changes, created a snapshot.

All OK

CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 5 Herman Viaene 2014-12-29 23:21:52 CET
MGA4-64 on HP Probook 6555b KDE
Installation OK. Virtual Manager runs, I can create a VM using the MGA5 Live iso, but this does not run (no bootable device). I will try classical iso.

Comment 6 Herman Viaene 2014-12-30 11:36:03 CET
MGA4-64 on HP Probook 6555b KDE
I could install classical KDE 32 bit. Running it only works in safe mode, in normal mode it seems to choke somewhere at the graphical device.
Also tried to make a VM boot from an MGA5 Live iso file. It boots, shows the first option screen (boot, install etc.), but then the display corrupts and nothing seems to happen anymore.
For me, installation of libvirt is OK, the product .....

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 7 claire robinson 2015-01-03 18:35:22 CET
Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-01-05 17:31:03 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0002.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
