Bug 15863 - netcf new security issue CVE-2014-8119
Summary: netcf new security issue CVE-2014-8119
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/643922/
Whiteboard: has_procedure advisory mga4-32-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-05-06 17:10 CEST by David Walser
Modified: 2015-05-12 21:38 CEST (History)
6 users

See Also:
Source RPM: netcf-0.2.2-5.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-05-06 17:10:35 CEST
An update was submitted to Fedora QA on April 8:
https://admin.fedoraproject.org/updates/FEDORA-2015-5872/netcf-0.2.8-1.fc21?_csrf_token=e0a6c6bce78f6f99684f5382f1607a16ee0fa104

The issue was fixed in 0.2.7; Fedora is updating it to 0.2.8 to fix the issue.

Mageia 4 and Mageia 5 are affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-05-06 17:10:51 CEST

CC: (none) => fundawang, tmb
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 Nicolas Lécureuil 2015-05-10 23:56:40 CEST
pushed in cauldron svn

CC: (none) => mageia

Comment 2 Nicolas Lécureuil 2015-05-10 23:59:01 CEST
available in mga4 core/updates_testing
Comment 3 David Walser 2015-05-11 14:38:40 CEST
Updated packages uploaded for Mageia 4 and Cauldron.  Thanks Nicolas!

Advisory:
========================

Updated netcf packages fix security vulnerability:

A denial of service flaw was found in netcf. A specially crafted interface name could cause an application using netcf (such as the libvirt daemon) to crash.

The netcf package has been updated to version 0.2.8, fixing this issue and
several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8119
https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157713.html
========================

Updated packages in core/updates_testing:
========================
netcf-0.2.8-1.mga4
libnetcf1-0.2.8-1.mga4
libnetcf-devel-0.2.8-1.mga4

from netcf-0.2.8-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 4 David Walser 2015-05-11 15:05:58 CEST
Please use the libvirt testing procedure to test this (unless you can find a PoC).

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14192#c7

Whiteboard: (none) => has_procedure

Comment 5 claire robinson 2015-05-11 15:38:30 CEST
Testing complete mga4 32

Ensured an installation could be started in virt-manager.

Whiteboard: has_procedure => has_procedure mga4-32-ok

Comment 6 Shlomi Fish 2015-05-11 16:45:07 CEST
(In reply to claire robinson from comment #5)
> Testing complete mga4 32
> 
> Ensured an installation could be started in virt-manager.

urpmq --whatrequires lib64netcf1 only says libvirt-utils requires that, and I cannot see a link to it from its /usr/bin/* programs using ldd.

CC: (none) => shlomif

Comment 7 claire robinson 2015-05-11 16:53:41 CEST
virt-manager requires libvirt-utils; it actually attempted to install it when run, so maybe there is a missing require in virt-manager.

Either way it updates without error.
Comment 8 claire robinson 2015-05-11 17:50:02 CEST
Advisory uploaded.

Whiteboard: has_procedure mga4-32-ok => has_procedure advisory mga4-32-ok

Comment 9 Len Lawrence 2015-05-11 19:22:43 CEST
Testing this for x86_64.
Had to install virt-manager and lib64virt-utils for the test.

Before the update virt-manager displayed the management window then froze - I think it was looking for a python package.

After the update it raised an error:

Error talking to PackageKit: The connection is closed

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/packageutils.py", line 54, in check_packagekit
    packagekit_install(parent, packages)
  File "/usr/share/virt-manager/virtManager/packageutils.py", line 66, in packagekit_install
    bus = Gio.bus_get_sync(Gio.BusType.SESSION, None)
GError: The connection is closed

The application reported:
Could not detect a default hypervisor and something about virtualization packages "kvm, qemu, libvirt, etc."  And it said a hypervisor connection can be manually added.  I need to look that up.

CC: (none) => tarazed25

David Walser 2015-05-11 20:33:53 CEST

URL: (none) => http://lwn.net/Vulnerabilities/643922/

Comment 10 Len Lawrence 2015-05-11 21:54:16 CEST
Well I really don't know what I am doing here.  Clicked on localhost (QEMU) then file then Restore Saved Machine and then navigated to my VMs and selected one of them - shaula - then clicked on shaula.dvi or shaula.vbox and raised this error:

Error restoring domain: operation failed: image magic is incorrect

Can I assume that this is the bug manifesting itself and continue on to the update?
Comment 11 claire robinson 2015-05-12 16:02:39 CEST
I'm not sure of the process for importing vbox images, Len. You can click to create a new machine though and give it an iso to use in the same way you would with vbox. It creates machines in the / partition by default, so use caution when sizing the disk, and you might want to delete it when you've finished testing.

Tested mga4 64 here anyway.

Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga4-32-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2015-05-12 21:38:32 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0215.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
