Bug 18873 - libvirt new security issue CVE-2016-5008
Summary: libvirt new security issue CVE-2016-5008
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/693176/
Whiteboard: has_procedure advisory MGA5-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-07-05 20:56 CEST by David Walser
Modified: 2016-07-08 21:51 CEST (History)

See Also:
Source RPM: libvirt-1.3.5-2.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2016-07-05 20:56:40 CEST
Debian has issued an advisory on July 2:
https://www.debian.org/security/2016/dsa-3613

It was fixed upstream in 2.0.0.  Upstream's advisory links to fixes:
http://security.libvirt.org/2016/0001.html

Mageia 5 is also affected.
David Walser 2016-07-05 20:56:54 CEST

Assignee: bugsquad => thierry.vignaud
Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-07-07 20:52:14 CEST
Patched packages uploaded for Mageia 5 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14192#c7

Advisory:
========================

Updated libvirt packages fix security vulnerability:

Vivian Zhang and Christoph Anton Mitterer discovered that setting an empty VNC
password does not work as documented in Libvirt, a virtualisation abstraction
library. When the password on a VNC server is set to the empty string,
authentication on the VNC server will be disabled, allowing any user to connect,
despite the documentation declaring that setting an empty password for the VNC
server prevents all client connections. With this update the behaviour is
enforced by setting the password expiration to "now" (CVE-2016-5008).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5008
http://security.libvirt.org/2016/0001.html
https://www.debian.org/security/2016/dsa-3613
========================

Updated packages in core/updates_testing:
========================
libvirt0-1.2.9.3-1.4.mga5
libvirt-devel-1.2.9.3-1.4.mga5
libvirt-utils-1.2.9.3-1.4.mga5

from libvirt-1.2.9.3-1.4.mga5.src.rpm

Version: Cauldron => 5
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA5TOO => has_procedure
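
As an added example (not code from this bug report, from Mageia or from libvirt), a small audit over libvirt domain XML that flags the empty VNC password setting the advisory describes, alongside the no-password, expired and healthy cases; the domain definitions are constructed samples, and the `passwdValidTo` timestamp format is libvirt's documented `YYYY-MM-DDThh:mm:ss` (UTC).

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample domain definitions, not taken from the bug report.
SAMPLE_DOMAINS = {
    "empty":   "<domain type='kvm'><devices>"
               "<graphics type='vnc' port='-1' autoport='yes' passwd=''/>"
               "</devices></domain>",
    "none":    "<domain type='kvm'><devices>"
               "<graphics type='vnc' port='-1' autoport='yes'/>"
               "</devices></domain>",
    "expired": "<domain type='kvm'><devices>"
               "<graphics type='vnc' passwd='s3cret' passwdValidTo='2016-01-01T00:00:00'/>"
               "</devices></domain>",
    "valid":   "<domain type='kvm'><devices>"
               "<graphics type='vnc' passwd='s3cret'/>"
               "<graphics type='spice' passwd=''/>"
               "</devices></domain>",
}

LIBVIRT_TIME = "%Y-%m-%dT%H:%M:%S"  # format of passwdValidTo (UTC)

def audit_vnc_graphics(domain_xml, now):
    """Classify each <graphics type='vnc'> element; `now` uses LIBVIRT_TIME.

    NO_AUTH        no passwd attribute: the VNC server accepts any client
    CVE-2016-5008  passwd='': unfixed libvirt disabled authentication
                   instead of refusing all clients as documented
    EXPIRED        passwdValidTo has passed, so clients are refused
    OK             a non-empty, unexpired password is in force
    """
    now_dt = datetime.strptime(now, LIBVIRT_TIME)
    findings = []
    for g in ET.fromstring(domain_xml).iter("graphics"):
        if g.get("type") != "vnc":
            continue  # SPICE and other graphics types are outside this bug
        passwd, valid_to = g.get("passwd"), g.get("passwdValidTo")
        if passwd is None:
            findings.append(("NO_AUTH", "no passwd attribute"))
        elif passwd == "":
            findings.append(("CVE-2016-5008", "empty passwd; install the fixed libvirt packages"))
        elif valid_to and datetime.strptime(valid_to, LIBVIRT_TIME) <= now_dt:
            findings.append(("EXPIRED", "password expired at " + valid_to))
        else:
            findings.append(("OK", "non-empty password in force"))
    return findings

def audit_all(now):
    """Audit every constructed sample; returns {name: findings}."""
    return {n: audit_vnc_graphics(x, now) for n, x in SAMPLE_DOMAINS.items()}
```

Run it against `virsh dumpxml <domain>` output to find guests whose VNC password is empty rather than merely expired.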

Comment 2 James Kerr 2016-07-08 08:36:13 CEST
Testing on mga5-64

already installed:
qemu-2.4.1-5.mga5
qemu-img-2.4.1-5.mga5
virt-manager-1.1.0-7.mga5

installed from testing:
lib64virt0-1.2.9.3-1.4.mga5
libvirt-utils-1.2.9.3-1.4.mga5

packages installed cleanly

launched libvirtd.service:
# systemctl start libvirtd.service

Used virt-manager to create a VM and launched install of mga5 using boot.iso

OK for mga5-64

CC: (none) => jim
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 3 James Kerr 2016-07-08 09:22:18 CEST
Testing on mga5-32

already installed:
qemu-img-2.4.1-5.mga5
qemu-2.4.1-5.mga5
virt-manager-1.1.0-7.mga5

installed from testing:
libvirt0-1.2.9.3-1.4.mga5
libvirt-utils-1.2.9.3-1.4.mga5

packages installed cleanly

launched libvirtd.service
# systemctl start libvirtd.service

Used virt-manager to create a VM and launched installation of mga5 using boot.iso

OK for mga5-32

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Comment 4 James Kerr 2016-07-08 09:25:29 CEST
This is now validated
The Advisory needs to be uploaded to SVN
The packages can then be pushed to updates

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

claire robinson 2016-07-08 17:30:01 CEST

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 5 Mageia Robot 2016-07-08 21:51:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0248.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
