Ubuntu has issued an advisory on March 14: https://usn.ubuntu.com/3909-1/ The issue is fixed upstream in 5.0.0.
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
Assignee: bugsquad => pkg-bugs
CC: (none) => mageia, marja11, mrambo, rverschelde, thierry.vignaud
Suggested advisory:
========================

The updated packages fix a security vulnerability:

NULL pointer dereference after running qemuAgentCommand in qemuAgentGetInterfaces function. (CVE-2019-3840)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3840
https://usn.ubuntu.com/3909-1/
========================

Updated packages in core/updates_testing:
========================
libvirt-docs-3.10.0-1.5.mga6
lib(64)virt0-3.10.0-1.5.mga6
lib(64)virt-devel-3.10.0-1.5.mga6
libvirt-utils-3.10.0-1.5.mga6
wireshark-libvirt-3.10.0-1.5.mga6

from SRPMS:
libvirt-3.10.0-1.5.mga6.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2019-3840
Just cloned and installed 2 VMs (Mga 6 Plasma, Mga 6 Gnome) under Qemu/KVM.
Display: Spice, Video model: Virtio, Network Bridge: enp14s0: macvtap.
No regression found.

Installed Packages
lib64virt0.x86_64 3.10.0-1.5.mga6 @updates_testing-x86_64
libvirt-utils.x86_64 3.10.0-1.5.mga6 @updates_testing-x86_64
Available Packages
lib64virt-devel.x86_64 3.10.0-1.5.mga6 updates_testing-x86_64
libvirt-docs.x86_64 3.10.0-1.5.mga6 updates_testing-x86_64
wireshark-libvirt.x86_64 3.10.0-1.5.mga6 updates_testing-x86_64

Ulrich
Whiteboard: (none) => MGA6-64-OK
CC: (none) => bequimao.de
(In reply to Nicolas Salguero from comment #2)
> Suggested advisory:
> ========================
>
> The updated packages fix a security vulnerability:
>
> NULL pointer dereference after running qemuAgentCommand in
> qemuAgentGetInterfaces function. (CVE-2019-3840)
>
> References:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3840
> https://usn.ubuntu.com/3909-1/
> ========================

As there are no other takers, I validate the update myself.
Advisory as suggested.

Ulrich
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
(In reply to Ulrich Beckmann from comment #4)
> As there are no other takers, I validate the update myself.
> Advisory as suggested.

Thanks. Please note though, that the advisory keyword should only be added when the advisory has been committed to svn, as I've now done for this bug report.
http://svnweb.mageia.org/advisories/24528.adv?view=markup

When the advisory keyword has been added, an asterisk is added after the bug number in http://madb.mageia.org/tools/updates

Adding the keyword before the advisory has been committed to svn causes a delay, as I or others that can commit advisories to svn think it's already been done.

The procedure used to push updates from the testing repo to the updates repo uses the advisory from svn to select which source rpm packages to include in the move.
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0138.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED