Bug 24757 - libvirt new security issues CVE-2019-3886, CVE-2019-10132, CVE-2019-1016[1678]
Summary: libvirt new security issues CVE-2019-3886, CVE-2019-10132, CVE-2019-1016[1678]
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Reported: 2019-05-03 20:48 CEST by David Walser
Modified: 2019-11-29 14:10 CET

Source RPM: libvirt-5.2.0-2.mga7.src.rpm

Description David Walser 2019-05-03 20:48:51 CEST
openSUSE has issued an advisory on April 29:
https://lists.opensuse.org/opensuse-updates/2019-04/msg00207.html

Mageia 6 is also affected.

David Walser 2019-05-03 20:48:56 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-05-03 21:28:01 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing tv, who is the de-facto maintainer.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, thierry.vignaud

Comment 2 David Walser 2019-05-31 19:25:53 CEST
Red Hat has issued an advisory on May 23:
https://access.redhat.com/errata/RHSA-2019:1264

Mageia 6 is not affected by this issue (Mageia 7 is).

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
Severity: normal => critical
Summary: libvirt new security issue CVE-2019-3886 => libvirt new security issues CVE-2019-3886 and CVE-2019-10132

Comment 3 David Walser 2019-06-24 15:46:13 CEST
Red Hat has issued an advisory on June 20:
https://access.redhat.com/errata/RHSA-2019:1579

The issues are fixed in 4.10.1 and 5.4.1.

Mageia 6 is also affected.

Summary: libvirt new security issues CVE-2019-3886 and CVE-2019-10132 => libvirt new security issues CVE-2019-3886, CVE-2019-10132, CVE-2019-1016[1678]

Comment 4 David Walser 2019-08-11 21:28:33 CEST
This Ubuntu advisory (from May 15), related to an intel-microcode update, might also be relevant:
https://usn.ubuntu.com/3985-1/

Comment 5 David Walser 2019-08-11 22:34:23 CEST
Same with this Debian advisory from June 22:
https://www.debian.org/security/2019/dsa-4469

Comment 6 David Walser 2019-08-11 22:56:32 CEST
Ubuntu advisory for the two CVEs from June 19:
https://usn.ubuntu.com/4021-1/

Comment 7 David Walser 2019-08-11 23:23:04 CEST
Ubuntu advisory for the latter CVEs from July 8:
https://usn.ubuntu.com/4047-1/

Comment 8 David Walser 2019-11-25 22:58:00 CET
Not sure if we've addressed this set of Intel speculative execution issues:
https://lists.opensuse.org/opensuse-updates/2019-06/msg00023.html

Comment 9 Thierry Vignaud 2019-11-27 16:25:59 CET
libvirt-5.5.0 has been pushed to core/updates_testing:

- 5.5.0 security update -- https://libvirt.org/news.html#v5.5.0
  o api: Prevent access to several APIs over read-only connections
    Certain APIs give root-equivalent access to the host, and as such should be
    limited to privileged users. CVE-2019-10161, CVE-2019-10166, CVE-2019-10167,
    CVE-2019-10168. 
- it also contains the security fixes from 5.4.0:
  o cpu: Introduce support for the md-clear CPUID bit
    This bit is set when microcode provides the mechanism to invoke a flush of
    various exploitable CPU buffers by invoking the x86 VERW instruction.
    CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091. 
  o Restrict user access to virt-admin, virtlogd and virtlockd
    The intended users for these facilities are the root user and the libvirtd
    service respectively, but these restrictions were not enforced correctly.
    CVE-2019-10132.

Comment 10 David Walser 2019-11-27 18:49:35 CET
Advisory:
========================

Updated libvirt packages fix security vulnerabilities:

An information leak which allowed retrieving the guest hostname under
readonly mode (CVE-2019-3886).

Wrong permissions in systemd admin-sock due to missing SocketMode parameter
(CVE-2019-10132).

Arbitrary file read/exec via virDomainSaveImageGetXMLDesc API
(CVE-2019-10161).

virDomainManagedSaveDefineXML API exposed to readonly clients
(CVE-2019-10166).

Arbitrary command execution via virConnectGetDomainCapabilities API
(CVE-2019-10167).

Arbitrary command execution via virConnectBaselineHypervisorCPU and
virConnectCompareHypervisorCPU APIs (CVE-2019-10168).

Also, this update contains the libvirt adjustments that pass through the new
'md-clear' CPU flag, to help address Intel CPU speculative execution flaws.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3886
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10166
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10168
https://lists.opensuse.org/opensuse-updates/2019-04/msg00207.html
https://access.redhat.com/errata/RHSA-2019:1264
https://access.redhat.com/errata/RHSA-2019:1579
https://lists.opensuse.org/opensuse-updates/2019-06/msg00023.html
========================

Updated packages in core/updates_testing:
========================
libvirt-docs-5.5.0-1.mga7
libvirt0-5.5.0-1.mga7
libvirt-devel-5.5.0-1.mga7
libvirt-utils-5.5.0-1.mga7
wireshark-libvirt-5.5.0-1.mga7
libnss_libvirt2-5.5.0-1.mga7

from libvirt-5.5.0-1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs
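
The missing SocketMode problem named in the advisory above (CVE-2019-10132) can be checked for in systemd socket unit files. The following is an added example, not code from libvirt or Mageia: the unit contents, unit names and socket paths are constructed, and it relies on systemd's documented default of 0666 when SocketMode= is absent.

```python
import configparser

# systemd.socket(5): SocketMode= defaults to 0666 when the directive is absent.
SYSTEMD_DEFAULT_SOCKET_MODE = 0o666

# Constructed unit files (not copied from any libvirt package).
UNIT_WITHOUT_MODE = """\
[Unit]
Description=Constructed admin socket unit, no SocketMode

[Socket]
ListenStream=/run/example/admin-sock
Service=example.service
"""

UNIT_WITH_MODE = """\
[Unit]
Description=Constructed admin socket unit, owner-only

[Socket]
ListenStream=/run/example/admin-sock
Service=example.service
SocketMode=0600
"""


def effective_socket_mode(unit_text):
    """Return the permission bits systemd applies to the unit's socket node."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # systemd directive names are case-sensitive
    parser.read_string(unit_text)
    raw = parser.get("Socket", "SocketMode", fallback=None)
    return SYSTEMD_DEFAULT_SOCKET_MODE if raw is None else int(raw, 8)


def audit(units):
    """Map unit name -> octal mode for units reachable by group or other."""
    findings = {}
    for name, text in units.items():
        mode = effective_socket_mode(text)
        if mode & 0o077:  # any group/other bit set
            findings[name] = format(mode, "04o")
    return findings


if __name__ == "__main__":
    sample = {"before-fix.socket": UNIT_WITHOUT_MODE, "after-fix.socket": UNIT_WITH_MODE}
    for name, mode in audit(sample).items():
        print(f"{name}: effective mode {mode} grants access beyond the owner")
```

On a real host the same functions can be fed the text of the installed `.socket` units; `systemctl cat <unit>` shows the merged unit including drop-ins.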

Comment 11 Herman Viaene 2019-11-29 11:19:34 CET
MGA7-64 Plasma on Lenovo B50
No installation issues, just noted that dnsmasq is included in the dependencies, which causes bind to be deinstalled.
Ref to bug 21826 Comment 6 for testing. So I installed virt-manager, and ran this as a normal user.
No feedback on CLI, the application opens and lists QEMU/KVM as a virtual machine, and I can view the details of it.
I can assign a file as storage, but I don't have enough space available on this test partition to install a complete virtual machine.
If that is judged enough testing, I will not object OK'ing.

CC: (none) => herman.viaene

Comment 12 Herman Viaene 2019-11-29 11:34:47 CET
Side note: I wish there was more consistency in the naming of the packages; some are libvirt, others lib64virt.

Comment 13 David Walser 2019-11-29 14:10:01 CET
libvirt is the name of the software, and it's an unfortunate choice of name.  Things named lib64* are libraries.  What would actually be better is if we didn't use the unnecessary lib64 prefix for 64-bit libraries.  Maybe someday...
