SUSE has issued an advisory on April 1: https://lwn.net/Articles/967956/ Mageia 9 is also affected. According to https://security-tracker.debian.org/tracker/CVE-2024-2494, the following commit solves the issue: https://gitlab.com/libvirt/libvirt/-/commit/8a3f8d957507c1f8223fdcf25a3ff885b15557f2
Status comment: (none) => Patch available from upstreamWhiteboard: (none) => MGA9TOOCVE: (none) => CVE-2024-2494Source RPM: (none) => libvirt-9.10.0-2.mga10.src.rpm
(In reply to Nicolas Salguero from comment #0) > According to https://security-tracker.debian.org/tracker/CVE-2024-2494, the > following commit solves the issue: > https://gitlab.com/libvirt/libvirt/-/commit/ > 8a3f8d957507c1f8223fdcf25a3ff885b15557f2 Indeed it looks like it. Well researched. Assigning to tv who mostly nurses libvirt.
Assignee: bugsquad => thierry.vignaud
Suggested advisory: ======================== The updated packages fix a security vulnerability: A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged user to perform a denial of service attack by causing the libvirt daemon to crash. (CVE-2024-2494) References: https://lwn.net/Articles/967956/ ======================== Updated packages in core/updates_testing: ======================== lib(64)nss_libvirt2-9.6.0-1.1.mga9 lib(64)virt0-9.6.0-1.1.mga9 lib(64)virt-devel-9.6.0-1.1.mga9 libvirt-client-qemu-9.6.0-1.1.mga9 libvirt-docs-9.6.0-1.1.mga9 libvirt-utils-9.6.0-1.1.mga9 mingw32-libvirt-9.6.0-1.1.mga9 mingw64-libvirt-9.6.0-1.1.mga9 wireshark-libvirt-9.6.0-1.1.mga9 from SRPM: libvirt-9.6.0-1.1.mga9.src.rpm
Assignee: thierry.vignaud => qa-bugsStatus: NEW => ASSIGNEDVersion: Cauldron => 9Status comment: Patch available from upstream => (none)Source RPM: libvirt-9.10.0-2.mga10.src.rpm => libvirt-9.6.0-1.mga9.src.rpmWhiteboard: MGA9TOO => (none)
Keywords: (none) => advisory
CC: (none) => mageia
RH mageia 9 x86_64 LC_ALL=C urpmi --auto --auto-update medium "QA Testing (32-bit)" is up-to-date medium "QA Testing (64-bit)" is up-to-date medium "Core Release (distrib1)" is up-to-date medium "Core Updates (distrib3)" is up-to-date medium "Nonfree Release (distrib11)" is up-to-date medium "Nonfree Updates (distrib13)" is up-to-date medium "Tainted Release (distrib21)" is up-to-date medium "Tainted Updates (distrib23)" is up-to-date medium "Core 32bit Release (distrib31)" is up-to-date medium "Core 32bit Updates (distrib32)" is up-to-date medium "Nonfree 32bit Release (distrib36)" is up-to-date medium "Tainted 32bit Release (distrib41)" is up-to-date medium "Tainted 32bit Updates (distrib42)" is up-to-date installing libvirt-utils-9.6.0-1.1.mga9.x86_64.rpm lib64virt0-9.6.0-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64 Preparing... ################################################################################################## 1/2: lib64virt0 ################################################################################################## 2/2: libvirt-utils ################################################################################################## 1/2: removing libvirt-utils-9.6.0-1.mga9.x86_64 ################################################################################################## 2/2: removing lib64virt0-9.6.0-1.mga9.x86_64 ################################################################################################## Test gnome-boxes that requires libvirt-utils and libvirt-utils also requires lib64virt0 Update the host system mageia 9 x86_64 also , the updates include kernel 6.6.20 so reboot the VM All that worked before in the VM still works after the update
Installed and tested without issue. Tested: - virsh; - virt-manager; - remote (ssh) and local; - qemu:///system; - qemu:///session; - integration with systemd-machined; - virtio video; - SPICE viewer; - VNC viewer; - QEMU/KVM nested inside Mageia 9; Tested guests: - Android x86 9.0; - FreeBSD 14; - Fedora 39; - Kali Linux; - Mageia 9 x86_64; - Mageia 9 x86_64 with PCI pass through of GPU Radeon RX 6500 XT; - Mageia 9 aarch64; - Mageia Cauldron; - memtest86; - System Rescue 11.00 - Tail 6; - Windows 10; - Windows 11; - Windows Server 2016 Datacenter; System: Mageia 9, x86_64, Plasma DE, LXQt DE, AMD Ryzen 5 5600G with Radeon Graphics. $ uname -a Linux jupiter 6.6.22-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Mar 17 18:04:51 UTC 2024 x86_64 GNU/Linux $ rpm -qa | grep libvirt python3-libvirt-9.1.0-1.mga9 libvirt-utils-9.6.0-1.1.mga9
CC: (none) => andrewsfarm
As the test of PC LX is a few wider than mine give OK
Whiteboard: (none) => MGA9-64-OK
Validating.
CC: (none) => sysadmin-bugsKeywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0114.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED