 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:115
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libvirt
 Date    : March 29, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated libvirt packages fix security vulnerabilities:

 The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1
 allows local users to (1) delete arbitrary host devices via the
 virDomainDeviceDettach API and a symlink attack on /dev in the
 container; (2) create arbitrary nodes (mknod) via the
 virDomainDeviceAttach API and a symlink attack on /dev in the
 container; and cause a denial of service (shutdown or reboot host OS)
 via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink
 attack on /dev/initctl in the container, related to paths under
 /proc//root and the virInitctlSetRunLevel function (CVE-2013-6456).

 libvirt was patched to prevent expansion of entities when parsing XML
 files. This vulnerability allowed malicious users to read arbitrary
 files or cause a denial of service (CVE-2014-0179).

 An out-of-bounds read flaw was found in the way libvirt's
 qemuDomainGetBlockIoTune() function looked up the disk index in a
 non-persistent (live) disk configuration while a persistent disk
 configuration was being indexed. A remote attacker able to establish a
 read-only connection to libvirtd could use this flaw to crash libvirtd
 or, potentially, leak memory from the libvirtd process (CVE-2014-3633).

 A denial of service flaw was found in the way libvirt's
 virConnectListAllDomains() function computed the number of used
 domains. A remote attacker able to establish a read-only connection to
 libvirtd could use this flaw to make any domain operations within
 libvirt unresponsive (CVE-2014-3657).

 Eric Blake discovered that libvirt incorrectly handled permissions
 when processing the qemuDomainFormatXML command. An attacker with
 read-only privileges could possibly use this to gain access to certain
 information from the domain XML file (CVE-2014-7823).

 The qemuDomainMigratePerform and qemuDomainMigrateFinish2 functions in
 qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL
 check fails, which allows local users to cause a denial of service via
 unspecified vectors (CVE-2014-8136).

 The XML getters for save image and snapshot objects don't check ACLs
 for the VIR_DOMAIN_XML_SECURE flag and might dump security-sensitive
 information. A remote attacker able to establish a connection to
 libvirtd could use this flaw to leak certain limited information from
 the domain XML file (CVE-2015-0236).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6456
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0179
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3633
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3657
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7823
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8136
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0236
 http://advisories.mageia.org/MGASA-2014-0243.html
 http://advisories.mageia.org/MGASA-2014-0401.html
 http://advisories.mageia.org/MGASA-2014-0470.html
 http://advisories.mageia.org/MGASA-2015-0002.html
 http://advisories.mageia.org/MGASA-2015-0046.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:
 5313ea3546fbd0a7d405763c9e24663a  mbs2/x86_64/lib64virt0-1.2.1-2.1.mbs2.x86_64.rpm
 c82b1a481cb77c15bf95e59dfba4afda  mbs2/x86_64/lib64virt-devel-1.2.1-2.1.mbs2.x86_64.rpm
 ecf57a179ebe28c087a3f524003b85a3  mbs2/x86_64/libvirt-utils-1.2.1-2.1.mbs2.x86_64.rpm
 260c157e422046f855924b0242d34240  mbs2/SRPMS/libvirt-1.2.1-2.1.mbs2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
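
 The following is an added example, not part of the Mandriva advisory: a fleet check that flags hosts still running a libvirt build older than the 1.2.1-2.1.mbs2 packages listed above. It assumes an inventory of "host name version-release" lines (for instance collected with rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'), uses a simplified rpm-style comparison without epoch or tilde handling, and runs on constructed host names and older build numbers.

```python
import re

# From the advisory: fixed build and the binary packages it ships.
FIXED = "1.2.1-2.1.mbs2"
PACKAGES = {"lib64virt0", "lib64virt-devel", "libvirt-utils"}

def seg_cmp(a, b):
    """Simplified rpm-style comparison of one version or release string."""
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments are newer

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return seg_cmp(va, vb) or seg_cmp(ra, rb)

def audit(inventory):
    """Return (host, package, evr) for affected packages below the fixed build."""
    findings = []
    for line in inventory.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip blank or malformed lines
        host, name, evr = parts
        if name in PACKAGES and "-" in evr and evr_cmp(evr, FIXED) < 0:
            findings.append((host, name, evr))
    return findings

# Constructed sample inventory (host names and older builds are made up).
SAMPLE = """\
hv01 lib64virt0 1.2.1-1.mbs2
hv01 libvirt-utils 1.2.1-2.mbs2
hv02 lib64virt0 1.2.1-2.1.mbs2
hv03 lib64virt-devel 1.2.2-1.mbs2
hv03 bash 4.2-1.mbs2
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("below fixed build:", *finding)
```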