Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 498534 (CVE-2014-1447) - <app-emulation/libvirt-{1.2.1,1.1.3.3}: Multiple Vulnerabilities (CVE-2013-6458,CVE-2014-{0028,1447})
Summary: <app-emulation/libvirt-{1.2.1,1.1.3.3}: Multiple Vulnerabilities (CVE-2013-64...
Status: RESOLVED FIXED
Alias: CVE-2014-1447
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-19 11:36 UTC by Agostino Sarubbo
Modified: 2014-12-08 23:48 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-01-19 11:36:52 UTC
From ${URL} :

A race condition was found in the way libvirtd handled keepalive initialization requests when the 
connection is closed prior to establishing connection credentials.

A remote attacker could use this flaw to crash libvirtd (DoS).
                                                                          
Upstream patches:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=173c291
http://libvirt.org/git/?p=libvirt.git;a=commit;h=066c8ef


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2014-01-24 14:45:33 UTC
This and a few other CVEs have been fixed in tree and awaiting stabilization. Off the top of my head its:

CVE-2013-6436
CVE-2013-6457
CVE-2013-6458
CVE-2014-0028
CVE-2014-1447

The following versions would solve all the outstanding CVEs:

=app-emulation/libvirt-1.1.3.3
=app-emulation/libvirt-1.2.1
=dev-python/libvirt-python-1.2.1

x86 is actually vulnerable to a few more because we're still waiting on them for the last security bug.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-01-24 15:56:11 UTC
The following CVE's were fixed in Previous Security Bugs.
CVE-2013-6436 - Bug 496204
CVE-2013-6457 - Bug 496204

Current CVE's Are:
CVE-2013-6458
http://libvirt.org/git/?p=libvirt.git;a=commit;h=a7844b9ec2718dad9f5e5316cc0673e95098d812
https://bugzilla.redhat.com/show_bug.cgi?id=1048631

CVE-2014-0028
http://libvirt.org/git/?p=libvirt.git;a=commit;h=51afa9a255d7a073373ad4533eff58bd819890e8
https://bugzilla.redhat.com/show_bug.cgi?id=1048637

CVE-2014-1447


Maintainers, let us know if you are table to Stabilize the versions mentioned.
Comment 3 Agostino Sarubbo gentoo-dev 2014-01-25 18:16:55 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-01-25 18:17:09 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 toto 2014-01-26 12:20:36 UTC
  (app-emulation/libvirt-1.2.1::gentoo, ebuild scheduled for merge) conflicts with
    >=app-emulation/libvirt-0.7.0[python] required by (app-emulation/virtinst-0.600.4::gentoo, installed)
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 10:09:32 UTC
CVE-2014-1447 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1447):
  Race condition in the virNetServerClientStartKeepAlive function in libvirt
  before 1.2.1 allows remote attackers to cause a denial of service (libvirtd
  crash) by closing a connection before a keepalive response is sent.

CVE-2014-0028 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0028):
  libvirt 1.1.1 through 1.2.0 allows context-dependent attackers to bypass the
  domain:getattr and connect:search_domains restrictions in ACLs and obtain
  sensitive domain object information via a request to the (1)
  virConnectDomainEventRegister and (2) virConnectDomainEventRegisterAny
  functions in the event registration API.

CVE-2013-6458 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6458):
  Multiple race conditions in the (1) virDomainBlockStats, (2)
  virDomainGetBlockInf, (3) qemuDomainBlockJobImpl, and (4)
  virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly
  verify that the disk is attached, which allows remote read-only attackers to
  cause a denial of service (libvirtd crash) via the
  virDomainDetachDeviceFlags command.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-02-05 04:46:21 UTC
Maintainer(s), Thank you for cleanup!
Comment 8 Sergey Popov gentoo-dev 2014-05-11 11:40:21 UTC
Added to existing GLSA request
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-12-08 23:48:23 UTC
This issue was resolved and addressed in
 GLSA 201412-04 at http://security.gentoo.org/glsa/glsa-201412-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).