From ${URL} :
Description: A vulnerability has been reported in libvirt, which can be exploited by malicious users to disclose potentially sensitive information or cause a DoS (Denial of Service) or by malicious people to cause a DoS.
The vulnerability is caused due to the library passing the "XML_PARSE_NOENT" flag to libxml2, which subsequently expands entities files when parsing XML files. This can be exploited to e.g. exhaust system resources or disclose the content of arbitrary files on the host via specially crafted XML files. Successful exploitation without authentication requires tricking a user into sending a specially crafted XML file to libvirt.
The vulnerability is reported in versions 0.7.5 through 1.2.4.
Solution: Fixed in the source code repository.
Provided and/or discovered by: The vendor credits Daniel P. Berrange and Richard Jones, Red Hat.
Original Advisory: https://www.redhat.com/archives/libvir-list/2014-May/msg00209.html
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This issue is fixed in libvirt 1.2.5 according to [0]: "LSN-2014-0003: Don't expand entities when parsing XML (Daniel P. Berrange)" @maintainers: Please advise if libvirt 1.2.5 as existing in the current tree is ready for stabilization. References: [0] https://www.redhat.com/archives/libvirt-announce/2014-June/msg00001.html
Using in production for a while, no problems. Arches, please test and mark stable: =app-emulation/libvirt-1.2.5 =dev-python/libvirt-python-1.2.5 Target keywords : "amd64 x86"
CVE-2014-5177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5177): libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12) virConnectDomainXMLToNative, (13) virSecretDefineXML, (14) virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16) virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18) virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT from CVE-2014-0179 per ADT3 due to different affected versions of some vectors.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
CVE-2014-0179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0179): libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT per ADT3 due to different affected versions of some vectors. CVE-2014-5177 is used for other API methods.
Maintainer(s), please drop the vulnerable version(s) so we can release the GLSA. Added to existing GLSA Request
31 Oct 2014; Matthias Maier <tamiko@gentoo.org> -libvirt-1.1.3.4.ebuild, -libvirt-1.2.3.ebuild, -libvirt-1.2.5.ebuild, -libvirt-1.2.6.ebuild: remove old due to bug 524184 (CVE-2014-3633)
31 Oct 2014; Matthias Maier <tamiko@gentoo.org> -libvirt-python-1.2.3.ebuild, -libvirt-python-1.2.4.ebuild, -libvirt-python-1.2.5.ebuild, -libvirt-python-1.2.6.ebuild: synchronize with app-emulation/libvirt and drop old
This issue was resolved and addressed in GLSA 201412-04 at http://security.gentoo.org/glsa/glsa-201412-04.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
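Added example (not part of the bug thread and not libvirt or Gentoo code): a defender-side check that maps an installed libvirt version to the two CVE ranges quoted above and screens XML destined for libvirt's XML-taking APIs for DOCTYPE or entity declarations without expanding them. The function names and both sample documents are constructed for illustration; the screening uses Python's standard `xml.parsers.expat`, which does not fetch external entities unless a handler is installed.

```python
import xml.parsers.expat

# Affected ranges as stated in the CVE entries in this thread: [first, fixed).
AFFECTED = {
    "CVE-2014-0179": ((0, 7, 5), (1, 2, 5)),
    "CVE-2014-5177": ((1, 0, 0), (1, 2, 5)),
}

def affected_cves(version):
    """Return the CVE ids whose range contains a dotted libvirt version."""
    v = tuple(int(part) for part in version.split("."))
    return sorted(cve for cve, (first, fixed) in AFFECTED.items()
                  if first <= v < fixed)

def entity_declarations(xml_text):
    """List DOCTYPE and entity declarations; nothing is expanded or fetched."""
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        found.append(("doctype", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external-entity" if system_id else "internal-entity"
        found.append((kind, name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_text, True)  # raises ExpatError on malformed input
    return found

# Constructed samples: a plain domain definition and one that declares an
# external entity pointing at a placeholder path.
CLEAN = '<domain type="kvm"><name>demo</name></domain>'
CRAFTED = ('<!DOCTYPE domain [ <!ENTITY probe SYSTEM '
           '"file:///placeholder/not-a-real-file"> ]>\n'
           '<domain type="kvm"><name>&probe;</name></domain>')

if __name__ == "__main__":
    for ver in ("0.9.13", "1.2.4", "1.2.5"):
        print(ver, affected_cves(ver))
    for label, doc in (("clean", CLEAN), ("crafted", CRAFTED)):
        hits = entity_declarations(doc)
        print(label, "reject" if hits else "accept", hits)
```

On hosts that cannot yet move to 1.2.5, rejecting any document for which `entity_declarations` returns a non-empty list keeps entity declarations away from the affected API methods.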