Summary: | <app-emulation/libvirt-1.2.5: XML Entity Expansion Information Disclosure and Denial of Service Vulnerability (LSN-2014-0003) (CVE-2014-{0179,5177}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | cardoe, virtualization |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://secunia.com/advisories/58449/ | ||
Whiteboard: | B3 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 519748 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2014-05-08 15:36:02 UTC
This issue is fixed in libvirt 1.2.5 according to [0]: "LSN-2014-0003: Don't expand entities when parsing XML (Daniel P. Berrange)" @maintainers: Please advise if libvirt 1.2.5 as existing in the current tree is ready for stabilization. References: [0] https://www.redhat.com/archives/libvirt-announce/2014-June/msg00001.html Using in production for a while, no problems. Arches, please test and mark stable: =app-emulation/libvirt-1.2.5 =dev-python/libvirt-python-1.2.5 Target keywords : "amd64 x86" CVE-2014-5177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5177): libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12) virConnectDomainXMLToNative, (13) virSecretDefineXML, (14) virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16) virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18) virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT from CVE-2014-0179 per ADT3 due to different affected versions of some vectors. amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please vote. CVE-2014-0179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0179): libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT per ADT3 due to different affected versions of some vectors. CVE-2014-5177 is used for other API methods. Maintainer(s), please drop the vulnerable version(s) so we can release the GLSA. Added to existing GLSA Request 31 Oct 2014; Matthias Maier <tamiko@gentoo.org> -libvirt-1.1.3.4.ebuild, -libvirt-1.2.3.ebuild, -libvirt-1.2.5.ebuild, -libvirt-1.2.6.ebuild: remove old due to bug 524184 (CVE-2014-3633) 31 Oct 2014; Matthias Maier <tamiko@gentoo.org> -libvirt-python-1.2.3.ebuild, -libvirt-python-1.2.4.ebuild, -libvirt-python-1.2.5.ebuild, -libvirt-python-1.2.6.ebuild: synchronize with app-emulation/libvirt and drop old This issue was resolved and addressed in GLSA 201412-04 at http://security.gentoo.org/glsa/glsa-201412-04.xml by GLSA coordinator Kristian Fiskerstrand (K_F). |