Bug 509858 (CVE-2014-0179)

Summary: <app-emulation/libvirt-1.2.5: XML Entity Expansion Information Disclosure and Denial of Service Vulnerability (LSN-2014-0003) (CVE-2014-{0179,5177})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: cardoe, virtualization
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/58449/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 519748    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2014-05-08 15:36:02 UTC
From ${URL} :

Description

A vulnerability has been reported in libvirt, which can be exploited by malicious users to disclose 
potentially sensitive information or cause a DoS (Denial of Service) or by malicious people to cause a 
DoS.

The vulnerability is caused due to the library passing the "XML_PARSE_NOENT" flag to libxml2, which 
subsequently expands entities files when parsing XML files. This can be exploited to e.g. exhaust system 
resources or disclose the content of arbitrary files on the host via specially crafted XML files.

Successful exploitation without authentication requires to trick a user to send a specially crafted XML 
file to libvirt.

The vulnerability is reported in versions 0.7.5 through 1.2.4.


Solution:
Fixed in the source code repository.

Provided and/or discovered by:
The vendor credits Daniel P. Berrange and Richard Jones, Red Hat.

Original Advisory:
https://www.redhat.com/archives/libvir-list/2014-May/msg00209.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
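
Added example, not part of the bug report or of libvirt's fix: a pre-screen built on Python's standard-library expat bindings that flags the DOCTYPE and entity declarations described in the advisory above before a document is handed to a libvirt XML API. The function name `screen_xml`, the finding labels and the sample documents are constructed for illustration; parsing stops at the end of the DOCTYPE, so no entity is expanded or fetched.

```python
from xml.parsers import expat

# Constructed sample documents (not taken from the bug report).
CLEAN = b"<domain type='kvm'><name>demo</name></domain>"
EXTERNAL = (b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE domain [<!ENTITY xxe SYSTEM "file:///placeholder/path">]>\n'
            b'<domain type="kvm"><name>&xxe;</name></domain>')
INTERNAL = (b'<!DOCTYPE domain [<!ENTITY a "aaaa">]>'
            b'<domain type="kvm"><name>&a;</name></domain>')


class _StopAfterDoctype(Exception):
    """Internal signal: the DOCTYPE has been read, stop before any content."""


def screen_xml(document: bytes) -> list:
    """Return findings for `document`; an empty list means no DTD or entities."""
    findings = []
    parser = expat.ParserCreate()
    # Never load an external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append("doctype:" + name)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid is not None else "internal"
        findings.append(kind + "-entity:" + name)

    def on_doctype_end():
        # Declarations are recorded; abort so no reference is ever expanded.
        raise _StopAfterDoctype

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_doctype_end
    try:
        parser.Parse(document, True)
    except _StopAfterDoctype:
        pass
    except expat.ExpatError:
        findings.append("malformed")
    return findings


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("external", EXTERNAL), ("internal", INTERNAL)):
        print(label, screen_xml(doc) or "ok")
```

A non-empty result is grounds to reject the document, since the XML accepted by the listed API methods does not need a DTD.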
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-22 18:08:05 UTC
This issue is fixed in libvirt 1.2.5 according to [0]: "LSN-2014-0003: Don't expand entities when parsing XML (Daniel P. Berrange)"

@maintainers: Please advise if libvirt 1.2.5 as existing in the current tree is ready for stabilization. 

References:
[0] https://www.redhat.com/archives/libvirt-announce/2014-June/msg00001.html
Comment 2 Agostino Sarubbo gentoo-dev 2014-08-10 09:36:46 UTC
Using in production for a while, no problems.


Arches, please test and mark stable:
=app-emulation/libvirt-1.2.5
=dev-python/libvirt-python-1.2.5
Target keywords : "amd64 x86"
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 21:46:35 UTC
CVE-2014-5177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5177):
  libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control
  is enabled, allows local users to read arbitrary files via a crafted XML
  document containing an XML external entity declaration in conjunction with
  an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML,
  (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5)
  virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML,
  (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10)
  virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12)
  virConnectDomainXMLToNative, (13) virSecretDefineXML, (14)
  virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16)
  virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18)
  virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to
  an XML External Entity (XXE) issue.  NOTE: this issue was SPLIT from
  CVE-2014-0179 per ADT3 due to different affected versions of some vectors.
Comment 4 Agostino Sarubbo gentoo-dev 2014-08-12 15:08:16 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-08-12 15:25:33 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-08-17 04:55:10 UTC
CVE-2014-0179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0179):
  libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a
  denial of service (read block and hang) via a crafted XML document
  containing an XML external entity declaration in conjunction with an entity
  reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API
  method, related to an XML External Entity (XXE) issue.  NOTE: this issue was
  SPLIT per ADT3 due to different affected versions of some vectors.
  CVE-2014-5177 is used for other API methods.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-08-26 15:55:00 UTC
Maintainer(s), please drop the vulnerable version(s) so we can release the GLSA.

Added to existing GLSA Request
Comment 8 Matthias Maier gentoo-dev 2014-10-31 12:17:50 UTC
  31 Oct 2014; Matthias Maier <tamiko@gentoo.org> -libvirt-1.1.3.4.ebuild,
  -libvirt-1.2.3.ebuild, -libvirt-1.2.5.ebuild, -libvirt-1.2.6.ebuild:
  remove old due to bug 524184 (CVE-2014-3633)

  31 Oct 2014; Matthias Maier <tamiko@gentoo.org> -libvirt-python-1.2.3.ebuild,
  -libvirt-python-1.2.4.ebuild, -libvirt-python-1.2.5.ebuild,
  -libvirt-python-1.2.6.ebuild:
  synchronize with app-emulation/libvirt and drop old
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-12-08 23:48:45 UTC
This issue was resolved and addressed in
 GLSA 201412-04 at http://security.gentoo.org/glsa/glsa-201412-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).