Summary: | <app-emulation/libvirt-6.7.0: Unintended access to /dev/mapper/control (CVE-2020-14339) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | tamiko, virtualization |
Priority: | Normal | Keywords: | STABLEREQ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=737096 | ||
Whiteboard: | C1 [glsa+] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 746119 | ||
Bug Blocks: |
Description
Sam James
2020-09-02 03:01:55 UTC
In 6.6.0's release notes:

"virdevmapper: Don't use libdevmapper to obtain dependencies

When building domain's private /dev in a namespace, libdevmapper was consulted for getting full dependency tree of domain's disks. However, this meant that libdevmapper opened /dev/mapper/control which wasn't closed and was leaked to QEMU.

CVE-2020-14339"

Please bump to 6.6.0.

commit 21b2340aff308620f996e7de4123908050f92fdd
Author: Jonathan Davies <jpds@protonmail.com>
Date: Sat Sep 26 22:10:34 2020 +0000

app-emulation/libvirt: Version updated to 6.7.0.

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Matthias Maier <tamiko@gentoo.org>

Arches, please stabilize libvirt-6.7.0

amd64 done

x86 done

all arches done

Please cleanup. Thanks!

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63a74aaa80159c39749f74edac9b9c77a766c98b

commit 63a74aaa80159c39749f74edac9b9c77a766c98b
Author: Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2020-10-07 15:42:15 +0000
Commit: Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-10-07 15:42:15 +0000

app-emulation/libvirt: drop vulnerable

Bug: https://bugs.gentoo.org/739948
Package-Manager: Portage-3.0.8, Repoman-3.0.1
Signed-off-by: Matthias Maier <tamiko@gentoo.org>

app-emulation/libvirt/Manifest | 2 -
.../files/libvirt-6.0.0-do-not-use-sysconf.patch | 150 ---------
.../libvirt-6.1.0-fix-paths-for-apparmor.patch | 70 ----
.../files/libvirt-6.5.0-do-not-use-sysconfig.patch | 245 --------------
.../libvirt-6.5.0-fix-paths-for-apparmor.patch | 82 -----
app-emulation/libvirt/libvirt-6.2.0-r2.ebuild | 356 ---------------------
app-emulation/libvirt/libvirt-6.5.0-r1.ebuild | 355 --------------------
7 files changed, 1260 deletions(-)

Unable to check for sanity:
> no match for package: app-emulation/libvirt-6.7.0
This issue was resolved and addressed in GLSA 202101-22 at https://security.gentoo.org/glsa/202101-22 by GLSA coordinator Sam James (sam_c).
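As an added example (not part of this bug report or of libvirt's code), the leak described in the release note can be checked for on a running host by walking /proc and listing QEMU processes that hold a descriptor on /dev/mapper/control. The function names, the "qemu" process-name prefix and the sample tree are assumptions made for illustration; reading other users' fd tables requires root.

```python
import os

TARGET = "/dev/mapper/control"  # device node named in the release note


def find_leaked_control_fds(proc_root="/proc", comm_prefix="qemu", target=TARGET):
    """Return sorted (pid, fd) pairs for matching processes that hold `target` open."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip non-process entries such as /proc/meminfo
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "comm")) as fh:
                comm = fh.read().strip()
            if not comm.startswith(comm_prefix):
                continue
            fd_dir = os.path.join(pid_dir, "fd")
            for fd in os.listdir(fd_dir):
                # Each fd entry is a symlink to the file the descriptor refers to.
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    hits.append((int(entry), int(fd)))
        except OSError:
            continue  # process exited mid-scan or is not readable by this user
    return sorted(hits)


def build_sample_proc(root):
    """Constructed /proc-like tree: a leaking QEMU, a clean QEMU, an unrelated process."""
    # The kernel truncates comm to 15 characters, hence "qemu-system-x86".
    sample = {
        101: ("qemu-system-x86", {0: "/dev/null", 27: TARGET}),
        102: ("qemu-system-x86", {0: "/dev/null", 9: "/dev/kvm"}),
        103: ("lvm", {3: TARGET}),
    }
    for pid, (comm, fds) in sample.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        with open(os.path.join(root, str(pid), "comm"), "w") as fh:
            fh.write(comm + "\n")
        for fd, dest in fds.items():
            os.symlink(dest, os.path.join(fd_dir, str(fd)))


if __name__ == "__main__":
    for pid, fd in find_leaked_control_fds():
        print(f"pid {pid}: fd {fd} -> {TARGET}")
```

An empty result on a host with running guests is what the fixed versions should produce; any hit means that guest was started by a libvirt build that still leaks the descriptor and should be restarted after the upgrade.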