Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 509858 (CVE-2014-0179) - <app-emulation/libvirt-1.2.5: XML Entity Expansion Information Disclosure and Denial of Service Vulnerability (LSN-2014-0003) (CVE-2014-{0179,5177})
Summary: <app-emulation/libvirt-1.2.5: XML Entity Expansion Information Disclosure and...
Status: RESOLVED FIXED
Alias: CVE-2014-0179
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/58449/
Whiteboard: B3 [glsa]
Keywords:
Depends on: 519748
Blocks:
  Show dependency tree
 
Reported: 2014-05-08 15:36 UTC by Agostino Sarubbo
Modified: 2014-12-08 23:48 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-05-08 15:36:02 UTC
From ${URL} :

Description

A vulnerability has been reported in libvirt, which can be exploited by malicious users to disclose 
potentially sensitive information or cause a DoS (Denial of Service) or by malicious people to cause a 
DoS.

The vulnerability is caused due to the library passing the "XML_PARSE_NOENT" flag to libxml2, which 
subsequently expands entities files when parsing XML files. This can be exploited to e.g. exhaust system 
resources or disclose the content of arbitrary files on the host via specially crafted XML files.

Successful exploitation without authentication requires to trick a user to send a specially crafted XML 
file to libvirt.

The vulnerability is reported in versions 0.7.5 through 1.2.4.


Solution:
Fixed in the source code repository.

Provided and/or discovered by:
The vendor credits Daniel P. Berrange and Richard Jones, Red Hat.

Original Advisory:
https://www.redhat.com/archives/libvir-list/2014-May/msg00209.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2014-06-22 18:08:05 UTC
This issue is fixed in libvirt 1.2.5 according to [0]: "LSN-2014-0003: Don't expand entities when parsing XML (Daniel P. Berrange)"

@maintainers: Please advise if libvirt 1.2.5 as existing in the current tree is ready for stabilization. 

References:
[0] https://www.redhat.com/archives/libvirt-announce/2014-June/msg00001.html
Comment 2 Agostino Sarubbo gentoo-dev 2014-08-10 09:36:46 UTC
Using in production for a while, no problems.


Arches, please test and mark stable:                                                                                                                                                
=app-emulation/libvirt-1.2.5
=dev-python/libvirt-python-1.2.5
Target keywords : "amd64 x86"
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 21:46:35 UTC
CVE-2014-5177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5177):
  libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control
  is enabled, allows local users to read arbitrary files via a crafted XML
  document containing an XML external entity declaration in conjunction with
  an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML,
  (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5)
  virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML,
  (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10)
  virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12)
  virConnectDomainXMLToNative, (13) virSecretDefineXML, (14)
  virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16)
  virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18)
  virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to
  an XML External Entity (XXE) issue.  NOTE: this issue was SPLIT from
  CVE-2014-0179 per ADT3 due to different affected versions of some vectors.
Comment 4 Agostino Sarubbo gentoo-dev 2014-08-12 15:08:16 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-08-12 15:25:33 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-08-17 04:55:10 UTC
CVE-2014-0179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0179):
  libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a
  denial of service (read block and hang) via a crafted XML document
  containing an XML external entity declaration in conjunction with an entity
  reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API
  method, related to an XML External Entity (XXE) issue.  NOTE: this issue was
  SPLIT per ADT3 due to different affected versions of some vectors.
  CVE-2014-5177 is used for other API methods.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev Security 2014-08-26 15:55:00 UTC
Maintainer(s), please drop the vulnerable version(s) so we can release the GLSA.

Added to existing GLSA Request
Comment 8 Matthias Maier gentoo-dev 2014-10-31 12:17:50 UTC
  31 Oct 2014; Matthias Maier <tamiko@gentoo.org> -libvirt-1.1.3.4.ebuild,
  -libvirt-1.2.3.ebuild, -libvirt-1.2.5.ebuild, -libvirt-1.2.6.ebuild:
  remove old due to bug 524184 (CVE-2014-3633)

  31 Oct 2014; Matthias Maier <tamiko@gentoo.org> -libvirt-python-1.2.3.ebuild,
  -libvirt-python-1.2.4.ebuild, -libvirt-python-1.2.5.ebuild,
  -libvirt-python-1.2.6.ebuild:
  synchronize with app-emulation/libvirt and drop old
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-12-08 23:48:45 UTC
This issue was resolved and addressed in
 GLSA 201412-04 at http://security.gentoo.org/glsa/glsa-201412-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).