Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 398355 (CVE-2011-4600) - <app-emulation/libvirt-0.9.10-r4: "bridge" Forward Mode Firewall Rules Weakness (CVE-2011-4600)
Summary: <app-emulation/libvirt-0.9.10-r4: "bridge" Forward Mode Firewall Rules Weakne...
Status: RESOLVED FIXED
Alias: CVE-2011-4600
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/47463/
Whiteboard: C4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-10 10:47 UTC by Agostino Sarubbo
Modified: 2012-03-07 13:13 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-01-10 10:47:06 UTC 
From secunia security advisory at $URL:

Description:
The weakness is caused due to libvirt incorrectly inserting certain firewall rules, which can lead to unintended access to ports 53 and 67.

Successful exploitation requires that a libvirt network with "bridge" forward mode is defined and started and that libvirtd is restarted.

The weakness is reported in version 0.9.4 through 0.9.8.

Solution:
Update to version 0.9.9.
Comment 1 Agostino Sarubbo gentoo-dev 2012-01-10 10:48:34 UTC 
@Maintainer:

this vulnerability seems happen with a not default configuration, if yes, please tell me and I'll provide to change severity level. TIA
Comment 2 Doug Goldstein (RETIRED) gentoo-dev 2012-02-09 19:47:14 UTC 
Yes, if USE=virt-network is setup and libvirt is configured to generate your bridge, which isn't the method that Gentoo uses or recommends by default, then you are vulnerable.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-02-20 22:39:28 UTC 
@cardoe, virtualization: I see =app-emulation/libvirt-0.9.10-r2 in the tree. Can we go for stabilization?
Comment 4 Doug Goldstein (RETIRED) gentoo-dev 2012-03-05 23:38:40 UTC 
Arches: please stabilize 0.9.10-r4

target keywords: amd64 x86
Comment 5 Thomas Kahle (RETIRED) gentoo-dev 2012-03-07 12:28:25 UTC 
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2012-03-07 12:54:59 UTC 
amd64 stable