[v2.7] libvirt: multiple issues (CVE-2013-6456 CVE-2014-0179)
CVE-2013-6456:
The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows
local users to (1) delete arbitrary host devices via the
virDomainDeviceDettach API and a symlink attack on /dev in the
container; (2) create arbitrary nodes (mknod) via the
virDomainDeviceAttach API and a symlink attack on /dev in the container;
and cause a denial of service (shutdown or reboot host OS) via the (3)
virDomainShutdown or (4) virDomainReboot API and a symlink attack on
/dev/initctl in the container, related to “paths under /proc/$PID/root”
and the virInitctlSetRunLevel function.
• MISC: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732394
• CONFIRM: http://libvirt.org/git/?p=libvirt.git;a=commit;h=5fc590ad9f4
• CONFIRM: http://libvirt.org/news.html
• CONFIRM: http://security.libvirt.org/2013/0018.html
• CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1045643
• FEDORA: FEDORA-2014-2864
• URL: http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129199.html
• SUSE: openSUSE-SU-2014:0593
• URL: http://lists.opensuse.org/opensuse-updates/2014-05/msg00004.html
• BID: 65743
• URL: http://www.securityfocus.com/bid/65743
• SECUNIA: 56187
• URL: http://secunia.com/advisories/56187
• SECUNIA: 56215
• URL: http://secunia.com/advisories/56215
CVE-2014-0179:
When parsing XML documents, libvirt passes the XML_PARSE_NOENT flag to
libxml2 which instructs it to expand all entities in the XML document
during parsing. This can be used to insert the contents of host OS files
in the resulting parsed content. Although the flaw was introduced in
0.0.5, it was dormant having no ill effects, since the APIs involved all
required the user to authenticate with privileges equivalent to root. In
version 0.7.5 or later the virConnectCompareCPU / virConnectBaselineCPU
methods activate the dormant bug, allowing for denial of service. In
version 1.0.0 or later, if the admin opts in to using the new fine
grained access control feature, there is potential for unprivileged
information disclosure.
References:
http://security.libvirt.org/2014/0003.html
CONFIRM:
http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=d6b27d3e4c40946efa79e91d134616b41b1666c4;hp=96eb7523e4a20605cc498d221c20ca6f18f5d3bb
(from redmine: issue id 2955, created on 2014-05-23, closed on 2014-06-10)
- Relations:
- parent #2952 (closed)
- Changesets:
- Revision 0cfa1ecb on 2014-05-26T15:48:29Z:
main/libvirt: security fix (CVE-2013-6456, CVE-2014-0179). Fixes #2955
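
The CVE-2014-0179 description above turns on entities being expanded at parse time. As an added example (not libvirt code and not taken from the advisory), this Python check uses the standard-library expat bindings to list the entity and external DTD declarations in a document without fetching or expanding external resources. The function names, the refusal policy and the sample documents are assumptions constructed for illustration.

```python
from xml.parsers import expat

# Constructed sample inputs; the file URI is a placeholder, not a real path.
SAMPLE_WITH_ENTITIES = """<?xml version="1.0"?>
<!DOCTYPE cpu [
  <!ENTITY arch "x86_64">
  <!ENTITY leak SYSTEM "file:///path/to/host/file">
]>
<cpu><arch>&arch;</arch><model>&leak;</model></cpu>"""
SAMPLE_PLAIN = "<cpu><arch>x86_64</arch><model>example</model></cpu>"
SAMPLE_EXTERNAL_DTD = '<!DOCTYPE cpu SYSTEM "cpu.dtd"><cpu/>'


def audit_entities(xml_text):
    """Return (name, kind, target) for each declaration found in the DTD.

    kind is "internal" for an entity with a literal value, "external" for
    an entity naming a SYSTEM/PUBLIC resource, and "external-dtd" for a
    DOCTYPE that points at an external subset. No ExternalEntityRefHandler
    is installed, so expat never opens the referenced resources.
    """
    found = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            found.append((name, "external-dtd", system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append((name, "external", system_id))
        else:
            found.append((name, "internal", value))

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_text, True)
    return found


def is_safe_to_expand(xml_text):
    """Assumed policy: refuse input that declares anything external."""
    return not any(k.startswith("external") for _, k, _ in audit_entities(xml_text))


if __name__ == "__main__":
    for doc in (SAMPLE_WITH_ENTITIES, SAMPLE_PLAIN, SAMPLE_EXTERNAL_DTD):
        print(audit_entities(doc), is_safe_to_expand(doc))
```
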