Bugzilla – Bug 854486
VUL-0: libvirt: CVE-2013-6436: Fix crash in LXC memtune code
Last modified: 2014-03-24 08:36:01 UTC
EMBARGOED: Theres upcoming fix for libvirt lxc code. Dunno if the patches they sent around are final. Do you have git access to them? From libvirt list: First crash (DoS) seems like a security problem due to the fact that it can me caused even with a read-only connection. Second one is simply a DoS for everytone by a user who has only ACL for SetMemoryParameters. Martin Kletzander (2): security: fix crash in lxcDomainGetMemoryParameters security: fix crash in lxcDomainSetMemoryParameters src/lxc/lxc_driver.c | 153 +++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 130 insertions(+), 23 deletions(-)
bugbot adjusting priority
FYI, Friday Dec 20 is the scheduled embargo lift date.
Backported both patches on the mailing list to 13.1 and SP3. The SP3 backport was a bit tricky and I've committed it to IBS Devel:Virt:SLE-11-SP3 for broader testing. The 13.1 backport was trivial and I'm holding it in a private repo until the embargo lifts.
The SWAMPID for this issue is 55482. This issue was rated as moderate. Please submit fixed packages until 2013-12-30. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Patches have been added to the affected libvirt packages and requests submitted: SLE11 SP3: SR#30366 openSUSE13.1: MR#211903 Factory: SR#211904 Nothing left for me to do here, reassigning to the security team.
This is an autogenerated message for OBS integration: This bug (854486) was mentioned in https://build.opensuse.org/request/show/211904 Factory / libvirt
went public
openSUSE-SU-2014:0010-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 854144,854486,855239 CVE References: CVE-2013-6436 Sources used: openSUSE 13.1 (src): libvirt-1.1.2-2.14.2
Hmm, come to think of it, we don't even support libvirt-lxc in SLE11. It is provided, and folks are using it, but only the sourceforge LXC tools are supported in SLE11. This will change in SLE12, e.g. see FATE#316352.
Tony, is apparmor enabled? If so, can you disable it and see if that helps?
Hi Jim, It could work after I disabled apparmor! Thanks
Good to know, but I don't plan on adding /usr/lib/libvirt to the libvirtd apparmor profile. No one should be using this stuff on a 32-bit host. Why are you not testing on a 64-bit system? That is what customers will be using. Seems like an invalid test to me.
It was tested on both 32-bit and 64-bit system. The behavior of both was the same. I just posted info about 32-bit there. Thanks
.
Update released for: libvirt, libvirt-client, libvirt-client-32bit, libvirt-client-64bit, libvirt-client-x86, libvirt-debuginfo, libvirt-debugsource, libvirt-devel, libvirt-devel-32bit, libvirt-devel-64bit, libvirt-doc, libvirt-lock-sanlock, libvirt-python Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SUSE-SU-2014:0162-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 841720,842016,854486 CVE References: CVE-2013-6436 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): libvirt-1.0.5.8-0.7.1 SUSE Linux Enterprise Server 11 SP3 (src): libvirt-1.0.5.8-0.7.1 SUSE Linux Enterprise Desktop 11 SP3 (src): libvirt-1.0.5.8-0.7.1
was released