Bugzilla – Bug 873705
VUL-0: CVE-2014-0179: libvirt: Unsafe parsing of XML documents allows arbitrary file read
Last modified: 2014-08-05 09:10:34 UTC
EMBARGOED via direct contact:

Libvirt Security Notice: LSN-2014-0003
======================================

Summary: Unsafe parsing of XML documents allows arbitrary file read
Reported on: 20140411
Published on:
Fixed on:
Reported by: Daniel P. Berrange <berrange@redhat.com>
             Richard Jones <rjones@redhat.com>
Patched by: Daniel P. Berrange <berrange@redhat.com>
See also: CVE-XXXX-XXXX

Description
-----------

When parsing XML documents, libvirt passes the XML_PARSE_NOENT flag to libxml2 which instructs it to expand all entities in the XML document during parsing. This can be used to insert the contents of host OS files in the resulting parsed content. Although the flag was mistakenly introduced in version 0.0.5, the usage only becomes a vulnerability once the fine grained access control mechanism is introduced in version 1.0.0.

Impact
------

A malicious user can pass libvirt an XML document which contains an entity that points to an arbitrary file on the host. When libvirt parses this document, it will insert the contents of that host file, which could allow the user to read the contents of files that they otherwise do not have permission to view. It also has the potential to cause a denial of service if the entity points to a named pipe with no writer connected. If the libvirt installation is not using fine grained access control then any user of the affected APIs is already considered to have privileges equivalent to root.

If the libvirt installation is using fine grained access control, then the following APIs can be considered vulnerable: virDomainDefineXML, virNetworkCreateXML, virNetworkDefineXML, virStoragePoolCreateXML, virStoragePoolDefineXML, virStorageVolCreateXML, virDomainCreateXML, virNodeDeviceCreateXML, virInterfaceDefineXML, virStorageVolCreateXMLFrom, virConnectDomainXMLFromNative, virConnectDomainXMLToNative, virSecretDefineXML, virNWFilterDefineXML, virDomainSnapshotCreateXML, virDomainSaveImageDefineXML, virDomainCreateXMLWithFiles, virConnectCompareCPU, virConnectBaselineCPU.

Workaround
----------

Stop use of the fine grained access control mechanism, and restrict access to the libvirt read-write TCP/UNIX sockets to only trusted users. Simply denying access to the affected APIs in the access control policy is insufficient to mitigate the bug, since the XML document typically needs to be parsed before the access control check is applied in order to extract the UUID/name of the object to check.

Affected product
----------------

Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
            http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken in: v1.2.2
Broken in: v1.2.3
Fixed in:
Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
Fixed by:
Branch: v1.1.0-maint
Fixed in:
Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
Fixed by:
Branch: v1.1.1-maint
Fixed in:
Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
Fixed by:
Branch: v1.1.2-maint
Fixed in:
Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
Fixed by:
Branch: v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Broken in: v1.1.3.4
Fixed in:
Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
Fixed by:
Branch: v1.1.4-maint
Fixed in:
Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
Fixed by:
Branch: v1.2.0-maint
Fixed in:
Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
Fixed by:
Branch: v1.2.1-maint
Fixed in:
Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
Fixed by:
Branch: v1.2.2-maint
Fixed in:
Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
Fixed by:

The suggested fix was also attached:

Subject: [PATCH] LSN-2014-0003: Don't expand entities when parsing XML

If the XML_PARSE_NOENT flag is passed to libxml2, then any entities in the input document will be fully expanded. This allows the user to read arbitrary files on the host machine by creating an entity pointing to a local file. Removing the XML_PARSE_NOENT flag means that any entities are left unchanged by the parser, or expanded to "" by the XPath APIs.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 src/util/virxml.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/util/virxml.c b/src/util/virxml.c
index 9f00f62..34af64a 100644
--- a/src/util/virxml.c
+++ b/src/util/virxml.c
@@ -746,11 +746,11 @@ virXMLParseHelper(int domcode, if (filename) { xml = xmlCtxtReadFile(pctxt, filename, NULL, - XML_PARSE_NOENT | XML_PARSE_NONET | + XML_PARSE_NONET | XML_PARSE_NOWARNING); } else { xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, url, NULL, - XML_PARSE_NOENT | XML_PARSE_NONET | + XML_PARSE_NONET | XML_PARSE_NOWARNING); } if (!xml) -- 1.9.0 CVE-2014-0179 was assigned to this issue.
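Review bot: Dropping XML_PARSE_NOENT from both the xmlCtxtReadFile and xmlCtxtReadDoc calls closes the substitution path, but the commit message says entity references are now left unchanged or expanded to "" by the XPath APIs, so a user-supplied document that declares an entity is still accepted and silently yields empty values rather than being rejected; since the notice itself notes the document is parsed before the ACL check, consider failing the parse outright when the input declares entities, which also removes the named-pipe denial-of-service avenue the notice mentions. The diffstat shows only src/util/virxml.c changed, so nothing pins the new behaviour: a test feeding a document with an entity declaration through virXMLParseHelper and checking the result would guard against XML_PARSE_NOENT creeping back in.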
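An added illustration of the mechanism the notice and patch describe, written against Python's stdlib expat parser rather than libvirt's libxml2 code (this is not libvirt's or the author's code); it shows a gate that refuses documents declaring entities before any parse, and that a parser which does not resolve external entities yields an empty value for the reference, as the patch says libvirt does after the fix. The domain-like documents and the file path in them are constructed placeholders.

```python
"""Added illustration (not libvirt code) of the LSN-2014-0003 mechanism with
Python's stdlib expat parser; the documents and file path are constructed."""
import xml.parsers.expat

# Constructed domain-like XML declaring an external entity that points at a
# host file (placeholder path): &leak; would carry that file's contents if
# the parser substituted entities, as libvirt did with XML_PARSE_NOENT.
HOSTILE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE domain [ <!ENTITY leak SYSTEM "file:///PLACEHOLDER/host/file"> ]>
<domain type="kvm"><name>&leak;</name></domain>"""
BENIGN_XML = b'<?xml version="1.0"?><domain type="kvm"><name>vm1</name></domain>'


def declares_entities(xml_bytes):
    """True if the document declares any entity (or is malformed). libvirt
    parses the document before its ACL check runs, so such a gate has to
    sit in front of the parser; denying APIs in policy is not enough."""
    found = []
    p = xml.parsers.expat.ParserCreate()
    # handler args: (name, is_param, value, base, systemId, publicId, notation)
    p.EntityDeclHandler = lambda *args: found.append((args[0], args[4]))
    try:
        p.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        return True
    return bool(found)


def name_element_text(xml_bytes):
    """Text of <name> from a parser with no external-entity resolver set:
    the reference contributes nothing, matching the post-fix behaviour the
    patch describes (entities left unexpanded or expanded to "")."""
    text, inside = [], [False]

    def start(tag, attrs):
        inside[0] = tag == "name"

    def chars(data):
        if inside[0]:
            text.append(data)

    p = xml.parsers.expat.ParserCreate()
    p.StartElementHandler = start
    p.EndElementHandler = lambda tag: inside.__setitem__(0, False)
    p.CharacterDataHandler = chars
    p.Parse(xml_bytes, True)
    return "".join(text)
```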
bugbot adjusting priority
The SWAMPID for this issue is 57212. This issue was rated as moderate. Please submit fixed packages by 2014-05-20. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
I've submitted libvirt for all affected products:
openSUSE 12.3 - SR#232886
openSUSE 13.1 - SR#232888
openSUSE Factory - SR#232966
SLES11 SP3 - SR#37540
I'll also include the fix in SLES12 beta7. AFAIK, I'm done here - passing to security team. Thanks!
This is an autogenerated message for OBS integration: This bug (873705) was mentioned in https://build.opensuse.org/request/show/232966 Factory / libvirt
openSUSE-SU-2014:0650-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 873705
CVE References: CVE-2014-0179
Sources used:
openSUSE 12.3 (src): libvirt-1.0.2-1.18.1
Update released for: libvirt, libvirt-client, libvirt-client-32bit, libvirt-client-64bit, libvirt-client-x86, libvirt-debuginfo, libvirt-debugsource, libvirt-devel, libvirt-devel-32bit, libvirt-devel-64bit, libvirt-doc, libvirt-lock-sanlock, libvirt-python
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
Update was released for 13.1, but it wasn't mentioned here.
Announcement ID: openSUSE-SU-2014:0674-1
Rating: moderate
References: #873705 #875694
Cross-References: CVE-2014-0179
Affected Products: openSUSE 13.1
SUSE-SU-2014:0785-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 857490,873705
CVE References: CVE-2013-6456,CVE-2014-0179
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): libvirt-1.0.5.9-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src): libvirt-1.0.5.9-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src): libvirt-1.0.5.9-0.9.1
There is an additional CVE for this issue that was split from CVE-2014-0179. This comment is only for reference.
Vulnerability Details: CVE-2014-5177
http://www.cvedetails.com/cve/CVE-2014-5177
libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12) virConnectDomainXMLToNative, (13) virSecretDefineXML, (14) virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16) virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18) virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT from CVE-2014-0179 per ADT3 due to different affected versions of some vectors.