Bugzilla – Bug 910862
VUL-0: CVE-2014-8136: libvirt: local denial of service in qemu/qemu_driver.c
Last modified: 2016-04-27 19:33:28 UTC
rh#1176176

Common Vulnerabilities and Exposures assigned an identifier CVE-2014-8136 to the following vulnerability:

Name: CVE-2014-8136
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8136
Assigned: 20141010
Reference: http://secunia.com/advisories/61111

The (1) qemuDomainMigratePerform and (2) qemuDomainMigrateFinish2 functions in qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL check fails, which allows local users to cause a denial of service via unspecified vectors.

Upstream commit that addresses this:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=2bdcd29c713dfedd813c89f56ae98f6f3898313d

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1176176
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8136
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8136
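The lock leak described in the CVE text above, as a simplified model added here; it is not libvirt's code and not part of the bug report. All function and type names are hypothetical, and a pthread mutex stands in for the per-domain lock.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for a locked domain object (not libvirt's type). */
struct domain { pthread_mutex_t lock; };

/* Stand-in for the ACL check: 0 when permitted, -1 when denied. */
static int acl_check(bool permitted) { return permitted ? 0 : -1; }

/* Flawed shape: the ACL failure path returns with the domain still locked. */
int migrate_perform_flawed(struct domain *d, bool permitted)
{
    pthread_mutex_lock(&d->lock);
    if (acl_check(permitted) < 0)
        return -1;                      /* lock is never released */
    pthread_mutex_unlock(&d->lock);
    return 0;
}

/* Corrected shape: every exit passes through one cleanup label. */
int migrate_perform_fixed(struct domain *d, bool permitted)
{
    int ret = -1;
    pthread_mutex_lock(&d->lock);
    if (acl_check(permitted) < 0)
        goto cleanup;
    ret = 0;                            /* migration work would go here */
cleanup:
    pthread_mutex_unlock(&d->lock);
    return ret;
}

/* Make one denied call, then report whether the domain lock is still held. */
bool lock_leaked_after_denial(int (*op)(struct domain *, bool))
{
    struct domain d;
    pthread_mutex_init(&d.lock, NULL);
    op(&d, false);
    bool leaked = pthread_mutex_trylock(&d.lock) == EBUSY;
    pthread_mutex_unlock(&d.lock);      /* held either way at this point */
    pthread_mutex_destroy(&d.lock);
    return leaked;
}

int main(void)
{
    printf("flawed leaks lock: %d\n", lock_leaked_after_denial(migrate_perform_flawed));
    printf("fixed leaks lock:  %d\n", lock_leaked_after_denial(migrate_perform_fixed));
    return 0;
}
```

In a long-running daemon, a lock left held this way makes every later operation on the same domain wait indefinitely, which is the denial of service the advisory refers to.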
bugbot adjusting priority
Affects openSUSE 13.1, openSUSE 13.2, and SLE12. Factory is fixed by the update to libvirt 1.2.11.
I've submitted a libvirt package containing the fix for openSUSE 13.1 (MR#266111) and openSUSE 13.2 (MR#266112). Fix for SLE12 is queued in Devel:Virt:SLE-12/libvirt, but there is already a running update for SLE12. Security, do you want me to resubmit for SLE12, or defer this until the next update?
This is an autogenerated message for OBS integration: This bug (910862) was mentioned in https://build.opensuse.org/request/show/266111 13.1 / libvirt
QA has not started in SLE12, so you can do an incremental submit and we can merge it.
Thanks Marcus. Submitted MR#47743 to SUSE:SLE-12:Update. Handing bug over to security-team.
openSUSE-SU-2015:0006-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 910862
CVE References: CVE-2014-8136
Sources used:
openSUSE 13.1 (src): libvirt-1.1.2-2.44.1

openSUSE-SU-2015:0008-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 904432,909274,910860,910862
CVE References: CVE-2014-8131,CVE-2014-8135,CVE-2014-8136
Sources used:
openSUSE 13.2 (src): libvirt-1.2.9-8.1
released
SUSE-SU-2015:0241-1: An update that solves three vulnerabilities and has 9 fixes is now available.
Category: security (moderate)
Bug References: 891936,899334,899484,900587,902976,903756,904176,904426,904432,909828,910862,911737
CVE References: CVE-2014-3657,CVE-2014-7823,CVE-2014-8136
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src): libvirt-1.2.5-21.1
SUSE Linux Enterprise Software Development Kit 12 (src): libvirt-1.2.5-21.1
SUSE Linux Enterprise Server 12 (src): libvirt-1.2.5-21.1
SUSE Linux Enterprise Desktop 12 (src): libvirt-1.2.5-21.1