SCIENTIFIC-LINUX-ERRATA Archives

January 2015

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From: Pat Riehecky <[log in to unmask]>
Date: Tue, 6 Jan 2015 14:40:14 +0000

Synopsis:          Low: libvirt security and bug fix update
Advisory ID:       SLSA-2015:0008-1
Issue Date:        2015-01-05
CVE Numbers:       CVE-2014-7823
--

It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the
QEMU driver implementation of the virDomainGetXMLDesc() function could
bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote
attacker able to establish a read-only connection to libvirtd could use
this flaw to leak certain limited information from the domain XML data.
(CVE-2014-7823)

This update also fixes the following bugs:

* In Scientific Linux 6, libvirt relies on the QEMU emulator to supply the
error message when an active commit is attempted. However, with Scientific
Linux 7, QEMU added support for an active commit, but an additional
interaction from libvirt to fully enable active commits is still missing.
As a consequence, attempts to perform an active commit caused libvirt to
become unresponsive. With this update, libvirt has been fixed to detect an
active commit by itself, and now properly declares the feature as
unsupported. As a result, libvirt no longer hangs when an active commit is
attempted and instead produces an error message.

* Prior to this update, the libvirt API did not properly check whether a
Discretionary Access Control (DAC) security label is non-NULL before
trying to parse user/group ownership from it. In addition, the DAC
security label of a transient domain that had just finished migrating to
another host is in some cases NULL. As a consequence, when the
virDomainGetBlockInfo API was called on such a domain, the libvirtd daemon
sometimes terminated unexpectedly. With this update, libvirt properly
checks DAC labels before trying to parse them, and libvirtd thus no longer
crashes in the described scenario.

* If a block copy operation was attempted while another block copy was
already in progress to an explicit raw destination, libvirt previously
stopped regarding the destination as raw. As a consequence, if the
qemu.conf file was edited to allow file format probing, triggering the bug
could allow a malicious guest to bypass sVirt protection by making libvirt
regard the file as non-raw. With this update, libvirt has been fixed to
consistently remember when a block copy destination is raw, and guests can
no longer circumvent sVirt protection when the host is configured to allow
format probing.

After installing the updated packages, libvirtd will be restarted
automatically.
--

SL7
  x86_64
    libvirt-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-client-1.1.1-29.el7_0.4.i686.rpm
    libvirt-client-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-daemon-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-daemon-config-network-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-daemon-config-nwfilter-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-daemon-driver-interface-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-daemon-driver-lxc-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-daemon-driver-network-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-daemon-driver-nodedev-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-daemon-driver-nwfilter-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-daemon-driver-qemu-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-daemon-driver-secret-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-daemon-driver-storage-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-daemon-kvm-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-debuginfo-1.1.1-29.el7_0.4.i686.rpm
    libvirt-debuginfo-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-python-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-daemon-lxc-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-devel-1.1.1-29.el7_0.4.i686.rpm
    libvirt-devel-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-docs-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-lock-sanlock-1.1.1-29.el7_0.4.x86_64.rpm
    libvirt-login-shell-1.1.1-29.el7_0.4.x86_64.rpm

- Scientific Linux Development Team
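
An added example, not part of the advisory or of any Scientific Linux tooling: a Python check that flags libvirt packages older than the fixed SL7 build listed above and reports whether qemu.conf enables format probing, the precondition the advisory gives for the sVirt bypass. The sample `rpm -qa` lines and qemu.conf text are constructed, the version comparison is a simplified form of rpm's segment comparison (no epoch or tilde handling), and `allow_disk_format_probing` is libvirt's qemu.conf setting name, which the advisory itself does not spell out.

```python
import re

FIXED = ("1.1.1", "29.el7_0.4")  # version, release from the advisory's SL7 list

def rpmvercmp(a, b):
    """Segment-wise compare in the style of rpm (simplified: an assumption)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():      # a digit run sorts newer than letters
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments are newer

def unpatched(rpm_qa_lines):
    """Return the libvirt NVRA strings older than the advisory's fixed build."""
    stale = []
    for nvra in rpm_qa_lines:
        nvr, _, _arch = nvra.strip().rpartition(".")
        parts = nvr.rsplit("-", 2)          # name, version, release
        if len(parts) != 3 or not parts[0].startswith("libvirt"):
            continue
        _name, ver, rel = parts
        if (rpmvercmp(ver, FIXED[0]) or rpmvercmp(rel, FIXED[1])) < 0:
            stale.append(nvra.strip())
    return stale

def probing_enabled(qemu_conf_text):
    """True if the last uncommented allow_disk_format_probing line is non-zero."""
    m = re.findall(r"^\s*allow_disk_format_probing\s*=\s*(\d+)",
                   qemu_conf_text, re.M)
    return bool(m) and m[-1] != "0"

# Constructed sample input, not taken from a real host.
SAMPLE_RPM_QA = [
    "libvirt-daemon-1.1.1-29.el7_0.3.x86_64",
    "libvirt-client-1.1.1-29.el7_0.4.x86_64",
    "libvirt-daemon-driver-qemu-1.1.1-29.el7.x86_64",
    "bash-4.2.46-12.el7.x86_64",
]
SAMPLE_QEMU_CONF = "#allow_disk_format_probing = 1\nallow_disk_format_probing = 1\n"

if __name__ == "__main__":
    for pkg in unpatched(SAMPLE_RPM_QA):
        print("needs update:", pkg)
    print("format probing enabled:", probing_enabled(SAMPLE_QEMU_CONF))
```

On a real host, feed `unpatched()` the output of `rpm -qa 'libvirt*'` and `probing_enabled()` the contents of `/etc/libvirt/qemu.conf`.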
