CVE-2014-3633 – libvirt: qemu: out-of-bounds read access in qemuDomainGetBlockIoTune() due to invalid index
https://notcve.org/view.php?id=CVE-2014-3633
The qemuDomainGetBlockIoTune function in qemu/qemu_driver.c in libvirt before 1.2.9, when a disk has been hot-plugged or removed from the live image, allows remote attackers to cause a denial of service (crash) or read sensitive heap information via a crafted blkiotune query, which triggers an out-of-bounds read. La función qemuDomainGetBlockIoTune en qemu/qemu_driver.c en libvirt anterior a 1.2.9, cuando un disco ha sido conectado en caliente o eliminado de la imagen en vivo, permite a atacantes remotos causar una denegación de servicio (caída) o leer información sensible de la memoria dinámica a través de una consulta blkiotune manipulada, lo que provoca una lectura fuera de rango. An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process. • http://libvirt.org/git/?p=libvirt.git%3Ba=commitdiff%3Bh=3e745e8f775dfe6f64f18b5c2fe4791b35d3546b http://lists.opensuse.org/opensuse-updates/2014-10/msg00014.html http://lists.opensuse.org/opensuse-updates/2014-10/msg00017.html http://rhn.redhat.com/errata/RHSA-2014-1352.html http://secunia.com/advisories/60291 http://secunia.com/advisories/60895 http://security.gentoo.org/glsa/glsa-201412-04.xml http://security.libvirt.org/2014/0004.html http://www.debian.org/security/2014/dsa-3038 h • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •
CVE-2014-5177 – libvirt: unsafe parsing of XML documents allows libvirt DoS and/or arbitrary file read
https://notcve.org/view.php?id=CVE-2014-5177
libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12) virConnectDomainXMLToNative, (13) virSecretDefineXML, (14) virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16) virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18) virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT from CVE-2014-0179 per ADT3 due to different affected versions of some vectors. libvirt 1.0.0 hasta 1.2.x anterior a 1.2.5, cuando el control de acceso detallado está habilitado, permite a usuarios locales leer ficheros arbitrarios a través de un documento XML manipulado que contiene una declaración de entidad externa XML en conjunto con una referencia de entidad en el método API (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12) virConnectDomainXMLToNative, (13) virSecretDefineXML, (14) virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16) virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18) virConnectCompareCPU o (19) virConnectBaselineCPU, relacionado con un problema de entidad externa XML (XXE). NOTA: este problema ha sido dividido (SPLIT) del CVE-2014-0179 por ADT3 debido a las diferentes versiones afectadas de algunos vectores. It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a file could use this flaw to read the contents of that file (limited to libvirt as shipped with Red Hat Enterprise Linux 7); parsing an XML document with an entity pointing to a special file that blocks on read access could cause libvirtd to hang indefinitely, resulting in a denial of service on the system. • http://libvirt.org/news.html http://lists.opensuse.org/opensuse-updates/2014-05/msg00048.html http://lists.opensuse.org/opensuse-updates/2014-05/msg00052.html http://rhn.redhat.com/errata/RHSA-2014-0560.html http://secunia.com/advisories/60895 http://security.gentoo.org/glsa/glsa-201412-04.xml http://security.libvirt.org/2014/0003.html http://www.ubuntu.com/usn/USN-2366-1 https://access.redhat.com/security/cve/CVE-2014-5177 https://bugzilla.redhat.com/show_bug.cg • CWE-20: Improper Input Validation CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2014-0179 – libvirt: unsafe parsing of XML documents allows libvirt DoS and/or arbitrary file read
https://notcve.org/view.php?id=CVE-2014-0179
libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT per ADT3 due to different affected versions of some vectors. CVE-2014-5177 is used for other API methods. libvirt 0.7.5 hasta 1.2.x anterior a 1.2.5 permite a usuarios locales causar una denegación de servicio (bloqueo de lectura y cuelgue) a través de un documento XML manipulado que contiene una declaración de entidad externa XML en conjunto con una referencia de entidad en el método (1) virConnectCompareCPU o (2) virConnectBaselineCPU API, relacionado con un problema de entidad externa XML (XXE). NOTA: este problema fue dividido (SPLIT) por ADT3 debido a las diferentes versiones afectadas de algunos vectores. CVE-2014-5177 se utiliza para otros métodos API. • http://libvirt.org/news.html http://lists.opensuse.org/opensuse-updates/2014-05/msg00048.html http://lists.opensuse.org/opensuse-updates/2014-05/msg00052.html http://rhn.redhat.com/errata/RHSA-2014-0560.html http://secunia.com/advisories/60895 http://security.gentoo.org/glsa/glsa-201412-04.xml http://security.libvirt.org/2014/0003.html http://www.debian.org/security/2014/dsa-3038 http://www.ubuntu.com/usn/USN-2366-1 https://access.redhat.com/security/cve/CVE-20 • CWE-20: Improper Input Validation CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2013-6456
https://notcve.org/view.php?id=CVE-2013-6456
The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot host OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink attack on /dev/initctl in the container, related to "paths under /proc/$PID/root" and the virInitctlSetRunLevel function. El controlador LXC (lxc/lxc_driver.c) en libvirt 1.0.1 hasta 1.2.1 permite a usuarios locales (1) borrar dispositivos arbitrarios a través de API virDomainDeviceDettach y un ataque symlink en /dev en el contenedor; (2) crear nodos arbitrarios (mknod) a través de la API virDomainDeviceAttach y un ataque symlink en /dev en el contenedor; y causar una denegación de servicio (apagado o reinicio del sistema operativo del host) a través de (3) virDomainShutdown o (4) virDomainReboot API y a un ataque symlink en /dev/initctl en el contenedor, relacionado con "rutas contenidas en /proc/$PID/root" y la función virInitctlSetRunLevel. • http://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=5fc590ad9f4 http://libvirt.org/news.html http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129199.html http://lists.opensuse.org/opensuse-updates/2014-05/msg00004.html http://secunia.com/advisories/56187 http://secunia.com/advisories/56215 http://secunia.com/advisories/60895 http://security.gentoo.org/glsa/glsa-201412-04.xml http://security.libvirt.org/2013/0018.html http://www.securityfocus.com/bid/6574 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2013-6457
https://notcve.org/view.php?id=CVE-2013-6457
The libxlDomainGetNumaParameters function in the libxl driver (libxl/libxl_driver.c) in libvirt before 1.2.1 does not properly initialize the nodemap, which allows local users to cause a denial of service (invalid free operation and crash) or possibly execute arbitrary code via an inactive domain to the virsh numatune command. La función libxlDomainGetNumaParameters en el driver libxl (libxl/libxl_driver.c) de libvirt anteriores a 1.2.1 no inicializa correctamente el nodemap, lo cual permite a usuarios locales causar denegación de servicio (operación de liberación inválida y caída) o posiblemente ejecutar código arbitrario a través de un dominio inactivo en el comando virsh numatune. • http://libvirt.org/news.html http://lists.opensuse.org/opensuse-updates/2014-02/msg00060.html http://secunia.com/advisories/60895 http://security.gentoo.org/glsa/glsa-201412-04.xml http://www.ubuntu.com/usn/USN-2093-1 https://bugzilla.redhat.com/show_bug.cgi?id=1048629 https://www.redhat.com/archives/libvir-list/2013-December/msg01176.html https://www.redhat.com/archives/libvir-list/2013-December/msg01258.html • CWE-264: Permissions, Privileges, and Access Controls •