Bug 1088290 (CVE-2014-0179, CVE-2014-5177)

Summary: CVE-2014-0179 CVE-2014-5177 libvirt: unsafe parsing of XML documents allows libvirt DoS and/or arbitrary file read
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aavati, acathrow, berrange, bsarathy, eblake, jdenemar, jkurik, jrusnack, nlevinki, pfrields, rfortier, rjones, scorneli, security-response-team, ssaha, vbellur, veillard
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a file could use this flaw to read the contents of that file (limited to libvirt as shipped with Red Hat Enterprise Linux 7); parsing an XML document with an entity pointing to a special file that blocks on read access could cause libvirtd to hang indefinitely, resulting in a denial of service on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-22 19:43:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1088292, 1088293, 1094790, 1094791, 1094792    
Bug Blocks: 1086699, 1088308, 1097799, 1121180    

Description Petr Matousek 2014-04-16 11:35:42 UTC 
When parsing XML documents, libvirt passes the XML_PARSE_NOENT flag
to libxml2 which instructs it to expand all entities in the XML
document during parsing.

A malicious user can pass libvirt an XML document which contains an
entity that points to an arbitrary file on the host. When libvirt
parses this document, it will insert the contents of that host file,
which could allow the user to read the contents of files that they
otherwise do not have permission to view (CVE-2014-5177).

It also has the potential to cause a denial of service if the
entity points to a special file that can block on read (CVE-2014-0179).

The versions of libvirt package as shipped with Red Hat Enterprise
Linux 5 and 6 are only susceptible to the DoS attack (CVE-2014-0179)
since they do not support fine grained access control.
Comment 5 Daniel Berrangé 2014-05-06 13:42:04 UTC 
Public announcement

 https://www.redhat.com/archives/libvir-list/2014-May/msg00209.html
Comment 7 Petr Matousek 2014-05-06 13:46:30 UTC 
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1094792]
Comment 8 Fedora Update System 2014-05-24 23:24:13 UTC 
libvirt-1.1.3.5-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Petr Matousek 2014-05-26 12:12:07 UTC 
External References:

http://security.libvirt.org/2014/0003.html
Comment 10 Petr Matousek 2014-05-27 08:13:19 UTC 
Statement:

This issue affects the versions of libvirt as shipped with Red Hat Enterprise Linux 5, however the impact is limited to denial of service since it does not support fine grained access control. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 11 Petr Matousek 2014-05-27 08:28:01 UTC 
Acknowledgements:

Red Hat would like to thank the upstream Libvirt project for reporting this 
issue. Upstream acknowledges Daniel P. Berrange and Richard Jones as the original reporters.
Comment 12 errata-xmlrpc 2014-05-27 16:27:05 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0560 https://rhn.redhat.com/errata/RHSA-2014-0560.html
Comment 13 Martin Prpič 2014-07-21 13:57:21 UTC 
IssueDescription CVE-2014-5177:

It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a file could use this flaw to read the contents of that file. Note that this issue is limited to libvirt as shipped with Red Hat Enterprise Linux 7.

IssueDescription CVE-2014-0179:

It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a file could use this flaw to read the contents of that file; parsing an XML document with an entity pointing to a special file that blocks on read access could cause libvirtd to hang indefinitely, resulting in a denial of service on the system.
Comment 14 errata-xmlrpc 2014-07-22 18:31:17 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0914 https://rhn.redhat.com/errata/RHSA-2014-0914.html