1088290 – (CVE-2014-0179, CVE-2014-5177) CVE-2014-0179 CVE-2014-5177 libvirt: unsafe parsing of XML documents allows libvirt DoS and/or arbitrary file read

Bug 1088290 (CVE-2014-0179, CVE-2014-5177) - CVE-2014-0179 CVE-2014-5177 libvirt: unsafe parsing of XML documents allows libvirt DoS and/or arbitrary file read

Summary: CVE-2014-0179 CVE-2014-5177 libvirt: unsafe parsing of XML documents allows l...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-0179, CVE-2014-5177
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1088292 1088293 1094790 1094791 1094792
Blocks:	1086699 1088308 1097799 1121180
TreeView+	depends on / blocked

Reported:	2014-04-16 11:35 UTC by Petr Matousek
Modified:	2023-05-13 00:17 UTC (History)
CC List:	17 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a file could use this flaw to read the contents of that file (limited to libvirt as shipped with Red Hat Enterprise Linux 7); parsing an XML document with an entity pointing to a special file that blocks on read access could cause libvirtd to hang indefinitely, resulting in a denial of service on the system.
Clone Of:
Environment:
Last Closed:	2014-07-22 19:43:36 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:0560	0	normal	SHIPPED_LIVE	Moderate: libvirt security and bug fix update	2014-05-27 20:25:33 UTC
Red Hat Product Errata	RHSA-2014:0914	0	normal	SHIPPED_LIVE	Moderate: libvirt security and bug fix update	2014-07-22 22:31:05 UTC

Description Petr Matousek 2014-04-16 11:35:42 UTC

When parsing XML documents, libvirt passes the XML_PARSE_NOENT flag
to libxml2 which instructs it to expand all entities in the XML
document during parsing.

A malicious user can pass libvirt an XML document which contains an
entity that points to an arbitrary file on the host. When libvirt
parses this document, it will insert the contents of that host file,
which could allow the user to read the contents of files that they
otherwise do not have permission to view (CVE-2014-5177).

It also has the potential to cause a denial of service if the
entity points to a special file that can block on read (CVE-2014-0179).

The versions of libvirt package as shipped with Red Hat Enterprise
Linux 5 and 6 are only susceptible to the DoS attack (CVE-2014-0179)
since they do not support fine grained access control.

Comment 5 Daniel Berrangé 2014-05-06 13:42:04 UTC

Public announcement

 https://www.redhat.com/archives/libvir-list/2014-May/msg00209.html

Comment 7 Petr Matousek 2014-05-06 13:46:30 UTC

Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1094792]

Comment 8 Fedora Update System 2014-05-24 23:24:13 UTC

libvirt-1.1.3.5-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Petr Matousek 2014-05-26 12:12:07 UTC

External References:

http://security.libvirt.org/2014/0003.html

Comment 10 Petr Matousek 2014-05-27 08:13:19 UTC

Statement:

This issue affects the versions of libvirt as shipped with Red Hat Enterprise Linux 5, however the impact is limited to denial of service since it does not support fine grained access control. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 11 Petr Matousek 2014-05-27 08:28:01 UTC

Acknowledgements:

Red Hat would like to thank the upstream Libvirt project for reporting this 
issue. Upstream acknowledges Daniel P. Berrange and Richard Jones as the original reporters.

Comment 12 errata-xmlrpc 2014-05-27 16:27:05 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0560 https://rhn.redhat.com/errata/RHSA-2014-0560.html

Comment 13 Martin Prpič 2014-07-21 13:57:21 UTC

IssueDescription CVE-2014-5177:

It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a file could use this flaw to read the contents of that file. Note that this issue is limited to libvirt as shipped with Red Hat Enterprise Linux 7.

IssueDescription CVE-2014-0179:

It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a file could use this flaw to read the contents of that file; parsing an XML document with an entity pointing to a special file that blocks on read access could cause libvirtd to hang indefinitely, resulting in a denial of service on the system.

Comment 14 errata-xmlrpc 2014-07-22 18:31:17 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0914 https://rhn.redhat.com/errata/RHSA-2014-0914.html

Note You need to log in before you can comment on or make changes to this bug.