When parsing XML documents, libvirt passes the XML_PARSE_NOENT flag to libxml2 which instructs it to expand all entities in the XML document during parsing. A malicious user can pass libvirt an XML document which contains an entity that points to an arbitrary file on the host. When libvirt parses this document, it will insert the contents of that host file, which could allow the user to read the contents of files that they otherwise do not have permission to view (CVE-2014-5177). It also has the potential to cause a denial of service if the entity points to a special file that can block on read (CVE-2014-0179). The versions of libvirt package as shipped with Red Hat Enterprise Linux 5 and 6 are only susceptible to the DoS attack (CVE-2014-0179) since they do not support fine grained access control.
Public announcement https://www.redhat.com/archives/libvir-list/2014-May/msg00209.html
Created libvirt tracking bugs for this issue: Affects: fedora-all [bug 1094792]
libvirt-1.1.3.5-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
External References: http://security.libvirt.org/2014/0003.html
Statement: This issue affects the versions of libvirt as shipped with Red Hat Enterprise Linux 5, however the impact is limited to denial of service since it does not support fine grained access control. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Acknowledgements: Red Hat would like to thank the upstream Libvirt project for reporting this issue. Upstream acknowledges Daniel P. Berrange and Richard Jones as the original reporters.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2014:0560 https://rhn.redhat.com/errata/RHSA-2014-0560.html
IssueDescription CVE-2014-5177: It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a file could use this flaw to read the contents of that file. Note that this issue is limited to libvirt as shipped with Red Hat Enterprise Linux 7. IssueDescription CVE-2014-0179: It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a file could use this flaw to read the contents of that file; parsing an XML document with an entity pointing to a special file that blocks on read access could cause libvirtd to hang indefinitely, resulting in a denial of service on the system.
This issue has been addressed in following products: Red Hat Enterprise Linux 7 Via RHSA-2014:0914 https://rhn.redhat.com/errata/RHSA-2014-0914.html