Bugzilla – Bug 1174458
VUL-0: CVE-2020-14339: libvirt: leak of /dev/mapper/control into QEMU guests
Last modified: 2024-05-10 08:00:34 UTC
CVE-2020-14339

It was discovered that libvirt is accidentally leaking a file descriptor for /dev/mapper/control into the QEMU process. This file descriptor allows for privileged operations to be made against device mapper on the host. Thus a malicious QEMU has the potential to do serious damage to the host OS.

Upstream fix:
https://www.redhat.com/archives/libvir-list/2020-July/msg01500.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1860069
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14339
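A host-side check for the leak described in the report above, added here as an example (it is not part of the bug report or of libvirt's code): it walks a /proc tree and lists QEMU processes that hold a descriptor resolving to /dev/mapper/control. The `qemu` process-name prefix, the function names and the sample PIDs are assumptions; the sample tree is constructed.

```python
import os
import tempfile

TARGET = "/dev/mapper/control"  # device node named in the bug report

def find_leaked_fds(proc_root="/proc", comm_prefix="qemu", target=TARGET):
    """Return sorted (pid, comm, fd) for matching processes with `target` open."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip non-PID entries such as /proc/meminfo
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "comm")) as fh:
                comm = fh.read().strip()
            if not comm.startswith(comm_prefix):  # assumed naming, e.g. qemu-system-x86
                continue
            fds = os.listdir(os.path.join(pid_dir, "fd"))
        except OSError:
            continue  # process exited, or fd table not readable by this user
        for fd in fds:
            try:
                link = os.readlink(os.path.join(pid_dir, "fd", fd))
            except OSError:
                continue  # descriptor closed during the scan
            if link == target:
                hits.append((int(entry), comm, int(fd)))
    return sorted(hits)

def build_sample_proc(root):
    """Constructed /proc-like tree: one leaking QEMU, one clean QEMU, one non-QEMU."""
    sample = {
        "4101": ("qemu-system-x86", {"0": "/dev/null", "27": TARGET}),
        "4102": ("qemu-system-x86", {"0": "/dev/null", "9": "/dev/kvm"}),
        "4103": ("dmeventd", {"5": TARGET}),
    }
    for pid, (comm, fds) in sample.items():
        os.makedirs(os.path.join(root, pid, "fd"))
        with open(os.path.join(root, pid, "comm"), "w") as fh:
            fh.write(comm + "\n")
        for fd, dest in fds.items():
            os.symlink(dest, os.path.join(root, pid, "fd", fd))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("sample:", find_leaked_fds(build_sample_proc(tmp)))
    print("live:", find_leaked_fds())  # run as root to read other users' fd tables
```

A QEMU process keeps whatever descriptors it was started with, so the live scan reflects the libvirt version that launched each guest, not the version currently installed.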
virDevMapperGetTargets was introduced in libvirt-4.3:
https://github.com/libvirt/libvirt/commit/fd9d1e686db64fa9481b9eab4dabafa46713e2cf

SUSE:SLE-12-SP5:Update Affected
SUSE:SLE-15-SP1:Update Affected
SUSE:SLE-15-SP2:Update Affected
(In reply to Wolfgang Frisch from comment #0)
> Upstream fix:
> https://www.redhat.com/archives/libvir-list/2020-July/msg01500.html

In the end it was decided to drop the use of libdevmapper and perform the necessary ioctls from libvirt. libdevmapper is not thread safe and uses global variables - yuk. So thankfully that huge patch series was dropped in favor of this:

https://www.redhat.com/archives/libvir-list/2020-July/msg01743.html

I've backported patches 2-4 to SLE15 SP2 and will look at the other next.
(In reply to James Fehlig from comment #2)
> I've backported patches 2-4 to SLE15 SP2 and will look at the other next.

Although skipping patch 2 made backporting 3 a bit harder, I decided to drop patches 2 and 4 since they are unrelated to the CVE. Backporting to libvirt 5.1.0 (the version in 15 SP1 and 12 SP5) was a real PITA due to the move to glib that occurred after 5.1.0. I'm going to post the backported patch for 15 SP1 in the bug that triggered this issue - bug#1161883. Since the backport was non-trivial, I'll have Lin review it and the customer test it in that bug.
(In reply to Wolfgang Frisch from comment #1)
> SUSE:SLE-12-SP5:Update Affected
> SUSE:SLE-15-SP1:Update Affected
> SUSE:SLE-15-SP2:Update Affected

I've backported commit 22494556 to all of these code bases and have submitted maintenance requests. FYI a customer reported positive test results on SLE15 SP1 in bug#1161883. Passing the bug to security now...
SUSE-SU-2020:2233-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1161883,1171946,1172052,1174458
CVE References: CVE-2020-14339
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): libvirt-5.1.0-13.9.1
SUSE Linux Enterprise Server 12-SP5 (src): libvirt-5.1.0-13.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2237-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (important)
Bug References: 1161883,1167007,1171946,1172052,1174458
CVE References: CVE-2020-14339
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): libvirt-5.1.0-8.19.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): libvirt-5.1.0-8.19.1
SUSE-SU-2020:2269-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1161883,1174458
CVE References: CVE-2020-14339
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): libvirt-6.0.0-13.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): libvirt-6.0.0-13.3.1
Done
openSUSE-SU-2020:1455-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1161883,1174458
CVE References: CVE-2020-14339
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): libvirt-6.0.0-lp152.9.3.1