{"id":"MGASA-2014-0243","summary":"Updated libvirt packages fix multiple vulnerabilities","details":"Updated libvirt packages fix security vulnerabilities:\n\nThe LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through\n1.2.1 allows local users to (1) delete arbitrary host devices\nvia the virDomainDeviceDettach API and a symlink attack on /dev\nin the container; (2) create arbitrary nodes (mknod) via the\nvirDomainDeviceAttach API and a symlink attack on /dev in the\ncontainer; and cause a denial of service (shutdown or reboot host\nOS) via the (3) virDomainShutdown or (4) virDomainReboot API and a\nsymlink attack on /dev/initctl in the container, related to paths under\n/proc//root and the virInitctlSetRunLevel function (CVE-2013-6456).\n\nlibvirt was patched to prevent expansion of entities when parsing XML\nfiles. This vulnerability allowed malicious users to read arbitrary\nfiles or cause a denial of service (CVE-2014-0179).\n","modified":"2026-04-16T00:11:09.658257584Z","published":"2014-05-29T07:01:13Z","upstream":["CVE-2013-6456","CVE-2014-0179"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0243.html"},{"type":"WEB","url":"http://security.libvirt.org/2013/0018.html"},{"type":"WEB","url":"http://security.libvirt.org/2014/0003.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2014-05/msg00048.html"},{"type":"ADVISORY","url":"http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:097/"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=12920"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=13387"}],"affected":[{"package":{"name":"libvirt","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/libvirt?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.2-8.5.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0243.json"}},{"package":{"name":"libvirt","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/libvirt?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.1-1.1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0243.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}