-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: libguestfs and virt-p2v security, bug fix, and enhancement update
Advisory ID: RHSA-2016:2576-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2576.html
Issue date: 2016-11-03
CVE Names: CVE-2015-8869
=====================================================================
1. Summary:
An update for libguestfs and virt-p2v is now available for Red Hat
Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) – noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) – noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) – noarch, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) – noarch, x86_64
Red Hat Enterprise Linux Workstation (v. 7) – noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) – noarch, x86_64
3. Description:
The libguestfs packages contain a library, which is used for accessing and
modifying virtual machine (VM) disk images.
Virt-p2v is a tool for conversion of a physical server to a virtual guest.
The following packages have been upgraded to a newer upstream version:
libguestfs (1.32.7), virt-p2v (1.32.7). (BZ#1218766)
Security Fix(es):
* An integer conversion flaw was found in the way OCaml’s String handled
its length. Certain operations on an excessively long String could trigger
a buffer overflow or result in an information leak. (CVE-2015-8869)
Note: The libguestfs packages in this advisory were rebuilt with a fixed
version of OCaml to address this issue.
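The integer conversion issue named above (bug 1332090 describes size arguments sign-extended from 32 to 64 bits), as an added illustration in C. This is not OCaml runtime code and not part of the advisory; the function names are hypothetical. It shows the flawed widening next to a checked conversion that refuses negative or oversized lengths before any copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical helper names; this is not OCaml runtime code. */

/* Flawed conversion: a signed 32-bit length widened to a 64-bit size.
 * A negative value is sign-extended, so -1 becomes 0xFFFFFFFFFFFFFFFF. */
uint64_t widen_unchecked(int32_t len)
{
    return (uint64_t)(int64_t)len;
}

/* Checked conversion: reject negative lengths and lengths beyond the
 * destination capacity before any size arithmetic or copy takes place. */
int widen_checked(int32_t len, size_t capacity, size_t *out)
{
    if (len < 0)
        return -1;
    if ((uint64_t)len > (uint64_t)capacity)
        return -1;
    *out = (size_t)len;
    return 0;
}

/* Bounded copy built on the checked conversion. Returns the number of
 * bytes copied, or -1 if the request was refused. */
long copy_bounded(char *dst, size_t dst_cap, const char *src, int32_t len)
{
    size_t n;
    if (widen_checked(len, dst_cap, &n) != 0)
        return -1;
    memcpy(dst, src, n);
    return (long)n;
}

int main(void)
{
    char buf[16];
    int32_t bad = INT32_MIN + 16; /* constructed: a length that went negative */
    printf("unchecked size: 0x%llx\n", (unsigned long long)widen_unchecked(bad));
    printf("checked copy of bad length: %ld\n", copy_bounded(buf, sizeof buf, "x", bad));
    printf("checked copy of 10 bytes: %ld\n", copy_bounded(buf, sizeof buf, "libguestfs", 10));
    return 0;
}
```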
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
855058 – RFE: virt-p2v: display more information about storage devices
1064041 – virt-sparsify fails if a btrfs filesystem contains readonly snapshots
1099976 – virt-builder gives GPG warning message with gnupg2
1156298 – Remove files in package libguestfs-bash-completion, these files are bash completion files, some of the virt tool completion are already implement in another file, so can remove its completion file
1164708 – set-label can only set <=127 bytes for btrfs and <=126 bytes for ntfs filesystem which not meet the help message. Also for ntfs it should give a warning message when the length >128 bytes
1166057 – btrfs filesystem will not work well if you create the filesystem with multiple disks at the same time, such as: mkfs-btrfs "/dev/sda1 /dev/sdb1"
1167916 – P2V: invalid conversion server prints unexpected end of file waiting for password prompt.
1173695 – RFE: allow passing in a pre-opened libvirt connection from python
1174551 – “lstatnslist” and “lstatlist” don’t give an error if the API is used wrongly
1176801 – File /etc/sysconfig/kernel isn’t updated when convert XenPV guest with regular kernel installed
1180769 – Security context on image file gets reset
1190669 – Support virt-v2v conversion of Windows > 7
1213324 – virt-v2v: warning: unknown guest operating system: windows windows 6.3 when converting win8,win8.1,win2012,win2012R2,win10 to rhev
1213701 – Fail to import win8/win2012 to rhev with error “selected display type is not supported”
1218766 – Rebase libguestfs in RHEL 7.3
1225789 – Wrong video driver is installed for rhel5.11 guest after conversion to libvirt
1227599 – P2V invalid password prints unexpected end of file waiting for command prompt.
1227609 – virt-p2v: Using “Back” button causes output list to be repopulated multiple times
1229119 – Unrelated info in fstab makes virt-v2v fail with unclear error info
1229386 – virt-p2v in non-GUI mode doesn’t show any conversion progress or status
1238053 – v2v:Duplicate disk target set when convert guest with cdrom attached
1239154 – appliance fails to start with “supermin: ext2fs_file_write: /var/log/tallylog: Could not allocate block in ext2 filesystem”
1242853 – mount-loop failed to setup loop device: No such file or directory
1260801 – virt-builder --ssh-inject doesn’t set proper permissions on created files
1261242 – virt-v2v should prevent using ‘-of’ option appears twice on the command line
1261436 – No warning shows when convert a win7 guest with AVG AntiVirus installed
1262959 – virt-builder/virt-customize set password does not work
1264835 – ppc64le: virt-customize --install fail to detect the guest arch
1267032 – guestfish copy-in command behaves oddly/unexpectedly with wildcards
1277074 – Virt-p2v client shouldn’t present the vdsm option because it’s not usable
1277122 – RFE: virt-sparsify: make ‘--in-place’ sparsification safe to abort (gracefully or ungracefully)
1287826 – Remove virt-v2v support for ppc64le
1290755 – guestfish should be able to handle LVM thin layouts
1292437 – Backport virt-v2v pull dcpath from libvirt <vmware:datacenterpath>
1293527 – There should be a reminder to avoid user to edit a guest image by multiple tools at the same time in guestfish man page
1296606 – virt-v2v doesn’t remove VirtualBox additions correctly because of file quoting
1306557 – Running ‘git clone’ in virt-builder or virt-customize results in an error message
1308769 – virt-v2v does not copy additional disks to Glance
1309580 – OS name of win8.1 x64 guest shows incorrect in rhevm3.6 general info
1309619 – Wrong warning info “use standard VGA” shows when converting windows > 7 by virt-v2v
1309706 – error: internal error: Invalid floppy device name: hdb
1309796 – Filter perl provides
1311373 – Fail to install QXL driver for windows 2008r2 and win7 guest after conversion by virt-v2v
1312254 – virt-v2v -o libvirt doesn’t preserve or use correct <graphics type="vnc|spice">
1314244 – RFE: virt-p2v log window should process colour escapes and backspaces
1315237 – Remove reference info about --dcpath in virt-v2v manual page
1316479 – v2v cmd cannot exit and “block I/O error in device ‘appliance’: No space left on device (28)” is printed when specified “-v -x”
1318440 – virt-sysprep will fail detecting OS if “/usr” is a distinct partition mounted in “/” via fstab
1325825 – virt-v2v should prevent using multiple ‘-b’ and ‘-n’ option appears on the command line
1326266 – virt-v2v should prevent multiple conflicting for “-oa “
1328766 – Remove --in-place option in virt-v2v help
1332025 – Inspection does not parse /etc/redhat-release containing “Derived from Red Hat Enterprise Linux 7.1 (Source)”
1332090 – CVE-2015-8869 ocaml: sizes arguments are sign-extended from 32 to 64 bits
1340407 – Multiple network ports will not be aligned at p2v client
1340464 – [RFE] Suggestion give user a reminder for “Cancel conversion” button
1340809 – Testing connection timeout when input regular user of conversion server with checked “use sudo……”button
1341564 – virt-p2v spinner should be hidden when it stops spinning
1341608 – Ethtool command is not supported on p2v client
1341984 – virt-get-kernel prompts an ‘invalid value’ error when using --format auto
1342337 – Should remind a warning about disk image has a partition when using virt-p2v-make-disk
1342398 – Convert a guest from RHEL by virt-v2v but its origin info shows RHEV at rhevm
1342447 – Ifconfig command is not supported on p2v client
1343167 – Failure when disk contains an LV with activationskip=y
1343414 – Failed SSH to conversion server by ssh identity http url at p2v client
1343423 – [RFE]Should give a better description about ‘curl error 22’ when failed using ssh identity http url at p2v client
1345809 – virt-customize --truncate-recursive should give an error message when specifying a no-existing path
1345813 – virt-sysprep --install always failed to install the packages specified
1348900 – virt-p2v should update error prompt when ‘Test connection’ with a non-existing user in conversion server
1349237 – virt-inspector can not get windows drive letters for GPT disks
1349342 – Error info is not clear when failed ssh to conversion server using non-root user with password on p2v client
1350363 – Improve error info “remote server timeout unexpectedly waiting for password prompt” when connect to a bogus server at p2v client
1352761 – Virt-manager can’t show OS icons of win7/win8/ubuntu guest.
1354335 – overlay of disk images does not specify the format of the backing file
1358142 – Some info will show when convert guest to libvirt by virt-v2v with parameter --quiet
1359652 – Fail to inspect Windows ISO file
1362354 – virt-dib failed to create image using DIB_YUM_REPO_CONF
1362357 – run_command runs exit handlers when execve fails (e.g. due to missing executable)
1362668 – Miscellaneous fixes to tool options
1362669 – Backport improved --selinux-relabel support for virt-sysprep, virt-builder, virt-customize
1364347 – virt-sparsify --in-place failed with UEFI system
1364419 – [virt-p2v]Failed to connect to conversion server while testing LSI-mpt2sas hardware which using bnx2x network driver
1365005 – Guest name is incorrect if convert guest from disk image by virt-v2v
1366456 – Converting rhel7 host installed on RAID:warning: fstrim: fstrim: /sysroot/: the discard operation is not supported
1367615 – OVMF file which is built for rhel7.3 can’t be used for virt-v2v uefi conversion
1370424 – virt-manager coredump when vm with gluster image exists
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
libguestfs-1.32.7-3.el7.src.rpm
noarch:
libguestfs-inspect-icons-1.32.7-3.el7.noarch.rpm
libguestfs-tools-1.32.7-3.el7.noarch.rpm
x86_64:
libguestfs-1.32.7-3.el7.x86_64.rpm
libguestfs-debuginfo-1.32.7-3.el7.x86_64.rpm
libguestfs-java-1.32.7-3.el7.x86_64.rpm
libguestfs-tools-c-1.32.7-3.el7.x86_64.rpm
libguestfs-xfs-1.32.7-3.el7.x86_64.rpm
perl-Sys-Guestfs-1.32.7-3.el7.x86_64.rpm
python-libguestfs-1.32.7-3.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
libguestfs-bash-completion-1.32.7-3.el7.noarch.rpm
libguestfs-gobject-doc-1.32.7-3.el7.noarch.rpm
libguestfs-javadoc-1.32.7-3.el7.noarch.rpm
libguestfs-man-pages-ja-1.32.7-3.el7.noarch.rpm
libguestfs-man-pages-uk-1.32.7-3.el7.noarch.rpm
x86_64:
libguestfs-debuginfo-1.32.7-3.el7.x86_64.rpm
libguestfs-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-gfs2-1.32.7-3.el7.x86_64.rpm
libguestfs-gobject-1.32.7-3.el7.x86_64.rpm
libguestfs-gobject-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-java-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-rescue-1.32.7-3.el7.x86_64.rpm
libguestfs-rsync-1.32.7-3.el7.x86_64.rpm
lua-guestfs-1.32.7-3.el7.x86_64.rpm
ocaml-libguestfs-1.32.7-3.el7.x86_64.rpm
ocaml-libguestfs-devel-1.32.7-3.el7.x86_64.rpm
ruby-libguestfs-1.32.7-3.el7.x86_64.rpm
virt-dib-1.32.7-3.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
libguestfs-1.32.7-3.el7.src.rpm
virt-p2v-1.32.7-2.el7.src.rpm
noarch:
libguestfs-inspect-icons-1.32.7-3.el7.noarch.rpm
libguestfs-tools-1.32.7-3.el7.noarch.rpm
virt-p2v-1.32.7-2.el7.noarch.rpm
x86_64:
libguestfs-1.32.7-3.el7.x86_64.rpm
libguestfs-debuginfo-1.32.7-3.el7.x86_64.rpm
libguestfs-java-1.32.7-3.el7.x86_64.rpm
libguestfs-tools-c-1.32.7-3.el7.x86_64.rpm
libguestfs-xfs-1.32.7-3.el7.x86_64.rpm
perl-Sys-Guestfs-1.32.7-3.el7.x86_64.rpm
python-libguestfs-1.32.7-3.el7.x86_64.rpm
virt-v2v-1.32.7-3.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch:
libguestfs-bash-completion-1.32.7-3.el7.noarch.rpm
libguestfs-gobject-doc-1.32.7-3.el7.noarch.rpm
libguestfs-javadoc-1.32.7-3.el7.noarch.rpm
libguestfs-man-pages-ja-1.32.7-3.el7.noarch.rpm
libguestfs-man-pages-uk-1.32.7-3.el7.noarch.rpm
x86_64:
libguestfs-debuginfo-1.32.7-3.el7.x86_64.rpm
libguestfs-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-gfs2-1.32.7-3.el7.x86_64.rpm
libguestfs-gobject-1.32.7-3.el7.x86_64.rpm
libguestfs-gobject-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-java-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-rescue-1.32.7-3.el7.x86_64.rpm
libguestfs-rsync-1.32.7-3.el7.x86_64.rpm
lua-guestfs-1.32.7-3.el7.x86_64.rpm
ocaml-libguestfs-1.32.7-3.el7.x86_64.rpm
ocaml-libguestfs-devel-1.32.7-3.el7.x86_64.rpm
ruby-libguestfs-1.32.7-3.el7.x86_64.rpm
virt-dib-1.32.7-3.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
libguestfs-1.32.7-3.el7.src.rpm
noarch:
libguestfs-inspect-icons-1.32.7-3.el7.noarch.rpm
libguestfs-tools-1.32.7-3.el7.noarch.rpm
x86_64:
libguestfs-1.32.7-3.el7.x86_64.rpm
libguestfs-debuginfo-1.32.7-3.el7.x86_64.rpm
libguestfs-java-1.32.7-3.el7.x86_64.rpm
libguestfs-tools-c-1.32.7-3.el7.x86_64.rpm
libguestfs-xfs-1.32.7-3.el7.x86_64.rpm
perl-Sys-Guestfs-1.32.7-3.el7.x86_64.rpm
python-libguestfs-1.32.7-3.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch:
libguestfs-bash-completion-1.32.7-3.el7.noarch.rpm
libguestfs-gobject-doc-1.32.7-3.el7.noarch.rpm
libguestfs-javadoc-1.32.7-3.el7.noarch.rpm
libguestfs-man-pages-ja-1.32.7-3.el7.noarch.rpm
libguestfs-man-pages-uk-1.32.7-3.el7.noarch.rpm
x86_64:
libguestfs-debuginfo-1.32.7-3.el7.x86_64.rpm
libguestfs-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-gfs2-1.32.7-3.el7.x86_64.rpm
libguestfs-gobject-1.32.7-3.el7.x86_64.rpm
libguestfs-gobject-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-java-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-rescue-1.32.7-3.el7.x86_64.rpm
libguestfs-rsync-1.32.7-3.el7.x86_64.rpm
lua-guestfs-1.32.7-3.el7.x86_64.rpm
ocaml-libguestfs-1.32.7-3.el7.x86_64.rpm
ocaml-libguestfs-devel-1.32.7-3.el7.x86_64.rpm
ruby-libguestfs-1.32.7-3.el7.x86_64.rpm
virt-dib-1.32.7-3.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-8869
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.3_Release_Notes/index.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFYGvqeXlSAg2UNWIIRAriHAJ9FbswQlx4PF1JzLAs/7Ol11kA9ywCaAjyZ
FAqe2QgPmgwRZEjHvFMTIqs=
=oJlz
-----END PGP SIGNATURE-----