Mandriva Linux Security Advisory 2015-070

Mandriva Linux Security Advisory 2015-070 – The qemuDomainMigratePerform and qemuDomainMigrateFinish2 functions in qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL check fails, which allow local users to cause a denial of service via unspecified vectors. The XML getters for for save images and snapshots objects don’t check ACLs for the VIR_DOMAIN_XML_SECURE flag and might possibly dump security sensitive information. A remote attacker able to establish a connection to libvirtd could use this flaw to cause leak certain limited information from the domain xml file. The updated packages provides the latest 1.1.3.9 version which has more robust fixes for MDVSA-2015:023 and MDVSA-2015:035.

Leave a Reply