-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: libguestfs and virt-p2v security, bug fix, and enhancement update
Advisory ID:       RHSA-2016:2576-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2576.html
Issue date:        2016-11-03
CVE Names:         CVE-2015-8869
=====================================================================

1. Summary:

An update for libguestfs and virt-p2v is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

The libguestfs packages contain a library, which is used for accessing and modifying virtual machine (VM) disk images.

Virt-p2v is a tool for conversion of a physical server to a virtual guest.

The following packages have been upgraded to a newer upstream version: libguestfs (1.32.7), virt-p2v (1.32.7). (BZ#1218766)

Security Fix(es):

* An integer conversion flaw was found in the way OCaml's String handled its length. Certain operations on an excessively long String could trigger a buffer overflow or result in an information leak. (CVE-2015-8869)

Note: The libguestfs packages in this advisory were rebuilt with a fixed version of OCaml to address this issue.

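
The conversion named in bug 1332090 (size arguments sign-extended from 32 to 64 bits), shown as an added C illustration that is not part of the advisory and is not OCaml runtime code. The names `size_seen_by_copy` and `blit_checked` are hypothetical, and an LP64 platform (32-bit int, 64-bit size_t) is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class; hypothetical names, not OCaml
   runtime code. Assumes LP64 (32-bit int, 64-bit size_t), e.g. x86_64. */

/* Flawed pattern: a 64-bit length is narrowed to int, then widened again
   when handed to a copy routine. Returns the size the routine would see. */
size_t size_seen_by_copy(int64_t requested)
{
    int narrowed = (int)requested;  /* keeps the low 32 bits (gcc/clang behaviour) */
    return (size_t)narrowed;        /* a negative int sign-extends to 64 bits */
}

/* Hardened pattern: keep the full width, reject negatives, and compare
   against the remaining space so that no addition can wrap. */
int blit_checked(const char *src, size_t src_len, int64_t src_ofs,
                 char *dst, size_t dst_len, int64_t dst_ofs, int64_t len)
{
    if (src_ofs < 0 || dst_ofs < 0 || len < 0)
        return -1;
    if ((uint64_t)src_ofs > src_len || (uint64_t)len > src_len - (uint64_t)src_ofs)
        return -1;
    if ((uint64_t)dst_ofs > dst_len || (uint64_t)len > dst_len - (uint64_t)dst_ofs)
        return -1;
    memmove(dst + dst_ofs, src + src_ofs, (size_t)len);
    return 0;
}

int main(void)
{
    /* Constructed sample lengths: in range, 2^31, and 2^32 + 4. */
    const int64_t samples[] = { 4, INT64_C(0x80000000), INT64_C(0x100000004) };
    char src[8] = "ABCDEFG", dst[8] = { 0 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("requested %lld -> copy routine sees %zu, checked blit returns %d\n",
               (long long)samples[i], size_seen_by_copy(samples[i]),
               blit_checked(src, sizeof src, 0, dst, sizeof dst, 0, samples[i]));
    return 0;
}
```

A length of 2^31 reaches the copy routine as a size near 2^64, while 2^32 + 4 reaches it as 4; the full-width check rejects both.
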
Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

855058 - RFE: virt-p2v: display more information about storage devices
1064041 - virt-sparsify fails if a btrfs filesystem contains readonly snapshots
1099976 - virt-builder gives GPG warning message with gnupg2
1156298 - Remove files in package libguestfs-bash-completion, these files are bash completion files, some of the virt tool completion are already implement in another file, so can remove its completion file
1164708 - set-label can only set <=127 bytes for btrfs and <=126 bytes for ntfs filesystem which not meet the help message. Also for ntfs it should give a warning message when the length >128 bytes
1166057 - btrfs filesystem will not work well if you create the filesystem with multiple disks at the same time, such as: mkfs-btrfs "/dev/sda1 /dev/sdb1"
1167916 - P2V: invalid conversion server prints unexpected end of file waiting for password prompt.
1173695 - RFE: allow passing in a pre-opened libvirt connection from python
1174551 - "lstatnslist" and "lstatlist" don't give an error if the API is used wrongly
1176801 - File /etc/sysconfig/kernel isn't updated when convert XenPV guest with regular kernel installed
1180769 - Security context on image file gets reset
1190669 - Support virt-v2v conversion of Windows > 7
1213324 - virt-v2v: warning: unknown guest operating system: windows windows 6.3 when converting win8,win8.1,win2012,win2012R2,win10 to rhev
1213701 - Fail to import win8/win2012 to rhev with error "selected display type is not supported"
1218766 - Rebase libguestfs in RHEL 7.3
1225789 - Wrong video driver is installed for rhel5.11 guest after conversion to libvirt
1227599 - P2V invalid password prints unexpected end of file waiting for command prompt.
1227609 - virt-p2v: Using "Back" button causes output list to be repopulated multiple times
1229119 - Unrelated info in fstab makes virt-v2v fail with unclear error info
1229386 - virt-p2v in non-GUI mode doesn't show any conversion progress or status
1238053 - v2v:Duplicate disk target set when convert guest with cdrom attached
1239154 - appliance fails to start with "supermin: ext2fs_file_write: /var/log/tallylog: Could not allocate block in ext2 filesystem"
1242853 - mount-loop failed to setup loop device: No such file or directory
1260801 - virt-builder --ssh-inject doesn't set proper permissions on created files
1261242 - virt-v2v should prevent using '-of' option appears twice on the command line
1261436 - No warning shows when convert a win7 guest with AVG AntiVirus installed
1262959 - virt-builder/virt-customize set password does not work
1264835 - ppc64le: virt-customize --install fail to detect the guest arch
1267032 - guestfish copy-in command behaves oddly/unexpectedly with wildcards
1277074 - Virt-p2v client shouldn't present the vdsm option because it's not usable
1277122 - RFE: virt-sparsify: make '--in-place' sparsification safe to abort (gracefully or ungracefully)
1287826 - Remove virt-v2v support for ppc64le
1290755 - guestfish should be able to handle LVM thin layouts
1292437 - Backport virt-v2v pull dcpath from libvirt
1293527 - There should be a reminder to avoid user to edit a guest image by multiple tools at the same time in guestfish man page
1296606 - virt-v2v doesn't remove VirtualBox additions correctly because of file quoting
1306557 - Running 'git clone' in virt-builder or virt-customize results in an error message
1308769 - virt-v2v does not copy additional disks to Glance
1309580 - OS name of win8.1 x64 guest shows incorrect in rhevm3.6 general info
1309619 - Wrong warning info "use standard VGA" shows when converting windows > 7 by virt-v2v
1309706 - error: internal error: Invalid floppy device name: hdb
1309796 - Filter perl provides
1311373 - Fail to install QXL driver for windows 2008r2 and win7 guest after conversion by virt-v2v
1312254 - virt-v2v -o libvirt doesn't preserve or use correct
1314244 - RFE: virt-p2v log window should process colour escapes and backspaces
1315237 - Remove reference info about --dcpath in virt-v2v manual page
1316479 - v2v cmd cannot exit and "block I/O error in device 'appliance': No space left on device (28)" is printed when specified "-v -x"
1318440 - virt-sysprep will fail detecting OS if "/usr" is a distinct partition mounted in "/" via fstab
1325825 - virt-v2v should prevent using multiple '-b' and '-n' option appears on the command line
1326266 - virt-v2v should prevent multiple conflicting for "-oa "
1328766 - Remove --in-place option in virt-v2v help
1332025 - Inspection does not parse /etc/redhat-release containing "Derived from Red Hat Enterprise Linux 7.1 (Source)"
1332090 - CVE-2015-8869 ocaml: sizes arguments are sign-extended from 32 to 64 bits
1340407 - Multiple network ports will not be aligned at p2v client
1340464 - [RFE] Suggestion give user a reminder for "Cancel conversion" button
1340809 - Testing connection timeout when input regular user of conversion server with checked "use sudo......"button
1341564 - virt-p2v spinner should be hidden when it stops spinning
1341608 - Ethtool command is not supported on p2v client
1341984 - virt-get-kernel prompts an 'invalid value' error when using --format auto
1342337 - Should remind a warning about disk image has a partition when using virt-p2v-make-disk
1342398 - Convert a guest from RHEL by virt-v2v but its origin info shows RHEV at rhevm
1342447 - Ifconfig command is not supported on p2v client
1343167 - Failure when disk contains an LV with activationskip=y
1343414 - Failed SSH to conversion server by ssh identity http url at p2v client
1343423 - [RFE]Should give a better description about 'curl error 22' when failed using ssh identity http url at p2v client
1345809 - virt-customize --truncate-recursive should give an error message when specifying a no-existing path
1345813 - virt-sysprep --install always failed to install the packages specified
1348900 - virt-p2v should update error prompt when 'Test connection' with a non-existing user in conversion server
1349237 - virt-inspector can not get windows drive letters for GPT disks
1349342 - Error info is not clear when failed ssh to conversion server using non-root user with password on p2v client
1350363 - Improve error info "remote server timeout unexpectedly waiting for password prompt" when connect to a bogus server at p2v client
1352761 - Virt-manager can't show OS icons of win7/win8/ubuntu guest.
1354335 - overlay of disk images does not specify the format of the backing file
1358142 - Some info will show when convert guest to libvirt by virt-v2v with parameter --quiet
1359652 - Fail to inspect Windows ISO file
1362354 - virt-dib failed to create image using DIB_YUM_REPO_CONF
1362357 - run_command runs exit handlers when execve fails (e.g. due to missing executable)
1362668 - Miscellaneous fixes to tool options
1362669 - Backport improved --selinux-relabel support for virt-sysprep, virt-builder, virt-customize
1364347 - virt-sparsify --in-place failed with UEFI system
1364419 - [virt-p2v]Failed to connect to conversion server while testing LSI-mpt2sas hardware which using bnx2x network driver
1365005 - Guest name is incorrect if convert guest from disk image by virt-v2v
1366456 - Converting rhel7 host installed on RAID:warning: fstrim: fstrim: /sysroot/: the discard operation is not supported
1367615 - OVMF file which is built for rhel7.3 can't be used for virt-v2v uefi conversion
1370424 - virt-manager coredump when vm with gluster image exists

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
libguestfs-1.32.7-3.el7.src.rpm

noarch:
libguestfs-inspect-icons-1.32.7-3.el7.noarch.rpm
libguestfs-tools-1.32.7-3.el7.noarch.rpm

x86_64:
libguestfs-1.32.7-3.el7.x86_64.rpm
libguestfs-debuginfo-1.32.7-3.el7.x86_64.rpm
libguestfs-java-1.32.7-3.el7.x86_64.rpm
libguestfs-tools-c-1.32.7-3.el7.x86_64.rpm
libguestfs-xfs-1.32.7-3.el7.x86_64.rpm
perl-Sys-Guestfs-1.32.7-3.el7.x86_64.rpm
python-libguestfs-1.32.7-3.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
libguestfs-bash-completion-1.32.7-3.el7.noarch.rpm
libguestfs-gobject-doc-1.32.7-3.el7.noarch.rpm
libguestfs-javadoc-1.32.7-3.el7.noarch.rpm
libguestfs-man-pages-ja-1.32.7-3.el7.noarch.rpm
libguestfs-man-pages-uk-1.32.7-3.el7.noarch.rpm

x86_64:
libguestfs-debuginfo-1.32.7-3.el7.x86_64.rpm
libguestfs-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-gfs2-1.32.7-3.el7.x86_64.rpm
libguestfs-gobject-1.32.7-3.el7.x86_64.rpm
libguestfs-gobject-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-java-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-rescue-1.32.7-3.el7.x86_64.rpm
libguestfs-rsync-1.32.7-3.el7.x86_64.rpm
lua-guestfs-1.32.7-3.el7.x86_64.rpm
ocaml-libguestfs-1.32.7-3.el7.x86_64.rpm
ocaml-libguestfs-devel-1.32.7-3.el7.x86_64.rpm
ruby-libguestfs-1.32.7-3.el7.x86_64.rpm
virt-dib-1.32.7-3.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
libguestfs-1.32.7-3.el7.src.rpm
virt-p2v-1.32.7-2.el7.src.rpm

noarch:
libguestfs-inspect-icons-1.32.7-3.el7.noarch.rpm
libguestfs-tools-1.32.7-3.el7.noarch.rpm
virt-p2v-1.32.7-2.el7.noarch.rpm

x86_64:
libguestfs-1.32.7-3.el7.x86_64.rpm
libguestfs-debuginfo-1.32.7-3.el7.x86_64.rpm
libguestfs-java-1.32.7-3.el7.x86_64.rpm
libguestfs-tools-c-1.32.7-3.el7.x86_64.rpm
libguestfs-xfs-1.32.7-3.el7.x86_64.rpm
perl-Sys-Guestfs-1.32.7-3.el7.x86_64.rpm
python-libguestfs-1.32.7-3.el7.x86_64.rpm
virt-v2v-1.32.7-3.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
libguestfs-bash-completion-1.32.7-3.el7.noarch.rpm
libguestfs-gobject-doc-1.32.7-3.el7.noarch.rpm
libguestfs-javadoc-1.32.7-3.el7.noarch.rpm
libguestfs-man-pages-ja-1.32.7-3.el7.noarch.rpm
libguestfs-man-pages-uk-1.32.7-3.el7.noarch.rpm

x86_64:
libguestfs-debuginfo-1.32.7-3.el7.x86_64.rpm
libguestfs-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-gfs2-1.32.7-3.el7.x86_64.rpm
libguestfs-gobject-1.32.7-3.el7.x86_64.rpm
libguestfs-gobject-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-java-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-rescue-1.32.7-3.el7.x86_64.rpm
libguestfs-rsync-1.32.7-3.el7.x86_64.rpm
lua-guestfs-1.32.7-3.el7.x86_64.rpm
ocaml-libguestfs-1.32.7-3.el7.x86_64.rpm
ocaml-libguestfs-devel-1.32.7-3.el7.x86_64.rpm
ruby-libguestfs-1.32.7-3.el7.x86_64.rpm
virt-dib-1.32.7-3.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
libguestfs-1.32.7-3.el7.src.rpm

noarch:
libguestfs-inspect-icons-1.32.7-3.el7.noarch.rpm
libguestfs-tools-1.32.7-3.el7.noarch.rpm

x86_64:
libguestfs-1.32.7-3.el7.x86_64.rpm
libguestfs-debuginfo-1.32.7-3.el7.x86_64.rpm
libguestfs-java-1.32.7-3.el7.x86_64.rpm
libguestfs-tools-c-1.32.7-3.el7.x86_64.rpm
libguestfs-xfs-1.32.7-3.el7.x86_64.rpm
perl-Sys-Guestfs-1.32.7-3.el7.x86_64.rpm
python-libguestfs-1.32.7-3.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
libguestfs-bash-completion-1.32.7-3.el7.noarch.rpm
libguestfs-gobject-doc-1.32.7-3.el7.noarch.rpm
libguestfs-javadoc-1.32.7-3.el7.noarch.rpm
libguestfs-man-pages-ja-1.32.7-3.el7.noarch.rpm
libguestfs-man-pages-uk-1.32.7-3.el7.noarch.rpm

x86_64:
libguestfs-debuginfo-1.32.7-3.el7.x86_64.rpm
libguestfs-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-gfs2-1.32.7-3.el7.x86_64.rpm
libguestfs-gobject-1.32.7-3.el7.x86_64.rpm
libguestfs-gobject-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-java-devel-1.32.7-3.el7.x86_64.rpm
libguestfs-rescue-1.32.7-3.el7.x86_64.rpm
libguestfs-rsync-1.32.7-3.el7.x86_64.rpm
lua-guestfs-1.32.7-3.el7.x86_64.rpm
ocaml-libguestfs-1.32.7-3.el7.x86_64.rpm
ocaml-libguestfs-devel-1.32.7-3.el7.x86_64.rpm
ruby-libguestfs-1.32.7-3.el7.x86_64.rpm
virt-dib-1.32.7-3.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-8869
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.3_Release_Notes/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYGvqeXlSAg2UNWIIRAriHAJ9FbswQlx4PF1JzLAs/7Ol11kA9ywCaAjyZ
FAqe2QgPmgwRZEjHvFMTIqs=
=oJlz
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce