[RHSA-2022:7968-01] Low: virt-v2v security, bug fix, and enhancement update

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Tue Nov 15 18:58:08 UTC 2022 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: virt-v2v security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:7968-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7968
Issue date:        2022-11-15
CVE Names:         CVE-2022-2211 
=====================================================================

1. Summary:

An update for virt-v2v is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - noarch
Red Hat Enterprise Linux AppStream (v. 9) - noarch, x86_64

3. Description:

The virt-v2v package provides a tool for converting virtual machines to use
the KVM (Kernel-based Virtual Machine) hypervisor or Red Hat Enterprise
Virtualization. The tool modifies both the virtual machine image and its
associated libvirt metadata. Also, virt-v2v can configure a guest to use
VirtIO drivers if possible.

Security Fix(es):

* libguestfs: Buffer overflow in get_keys leads to DoS (CVE-2022-2211)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1684075 - Virt-v2v can't convert a guest from VMware via nbdkit-vddk if original guest disk address is irregular
1774386 - input_vmx: cleanly reject guests with snapshots when using "-it ssh"
1788823 - Virt-v2v firstboot scripts should run in order, with v2v network configuration happening first
1817050 - Can't convert guest from VMware with non-admin account and vddk >=7.0  by virt-v2v
1848862 - There is nbdkit curl error info if convert a guest from VMware without vddk by administrator account
1854275 - document that vmx+ssh "-ip" auth doesn't cover ssh / scp shell commands
1868048 - [RFE]virt-v2v should install qemu-ga on debian guest during the conversion
1883802 - -i vmx: SATA disks are not parsed
1985830 - Start or remove VM failure even v2v has already finished
2003503 - There is virt-v2v warning: fstrim on guest filesystem /dev/mapper/osprober-linux-sdb1 failed if non-os disk of source guest has few/no inodes lef
2028764 - Install the qemu-guest-agent package during the conversion process
2039597 - Failed to import VM when selecting OVA as a source on RHV webadmin
2047660 - Add '--compressed' support in modular v2v
2051564 - [RFE]Limiting the maximum number of disks per guest for v2v conversions
2059287 - RFE: Rebase virt-v2v to 2.0 in RHEL 9.1
2062360 - RFE: Virt-v2v should replace hairy "enable LEGACY crypto" advice which a more targeted mechanism
2064178 - nothing provides openssh-clients >= 8.8p1 needed by virt-v2v-1:2.0.0-1.el9.x86_64
2066773 - The /tmp/v2v.XXXX directory has incorrect permisison if run v2v by root
2069768 - Import of OVA fails if the user/group name contains spaces
2070186 - fix virtio-vsock check (for Linux guests) in virt-v2v
2070530 - Virt-v2v can't convert guest when os is installed on nvme disk via vmx+ssh
2074026 - Remove -o json option
2074801 - do not pass "--non-bootable --read-write" to "volume create " in openstack output module
2074805 - -o qemu mode fails with: qemu-system-x86_64: -balloon: invalid option and other problems
2076013 - RHEL9.1 guest can't boot into OS after v2v conversion
2082603 - virt-v2v -o qemu prints cosmetic warning: "warning: short-form boolean option 'readonly' deprecated"
2094779 - missing python dependency in rhel9.1
2100862 - CVE-2022-2211 libguestfs: Buffer overflow in get_keys leads to DoS
2101665 - "/dev/nvme0n1" is not remapped to "/dev/vda" (etc) in boot config files such as "/boot/grub2/device.map"
2107503 - RHEL 8.6 VM with "qemu64" CPU model can't start because "the CPU is incompatible with host CPU: Host CPU does not provide required features: svm"
2112801 - RHEL9 guest hangs during boot after conversion by virt-p2v
2116811 - virt-v2v: error: internal error: assertion failed at linux_kernels.ml, line 190, char 11

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
virt-v2v-2.0.7-6.el9.src.rpm

noarch:
virt-v2v-bash-completion-2.0.7-6.el9.noarch.rpm

x86_64:
virt-v2v-2.0.7-6.el9.x86_64.rpm
virt-v2v-debuginfo-2.0.7-6.el9.x86_64.rpm
virt-v2v-debugsource-2.0.7-6.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

noarch:
virt-v2v-man-pages-ja-2.0.7-6.el9.noarch.rpm
virt-v2v-man-pages-uk-2.0.7-6.el9.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2211
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3PhQNzjgjWX9erEAQj9AA/+LVRs5e5xUbvrRYoUnsKZPXZ0fWjz3Dsd
D1P1qBp+IVgJIZNZpVgbuIk5c9C6mNzEFMd/1at0Tput1qu5b4VIUFz1KHvFPYIL
xj+p+mAm5qIA5MKFkCcA7Rw8RdPeeXQojUFoKQU2p6nSUfptMwP7vbWjgRoJJlJ/
TTom+MIktIBhZXoNj9ZnOMMev+8kNbSxItWNrog7rGJLEsOrntRlAr9bcKcrmxV0
fYQ+GpoYsZUBFtN1eIt6695v3lyly0W4myFsjFS4sKr0y4RG8oqY2oyEqMw3qcmd
UlciYz/QuKQqsY1ufc5JajhM0VHHXdv2RVxtJYn2cY4QI7aDeBsbl0wKG2Xs1+7v
19LmBNnikGzQHude/wNXdNkhTdJsvQkv+5ARvSmjkmywACuIbuyudJymG9S4Xzji
gZRzSrfcdh2VqUBUVT4pjjKvFAUqa9BIFSm0iwMlDuuHZj9EhvB7ZydaUjOqfZfp
tHZHGOl/sRtuojGVm56bXqp5u1ib+8VMVq8KCZGwD2dsMygeu3XnXOkvx/458FOY
SpJG+z6GsV0jP193IK9B++54LSL6ZQLQ4yAvDUhxvCtm8nhGtsRGD6HXPOYdpdXM
L1snWm51iEHrNavCuNf8Fh6Z1ewmWbZW+4RDWeo2rIn6HmSCj4iMW4twha+sqDDX
uPMe6qqj+P4=
=3mD0
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list