CVE-2014-5177

Name	CVE-2014-5177
Description	libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12) virConnectDomainXMLToNative, (13) virSecretDefineXML, (14) virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16) virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18) virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT from CVE-2014-0179 per ADT3 due to different affected versions of some vectors.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libvirt (PTS)	jessie, jessie (lts)	1.2.9-9+deb8u7	fixed
	stretch (security), stretch (lts), stretch	3.0.0-4+deb9u5	fixed
	buster	5.0.0-4+deb10u1	fixed
	buster (security)	5.0.0-4+deb10u2	fixed
	bullseye	7.0.0-3+deb11u2	fixed
	bookworm	9.0.0-4	fixed
	sid, trixie	10.2.0-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency
libvirt	source	squeeze	(not affected)
libvirt	source	wheezy	(not affected)
libvirt	source	(unstable)	1.2.4-1	low

Notes

[wheezy] - libvirt <not-affected> (Not exploitable in that version)
[squeeze] - libvirt <not-affected> (Not exploitable in that version)
http://security.libvirt.org/2014/0003.html