Bug 828006 (CVE-2013-2124) - VUL-0: CVE-2013-2124: libguestfs (1.21.6 | 1.22.0 | 1.23.0 <= X < 1.22.1 | 1.23.1): Denial of service due to a double-free when inspecting certain guest files / images
Status: RESOLVED FIXED
Alias: CVE-2013-2124
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2013-07-17
Assignee: Olaf Hering
QA Contact: Security Team bot
Whiteboard: maint:running:53421:moderate
Reported: 2013-07-03 15:31 UTC by Marcus Meissner
Modified: 2013-07-04 05:55 UTC
Description Marcus Meissner 2013-07-03 15:31:10 UTC
is public, via oss-sec

CVE-2013-2124

http://www.openwall.com/lists/oss-security/2013/05/29/2

Hello Kurt, Steve, vendors,

  LibguestFS upstream has issued the following patch:
  [1] https://github.com/libguestfs/libguestfs/commit/fa6a76050d82894365dfe32916903ef7fee3ffcd

to correct a double-free flaw in the virt-inspector / other virt-* tools,
which could lead to denial of service if some of the tools were used by
3rd party applications for inspection of untrusted guest files / images:

  [2] https://www.redhat.com/archives/libguestfs/2013-May/msg00079.html
  [3] https://www.redhat.com/archives/libguestfs/2013-May/msg00080.html
Comment 1 Marcus Meissner 2013-07-03 15:31:52 UTC
From: "Richard W.M. Jones" <rjones@redhat.com>

Small adjustment to the subject line.

Just to be clear this affects:

1.20.x, x <= 6
1.21.x, all x (this is an obsolete development branch)
1.22.0
1.23.0

NOT affected are:

anything < 1.20
1.20.7 (fix backported to this stable version yesterday)
1.22.1 (fix backported to this stable version yesterday)
1.23.1 (this is the upstream version, fixed yesterday)

Credit for finding the bug goes to the Coverity static analyzer.

Rich.
Comment 2 Marcus Meissner 2013-07-03 15:32:39 UTC
SLES 11 SP3 has 1.20.4, so should be affected.
Comment 3 Swamp Workflow Management 2013-07-03 15:33:18 UTC
The SWAMPID for this issue is 53421.
This issue was rated as moderate.
Please submit fixed packages until 2013-07-17.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 4 Olaf Hering 2013-07-03 16:24:22 UTC
SUSE:SLE-11-SP3:GA libguestfs already has this fixed:

Fri May 31 01:35:08 CEST 2013 - ohering@suse.de

- force ext4 into read-write mode inside appliance (fate#314864)
- inspection: Don't fail if libosinfo database is not found (RHBZ#948324)
- daemon: Properly quote arguments for tar-out, base64-out commands (RHBZ#957772)
- inspection: Fix double-free when certain guest files are empty. (CVE-2013-2124)
- inspection: Test for failure from match1 function.
- inspection: handle empty file in parse_suse_release
Comment 5 Swamp Workflow Management 2013-07-03 22:00:29 UTC
bugbot adjusting priority
Comment 6 Marcus Meissner 2013-07-04 05:55:25 UTC
thanks!

so sle11 sp3 not affected, not in cloud.
package is not in released openSUSE versions.

can close