Bug 827801 (CVE-2013-2230) - VUL-1: libvirt: CVE-2013-2230: incorrect return value in qemuConnectDomainEventRegisterAny()
Status: RESOLVED FIXED
Alias: CVE-2013-2230
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low, Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2013-07-02 14:09 UTC by Sebastian Krahmer
Modified: 2014-07-07 10:04 UTC
Description Sebastian Krahmer 2013-07-02 14:09:57 UTC
EMBARGOED via libvirt-security list:

(sorry the patch was inline)

----------------------8<---------------

Don't overwrite the callback ID returned by
virDomainEventStateRegisterID in ret by 0.

Introduced by abf75aea.

https://bugzilla.redhat.com/show_bug.cgi?id=980428
---

Reported by zhenfeng wang
Only affects 1.1.0.

The bug was filed as public, does that mean I can send the patch
to the public list right away?

 src/qemu/qemu_driver.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 6a83fda..1355d90 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -9914,9 +9914,7 @@ qemuConnectDomainEventRegisterAny(virConnectPtr conn,
                                       driver->domainEventState,
                                       dom, eventID,
                                       callback, opaque, freecb, &ret) < 0)
-        goto cleanup;
-
-    ret = 0;
+        ret = -1;

 cleanup:
     return ret;
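Review bot: at the call ending in "&ret) < 0)", the function's return value now depends on virDomainEventStateRegisterID() storing the callback ID through &ret, and nothing in the hunk says so. A one-line comment above the call stating that ret carries the callback ID on success would keep a later cleanup from reintroducing the "ret = 0;" idiom removed here. The explicit "ret = -1;" on the failure branch is worth keeping, since it does not rely on the callee leaving ret untouched on error. If no other "goto cleanup" remains in the function (the hunk does not show one), the "cleanup:" label is now reached only by fall-through and could be dropped. A regression test that registers two callbacks and checks that the returned IDs differ would cover this.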
Comment 2 Swamp Workflow Management 2013-07-02 22:00:33 UTC
bugbot adjusting priority
Comment 7 Marcus Meissner 2013-07-10 12:43:52 UTC
From: Petr Matousek <pmatouse@redhat.com>
Subject: [Libvirt-Security] [NOT A CVE REQUEST] CVE-2013-2230 -- libvirt:
 multiple registered events crash

A flaw was found in the way multiple event registrations were handled in
the libvirt qemu driver.

A remote user able to issue commands to libvirt daemon could use this
flaw to crash libvirtd.

Upstream fix:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=f38c8185f97720ecae7ef2291fbaa5d6b0209e17

References:
https://bugzilla.redhat.com/show_bug.cgi?id=981476

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team
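
A simplified C model of the return-value bug discussed in this report, added here as an illustration and not libvirt code: event_state, state_register, state_deregister and the two register_any_* wrappers are hypothetical stand-ins, and the stand-in's 0/-1 return convention is an assumption. It shows two registrations both reporting ID 0 before the patch, so deregistering by the returned IDs leaves one callback registered.

```c
#include <stdio.h>
#define MAX_CB 8
/* Toy event state (constructed): callback ID n is live when active[n] != 0. */
struct event_state { int active[MAX_CB]; int count; };
/* Hypothetical stand-in for virDomainEventStateRegisterID: returns 0 or -1
 * and hands the new callback ID back through the out-parameter. */
static int state_register(struct event_state *st, int *callback_id) {
    if (st->count >= MAX_CB)
        return -1;
    st->active[st->count] = 1;
    *callback_id = st->count++;
    return 0;
}
/* Remove a callback by ID; returns 0 if it was live, -1 otherwise. */
static int state_deregister(struct event_state *st, int callback_id) {
    if (callback_id < 0 || callback_id >= st->count || !st->active[callback_id])
        return -1;
    st->active[callback_id] = 0;
    return 0;
}
/* Pre-patch shape: the ID written into ret is overwritten by 0. */
static int register_any_buggy(struct event_state *st) {
    int ret = -1;
    if (state_register(st, &ret) < 0)
        goto cleanup;
    ret = 0;
cleanup:
    return ret;
}
/* Patched shape: ret keeps the ID and is reset to -1 only on failure. */
static int register_any_fixed(struct event_state *st) {
    int ret = -1;
    if (state_register(st, &ret) < 0)
        ret = -1;
    return ret;
}
/* Register twice, deregister with the returned IDs, count what is left. */
static int leftover_after_two(int (*reg)(struct event_state *)) {
    struct event_state st = {0};
    int a = reg(&st), b = reg(&st), left = 0;
    state_deregister(&st, a);
    state_deregister(&st, b);
    for (int i = 0; i < MAX_CB; i++) left += st.active[i];
    return left;
}
int main(void) {
    printf("left registered: buggy=%d fixed=%d\n",
           leftover_after_two(register_any_buggy), leftover_after_two(register_any_fixed));
    return 0;
}
```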
Comment 8 Bernhard Wiedemann 2013-07-12 17:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (827801) was mentioned in
https://build.opensuse.org/request/show/182939 Factory / libvirt
Comment 9 James Fehlig 2013-07-12 17:06:24 UTC
libvirt 1.1.0 + commit f6e543ba has been submitted to Factory - SR#182939.  IMO, this bug can now be closed.
Comment 10 Sebastian Krahmer 2013-07-16 14:20:29 UTC
ok