Bug 830497 (CVE-2013-4153) - VUL-0: libvirt: CVE-2013-4153: double free of returned JSON array in qemuAgentGetVCPUs()
Summary: VUL-0: libvirt: CVE-2013-4153: double free of returned JSON array in qemuAgen...
Status: RESOLVED UPSTREAM
Alias: CVE-2013-4153
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-22 06:38 UTC by Sebastian Krahmer
Modified: 2013-07-25 09:17 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Krahmer 2013-07-22 06:38:28 UTC 
Public via OSS-sec:

Date: Fri, 19 Jul 2013 18:12:57 +0200
From: Petr Matousek
To: oss-security
Cc: libvirt-security


A part of the returned monitor response was freed twice and caused
crashes of the daemon when using guest agent cpu count retrieval.

A remote user able to issue commands to libvirt daemon could use this
flaw to crash libvirtd or, potentially, escalate their privileges to
that of libvirtd process.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=986383
https://bugzilla.redhat.com/show_bug.cgi?id=984821
https://www.redhat.com/archives/libvir-list/2013-July/msg01035.html

Upstream fix:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=dfc692350a04a70b4ca65667c30869b3bfdaf034

Thanks,
--
Petr Matousek / Red Hat Security Response Team
~
Comment 1 Swamp Workflow Management 2013-07-22 22:00:31 UTC 
bugbot adjusting priority
Comment 2 James Fehlig 2013-07-23 22:48:32 UTC 
Opps, missed this bug.  It falls into the same category as bug#830498 and can be closed.
Comment 3 Marcus Meissner 2013-07-24 12:43:10 UTC 
resolve