Bugzilla – Bug 830498
VUL-0: libvirt: CVE-2013-4154: crash of libvirtd without guest agent configuration
Last modified: 2013-07-25 09:18:04 UTC
Public via OSS-sec:

Date: Fri, 19 Jul 2013 18:14:52 +0200
From: Petr Matousek
To: oss-security
Cc: libvirt-security

If users haven't configured guest agent then qemuAgentCommand() will dereference a NULL 'mon' pointer. A remote user able to issue commands to libvirt daemon could use this flaw to crash libvirtd.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=986386
https://bugzilla.redhat.com/show_bug.cgi?id=984821
https://www.redhat.com/archives/libvir-list/2013-July/msg00992.html

Upstream fix:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=96518d4316b711c72205117f8d5c967d5127bbb6

Thanks,
--
Petr Matousek / Red Hat Security Response Team
This CVE (and CVE-2013-4153) only affects libvirt 1.1.0, which only affects Factory. I've added patches for both CVEs and submitted a new libvirt 1.1.0 package to Factory - SR#184015. I think this can be closed now, but will leave that to the security team.
This is an autogenerated message for OBS integration: This bug (830498) was mentioned in https://build.opensuse.org/request/show/184015 Factory / libvirt
bugbot adjusting priority
closing