Bugzilla – Bug 838638
VUL-1: CVE-2013-4296: libvirt: Fix crash in remoteDispatchDomainMemoryStats
Last modified: 2013-11-11 09:22:09 UTC
via libvirt security list, NOT YET PUBLIC CRD 2013-09-17 proposed From: "Daniel P. Berrange" <berrange@redhat.com> Subject: [Libvirt-Security] [PATCH] Fix crash in remoteDispatchDomainMemoryStats Date: Tue, 3 Sep 2013 16:52:06 +0100 From: "Daniel P. Berrange" <berrange@redhat.com> The 'stats' variable was not initialized to NULL, so if some early validation of the RPC call fails, it is possible to jump to the 'cleanup' label and VIR_FREE an uninitialized pointer. This is a security flaw, since the API can be called from a readonly connection which can trigger the validation checks. This was introduced in release v0.9.1 onwards by commit 158ba8730e44b7dd07a21ab90499996c5dec080a Author: Daniel P. Berrange <berrange@redhat.com> Date: Wed Apr 13 16:21:35 2011 +0100 Merge all returns paths from dispatcher into single path Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- daemon/remote.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemon/remote.c b/daemon/remote.c index 1408798..0f015a3 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -1146,7 +1146,7 @@ remoteDispatchDomainMemoryStats(virNetServerPtr server ATTRIBUTE_UNUSED, remote_domain_memory_stats_ret *ret) { virDomainPtr dom = NULL; - struct _virDomainMemoryStat *stats; + struct _virDomainMemoryStat *stats = NULL; int nr_stats; size_t i; int rv = -1; -- 1.8.3.1
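Review bot: In the declaration block of remoteDispatchDomainMemoryStats, 'int nr_stats;' directly below the changed line is still uninitialized, while 'dom' and 'rv' (and now 'stats') all get explicit initial values. If the 'cleanup' label reads nr_stats in any way, for example to bound a loop over 'stats', the same early-exit path named in the commit message would use an indeterminate value, so I would initialize it to 0 in this patch as well. Since the commit message attributes the regression to 158ba8730e44b7dd07a21ab90499996c5dec080a, which merged the return paths of all dispatchers, it is worth checking the other dispatch functions in daemon/remote.c for pointers that are declared without '= NULL' and released at 'cleanup'. A regression test that issues this call on a readonly connection and fails the early validation would keep the path covered.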
CVE-2013-4296
SLE-10-SP4 Not affected 0.3.3
SLE-11-SP2 Affected 0.9.6
SLE-11-SP3 Affected 1.0.5.4
openSUSE:12.2 Affected 0.9.11.9
openSUSE:12.3 Affected 1.0.2
bugbot adjusting priority
It was agreed to pull the CRD forward to Sept 11th to bundle it with CVE-2013-4311.
The SWAMPID for this issue is 54477. This issue was rated as moderate. Please submit fixed packages until 2013-10-04. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Fixed packages already submitted to SLE11 SP2/3 as noted in #6. I've now taken care of openSUSE as well:
openSUSE12.2, SR#201960
openSUSE12.3, SR#201961
openSUSE13.1/Factory, SR#201962
I'm done here, reassigning to security team.
This is an autogenerated message for OBS integration: This bug (838638) was mentioned in
https://build.opensuse.org/request/show/201960 12.2 / libvirt
https://build.opensuse.org/request/show/201961 12.3 / libvirt
https://build.opensuse.org/request/show/201962 Factory / libvirt
openSUSE-SU-2013:1549-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 836931,838638
CVE References: CVE-2013-4296,CVE-2013-4311
Sources used:
openSUSE 12.2 (src): libvirt-0.9.11.9-1.13.1
openSUSE-SU-2013:1550-1: An update that solves three vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 810611,820888,836931,837999,838638
CVE References: CVE-2013-4296,CVE-2013-4311,CVE-2013-5651
Sources used:
openSUSE 12.3 (src): libvirt-1.0.2-1.10.1
released
Update released for: libvirt, libvirt-client, libvirt-client-32bit, libvirt-client-x86, libvirt-debuginfo, libvirt-debugsource, libvirt-devel, libvirt-devel-32bit, libvirt-doc, libvirt-python
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
Update released for: libvirt, libvirt-client, libvirt-client-32bit, libvirt-client-x86, libvirt-debuginfo, libvirt-debugsource, libvirt-devel, libvirt-devel-32bit, libvirt-doc, libvirt-lock-sanlock, libvirt-python
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)