Bug 838642 (CVE-2013-4297) - VUL-1: CVE-2013-4297: libvirt: Fix crash in virFileNBDDeviceAssociate
Summary: VUL-1: CVE-2013-4297: libvirt: Fix crash in virFileNBDDeviceAssociate
Status: VERIFIED UPSTREAM
Alias: CVE-2013-4297
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: James Fehlig
QA Contact: Security Team bot
Reported: 2013-09-05 11:17 UTC by Marcus Meissner
Modified: 2021-08-11 09:38 UTC

Attachments
Backport of upstream commit 2dba0323 for libvirt 1.1.2 (702 bytes, patch)
2013-09-05 18:31 UTC, James Fehlig
Description Marcus Meissner 2013-09-05 11:17:42 UTC
semi embargoed via libvirt security list, 

2 week embargo starting Sep 3, but no specific date set yet
so perhaps CRD 2013-09-17

CVE-2013-4297

https://www.redhat.com/archives/libvir-list/2013-September/msg00205.html                                                                                                                     
From: "Daniel P. Berrange" <berrange@redhat.com>

If there were no free NBD devices found, then it was possible
to jump to a cleanup block which calls VIR_FREE on an uninitialized
string pointer.

This would cause the libvirt_lxc process to crash when starting an
LXC guest if NBD devices were exhausted.

If fine grained ACLs are active and the user is only given permission
to start/stop guests, then this flaw can be classed as a security issue
since the libvirt_lxc process will not have finished setting up the
container security confinement at this point and the user triggering it
is less privileged than root.

This was introduced in release v1.0.6 onwards by

  commit 8aabd597b379db5ae1655e36dff4f10d5622830a
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Mon Apr 22 15:06:16 2013 +0100

    Add a helper API for setting up a NBD device with qemu-nbd

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
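
The flaw described in the commit message above, reduced to a self-contained C model. This is an added example, not libvirt's code or the attached patch. The function names, the helper and the device path are hypothetical, and the flawed variant is only compiled with -DSHOW_VULNERABLE.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: heap copy of s, or NULL if s is NULL or malloc fails. */
static char *copy_or_null(const char *s)
{
    char *p = s ? malloc(strlen(s) + 1) : NULL;
    return p ? strcpy(p, s) : NULL;
}

#ifdef SHOW_VULNERABLE /* not compiled by default */
/* Flawed shape: on the early goto, 'helper' is still indeterminate when freed. */
static int associate_vulnerable(int free_devices)
{
    char *dev, *helper;
    int ret = -1;
    if (!(dev = copy_or_null(free_devices > 0 ? "/dev/nbd0" : NULL)))
        goto cleanup;            /* helper never assigned on this path */
    if (!(helper = copy_or_null("qemu-nbd")))
        goto cleanup;
    ret = 0;
cleanup:
    free(dev);
    free(helper);                /* undefined behaviour after the early goto */
    return ret;
}
#endif

/* Hardened shape: cleanup pointers start as NULL; free(NULL) is a no-op. */
static int associate_fixed(int free_devices)
{
    char *dev = NULL, *helper = NULL;
    int ret = -1;
    if (!(dev = copy_or_null(free_devices > 0 ? "/dev/nbd0" : NULL)))
        goto cleanup;
    if (!(helper = copy_or_null("qemu-nbd")))
        goto cleanup;
    ret = 0;
cleanup:
    free(dev);
    free(helper);
    return ret;
}

int main(void)
{
    printf("exhausted=%d available=%d\n", associate_fixed(0), associate_fixed(1));
    return 0;
}
```

Building with `-Wall -Wextra` or running a static analyzer over the flawed variant is the usual way to catch this class of cleanup-path bug before release.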
Comment 1 Alexander Bergmann 2013-09-05 12:19:51 UTC
SLE-10-SP4     Not affected     0.3.3
SLE-11-SP2     Not affected     0.9.6 
SLE-11-SP3     Not affected   1.0.5.4
Comment 2 Alexander Bergmann 2013-09-05 12:58:01 UTC
openSUSE:12.2  Not affected  0.9.11.9
openSUSE:12.3  Not affected  1.0.2
Comment 3 James Fehlig 2013-09-05 18:28:46 UTC
This only affects Factory, but I suppose I can't really submit it there due to the "semi-embargo".  The fix is already in libvirt.git

http://libvirt.org/git/?p=libvirt.git;a=commit;h=2dba0323ff0cec31bdcea9dd3b2428af297401f2

but as noted on the libvirt-security list the commit message doesn't mention any vulnerability, so still embargoed :-/.

Should the bug remain open until Factory/13.1 is fixed?
Comment 4 James Fehlig 2013-09-05 18:31:47 UTC
Created attachment 556046
Backport of upstream commit 2dba0323 for libvirt 1.1.2

This is a backport of the commit for libvirt 1.1.2, which I'm hoping will be accepted to Factory for 13.1 beta1 - see SR#197361.
Comment 5 Bernhard Wiedemann 2013-10-02 22:00:56 UTC
This is an autogenerated message for OBS integration:
This bug (838642) was mentioned in
https://build.opensuse.org/request/show/201962 Factory / libvirt