Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 486352 (CVE-2013-4377) - <app-emulation/qemu-1.7.1: Virtio Hot-Unplugging Use-After-Free Denial of Service Vulnerability (CVE-2013-4377)
Summary: <app-emulation/qemu-1.7.1: Virtio Hot-Unplugging Use-After-Free Denial of Ser...
Status: RESOLVED FIXED
Alias: CVE-2013-4377
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/55015/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-28 18:45 UTC by Agostino Sarubbo
Modified: 2014-09-01 15:34 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-09-28 18:45:47 UTC
From ${URL} :

Description

A vulnerability has been reported in Qemu, which can be exploited by malicious, local users in a 
guest virtual machine to cause a DoS (Denial of Service).

The vulnerability is caused due to a use-after-free error when handling hot-unplugging of virtio 
devices and can be exploited to cause a crash of the Qemu daemon.

The vulnerability is reported in versions 1.4.0 through 1.6.0.


Solution:
No official solution is currently available.

Provided and/or discovered by:
Sibiao Luo, Red Hat

Original Advisory:
https://bugzilla.redhat.com/show_bug.cgi?id=1012633




@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2013-10-01 02:05:25 UTC
My plan is to fix this in 1.6.1 and stabilize that along with 1.5.4.
Comment 2 Thomas Stein 2013-10-14 10:10:03 UTC
Hola.

qemu-1.6.1 has already been released. But i bet you guys are aware of that.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-10-16 02:06:37 UTC
CVE-2013-4377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4377):
  Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0
  through 1.6.0 allows local users to cause a denial of service (daemon crash)
  by "hot-unplugging" a virtio device.
Comment 4 SpanKY gentoo-dev 2014-06-06 01:21:37 UTC
this was merged starting with the 1.7.1 release
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-09-01 15:34:56 UTC
This issue was resolved and addressed in GLSA 201408-17 at http://security.gentoo.org/glsa/glsa-201408-17.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).