Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 484014 (CVE-2013-4297) - <app-emulation/libvirt-1.1.2-r1: uninitialized pointer DoS (CVE-2013-4297)
Summary: <app-emulation/libvirt-1.1.2-r1: uninitialized pointer DoS (CVE-2013-4297)
Status: RESOLVED FIXED
Alias: CVE-2013-4297
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://libvirt.org/git/?p=libvirt.git...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-06 15:48 UTC by Doug Goldstein (RETIRED)
Modified: 2014-12-08 23:47 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Doug Goldstein (RETIRED) gentoo-dev 2013-09-06 15:48:22 UTC 
*reserved*

Unfortunately the issue has been made public by the publishing of the patch. Which is now committed upstream and tagged as the fix for CVE-2013-4297, but the CVE hasn't actually been published yet. Since the fix is out there might as well get it in Gentoo and stabilized.

target keywords: amd64 x86
Comment 1 Agostino Sarubbo gentoo-dev 2013-09-07 19:08:23 UTC 
x86 stable
Comment 2 Agostino Sarubbo gentoo-dev 2013-09-07 19:08:35 UTC 
amd64 stable
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-09 02:22:10 UTC 
Waiting for CVE to be published to decide whether to GLSA.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-19 15:49:25 UTC 
[1] indicates that this is a DoS (invalid free) vuln.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1006505
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-10-02 04:07:11 UTC 
CVE-2013-4297 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4297):
  The virFileNBDDeviceAssociate function in util/virfile.c in libvirt 1.1.2
  and earlier allows remote authenticated users to cause a denial of service
  (uninitialized pointer dereference and crash) via unspecified vectors.
Comment 6 Sergey Popov gentoo-dev 2013-10-02 09:19:35 UTC 
Added to existing GLSA draft
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-12-08 23:47:38 UTC 
This issue was resolved and addressed in
 GLSA 201412-04 at http://security.gentoo.org/glsa/glsa-201412-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).