Bug 746119 (CVE-2020-25637) - <app-emulation/libvirt-6.8.0: double free in qemuAgentGetInterfaces() in qemu_agent.c (CVE-2020-25637)
Status: RESOLVED FIXED
Alias: CVE-2020-25637
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 753761
Blocks: CVE-2020-14339
Reported: 2020-10-02 09:45 UTC by Agostino Sarubbo
Modified: 2022-10-16 14:58 UTC

Description Agostino Sarubbo gentoo-dev 2020-10-02 09:45:12 UTC
From https://www.openwall.com/lists/oss-security/2020/10/02/1 :

Hello,

A double free memory issue was found to occur in the libvirt API
responsible for requesting information about network interfaces of a
running QEMU domain. This flaw affects the polkit access control
driver. Specifically, clients connecting to the read-write socket with
limited ACL permissions could use this flaw to crash the libvirt
daemon, resulting in a denial of service, or potentially escalate
their privileges on the system.

CVE-2020-25637 has been assigned for this flaw.

Fixed in libvirt v6.8.0 (2020-10-01).

Upstream commits:
* https://libvirt.org/git/?p=libvirt.git;a=commit;h=955029bd0ad7ef96000f529ac38204a8f4a96401
* https://libvirt.org/git/?p=libvirt.git;a=commit;h=50864dcda191eb35732dbd80fb6ca251a6bba923
* https://libvirt.org/git/?p=libvirt.git;a=commit;h=e4116eaa44cb366b59f7fe98f4b88d04c04970ad
* https://libvirt.org/git/?p=libvirt.git;a=commit;h=a63b48c5ecef077bf0f909a85f453a605600cf05

Credit: Ilja Van Sprundel (IOActive).

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Larry the Git Cow gentoo-dev 2020-10-02 17:05:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e783633710d2749ee0787dc1291708d3b1f1aa2

commit 6e783633710d2749ee0787dc1291708d3b1f1aa2
Author:     Jonathan Davies <jpds@protonmail.com>
AuthorDate: 2020-10-02 10:51:31 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-10-02 16:39:01 +0000

    libvirt: Version updated to 6.8.0.
    
    Bug: https://bugs.gentoo.org/746119
    
    Signed-off-by: Jonathan Davies <jpds@protonmail.com>
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/libvirt/Manifest                     |   1 +
 app-emulation/libvirt/libvirt-6.8.0.ebuild         | 344 +++++++++++++++++++++
 dev-python/libvirt-python/Manifest                 |   1 +
 .../libvirt-python/libvirt-python-6.8.0.ebuild     |  46 +++
 4 files changed, 392 insertions(+)
Comment 2 Matthias Maier gentoo-dev 2020-10-02 17:06:32 UTC
This is a minor issue. Let's hold off on stabilization for a bit.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-23 04:11:08 UTC
Ready?
Comment 4 Matthias Maier gentoo-dev 2020-11-10 00:35:32 UTC
Arches, please stabilize
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-10 18:12:11 UTC
amd64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-10 18:12:58 UTC
x86 done

all arches done
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-10 20:47:30 UTC
Thanks all. Maintainer, please cleanup.
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 23:43:10 UTC
Ping
Comment 11 Larry the Git Cow gentoo-dev 2020-12-25 20:03:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=80d5e81147f726e386e76c37fb24df12c4db9077

commit 80d5e81147f726e386e76c37fb24df12c4db9077
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2020-12-25 20:03:31 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-12-25 20:03:31 +0000

    app-emulation/libvirt: drop vulnerable
    
    Bug: https://bugs.gentoo.org/746119
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/libvirt/Manifest             |   1 -
 app-emulation/libvirt/libvirt-6.7.0.ebuild | 344 -----------------------------
 2 files changed, 345 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5db717a67be2fa3fe5722371d83aff37393045b2

commit 5db717a67be2fa3fe5722371d83aff37393045b2
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2020-12-25 20:02:25 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-12-25 20:02:25 +0000

    dev-python/libvirt-python: drop vulnerable
    
    Bug: https://bugs.gentoo.org/746119
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 dev-python/libvirt-python/Manifest                 |  3 +-
 .../libvirt-python/libvirt-python-6.7.0.ebuild     | 46 ----------------------
 2 files changed, 1 insertion(+), 48 deletions(-)
Comment 12 Matthias Maier gentoo-dev 2021-04-04 17:32:28 UTC
*ping* security
Comment 13 NATTkA bot gentoo-dev 2021-07-29 17:25:51 UTC
Package list is empty or all packages have requested keywords.
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:24:23 UTC
GLSA request filed
Comment 15 Larry the Git Cow gentoo-dev 2022-10-16 14:46:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=48e6804ed5fa75343b7496c1033000fda3741b42

commit 48e6804ed5fa75343b7496c1033000fda3741b42
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:42:10 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:45:24 +0000

    [ GLSA 202210-06 ] libvirt: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/746119
    Bug: https://bugs.gentoo.org/799713
    Bug: https://bugs.gentoo.org/812317
    Bug: https://bugs.gentoo.org/836128
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-06.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-16 14:58:20 UTC
GLSA released, all done!