CVE-2023-2700: A vulnerability was found in libvirt. This security flaw occurs due to repeatedly querying an SR-IOV PCI device's capabilities that exposes a memory leak caused by a failure to free the virPCIVirtualFunction array within the parent struct's g_autoptr cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c433fe97671c3f9786ffe2405e91ba9f00ae04fe

commit c433fe97671c3f9786ffe2405e91ba9f00ae04fe
Author: Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2023-06-18 01:42:49 +0000
Commit: Matthias Maier <tamiko@gentoo.org>
CommitDate: 2023-06-18 01:54:05 +0000

    app-emulation/libvirt: drop 8.7.0-r1, 8.8.0-r1, 8.9.0, 8.9.0-r2, 9.2.0

    Bug: https://bugs.gentoo.org/908042
    Bug: https://bugs.gentoo.org/836128
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/libvirt/Manifest | 8 -
 ....0-meson-Stop-detecting-Wl-version-script.patch | 55 ----
 ....0-meson-Stop-detecting-Wl-version-script.patch | 53 ---
 app-emulation/libvirt/libvirt-8.7.0-r1.ebuild | 353 --------------------
 app-emulation/libvirt/libvirt-8.8.0-r1.ebuild | 353 --------------------
 app-emulation/libvirt/libvirt-8.9.0-r2.ebuild | 360 ---------------------
 app-emulation/libvirt/libvirt-8.9.0.ebuild | 356 --------------------
 app-emulation/libvirt/libvirt-9.2.0.ebuild | 359 --------------------
 8 files changed, 1897 deletions(-)
The fix is found in

commit 6425a311b8ad19d6f9c0b315bf1d722551ea3585
Author: Tim Shearer <TShearer@adva.com>
Date: Mon May 1 13:15:48 2023 +0000

which is already part of the 9.3.0 release which is already stabilized in Gentoo.
I believe this ticket can be closed as <=9.3.0 is no longer available in the repository.
(In reply to richard+gentoo-bugzilla from comment #3)
> I believe this ticket can be closed as <=9.3.0 is no longer available in
> the repository.

We still need to publish a GLSA for it, but we have a backlog for those right now.