
Bug 424165 (CVE-2012-2693)

Summary: <app-emulation/libvirt-0.9.12: possible data leak (CVE-2012-2693)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: cardoe, virtualization
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2693
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=815755
Whiteboard: C4 [noglsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2012-06-29 21:07:21 UTC
CVE-2012-2693 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2693):
  libvirt, possibly before 0.9.12, does not properly assign USB devices to
  virtual machines when multiple devices have the same vendor and product ID,
  which might cause the wrong device to be associated with a guest and might
  allow local users to access unintended USB devices.
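
An added example, not part of the bug report or libvirt's code: an audit check for the condition the CVE description names, a USB passthrough entry selected by vendor and product ID alone while the host has several devices with that ID. It assumes libvirt's documented `<hostdev type='usb'>` domain XML layout; the domain XML, the IDs and the host device list are constructed sample data, and `ambiguous_usb_hostdevs` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample domain XML (IDs are made up): the first hostdev is selected
# by vendor/product only, the second also carries a bus/device address.
DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <hostdev mode='subsystem' type='usb'>
      <source><vendor id='0x1234'/><product id='0x5678'/></source>
    </hostdev>
    <hostdev mode='subsystem' type='usb'>
      <source>
        <vendor id='0xabcd'/><product id='0x0001'/>
        <address bus='1' device='4'/>
      </source>
    </hostdev>
  </devices>
</domain>"""

# Constructed host inventory: (bus, device, vendor_id, product_id).
HOST_USB = [
    (1, 2, 0x1234, 0x5678),
    (2, 3, 0x1234, 0x5678),  # second device with the same vendor/product ID
    (1, 4, 0xABCD, 0x0001),
    (1, 5, 0xABCD, 0x0001),
]


def ambiguous_usb_hostdevs(domain_xml, host_usb):
    """Return (vendor, product, host_matches) for every USB hostdev that is
    selected by vendor/product ID alone while more than one host device
    carries that ID."""
    counts = Counter((vendor, product) for _bus, _dev, vendor, product in host_usb)
    findings = []
    for hostdev in ET.fromstring(domain_xml).iter("hostdev"):
        if hostdev.get("type") != "usb":
            continue
        source = hostdev.find("source")
        if source is None or source.find("address") is not None:
            continue  # no source, or selected by explicit bus/device address
        vendor, product = source.find("vendor"), source.find("product")
        if vendor is None or product is None:
            continue
        key = (int(vendor.get("id"), 16), int(product.get("id"), 16))
        if counts[key] > 1:
            findings.append((key[0], key[1], counts[key]))
    return findings
```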
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2012-06-30 01:32:59 UTC
I've added the original Red Hat bugzilla entry where I believe we discussed this originally. Unfortunately it's locked, so I can't confirm.
Comment 2 Doug Goldstein (RETIRED) gentoo-dev 2012-06-30 01:37:37 UTC
Just looking at the patches I believe fix this, it appears they are in 0.9.11.4 and 0.9.12.
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2012-06-30 01:47:23 UTC
FWIW, 0.9.12 and 0.9.11.4 are both in the tree and can be stabilized.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-11 20:13:30 UTC
Thanks, Doug.

Arches, please test and mark stable:

=app-emulation/libvirt-0.9.11.4
=app-emulation/libvirt-0.9.12

Target KEYWORDS: "amd64 x86"
Comment 5 Agostino Sarubbo gentoo-dev 2012-07-15 11:36:45 UTC
amd64 stable
Comment 6 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-18 05:18:22 UTC
x86 stable
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-19 20:48:27 UTC
Thanks, everyone.

Closing noglsa for C4 rating.