Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 424165 (CVE-2012-2693)

Summary: <app-emulation/libvirt-0.9.12: possible data leak (CVE-2012-2693)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: trivial CC: cardoe, virtualization
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Whiteboard: C4 [noglsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2012-06-29 21:07:21 UTC
CVE-2012-2693 (
  libvirt, possibly before 0.9.12, does not properly assign USB devices to
  virtual machines when multiple devices have the same vendor and product ID,
  which might cause the wrong device to be associated with a guest and might
  allow local users to access unintended USB devices.
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2012-06-30 01:32:59 UTC
I've added the original RedHat bugzilla entry where I believe we discussed this originally. Unfortunately its locked so I can't confirm.
Comment 2 Doug Goldstein (RETIRED) gentoo-dev 2012-06-30 01:37:37 UTC
Just looking at the patches I believe fix this, it appears they are in and 0.9.12.
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2012-06-30 01:47:23 UTC
FWIW, 0.9.12 and are both in the tree and can be stabilized.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-11 20:13:30 UTC
Thanks, Doug.

Arches, please test and mark stable:


Target KEYWORDS: "amd64 x86"
Comment 5 Agostino Sarubbo gentoo-dev 2012-07-15 11:36:45 UTC
amd64 stable
Comment 6 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-18 05:18:22 UTC
x86 stable
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-19 20:48:27 UTC
Thanks, everyone.

Closing noglsa for C4 rating.