|Summary:||<app-emulation/libvirt-1.0.2-r2: "virNetMessageFree()" Use-After-Free Vulnerability (CVE-2013-0170)|
|Product:||Gentoo Security||Reporter:||Agostino Sarubbo <ago>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||458688|
Description Agostino Sarubbo 2013-01-29 21:25:17 UTC
From $URL :

Description
A vulnerability has been reported in libvirt, which can be exploited by malicious people to potentially compromise a vulnerable system. The vulnerability is caused due to a use-after-free error in the "virNetMessageFree()" function (src/rpc/virnetserverclient.c) and can be exploited to dereference already freed memory. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in version 1.0.1. Other versions may also be affected.

Solution
Fixed in the GIT repository.
Comment 1 Doug Goldstein (RETIRED) 2013-01-29 21:32:19 UTC
The advisory is a bit unfortunate. It affects a lot more versions than just 1.0.1 or 1.x. Perfect example is the fact that RHEL released updates for 0.9.6 and newer for Fedora and RHEL6.
Comment 2 Doug Goldstein (RETIRED) 2013-01-29 22:41:59 UTC
Comment 3 Sean Amoss (RETIRED) 2013-02-26 00:03:12 UTC
New GLSA request filed.
Comment 4 GLSAMaker/CVETool Bot 2013-03-04 23:11:51 UTC
CVE-2013-0170 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0170): Use-after-free vulnerability in the virNetMessageFree function in rpc/virnetserverclient.c in libvirt 1.0.x before 1.0.2, 0.10.2 before 0.10.2.3, 0.9.11 before 0.9.11.9, and 0.9.6 before 0.9.6.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering certain errors during an RPC connection, which causes a message to be freed without being removed from the message queue.
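The bug class named in the CVE text above (a message freed while still linked in a queue), as an added example that is not libvirt's code and not part of this bug report. It is a simplified model: every name is hypothetical, and a fixed pool stands in for the heap so the stale queue entry can be counted without touching released memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not libvirt code: "free" only clears a flag in a fixed
 * pool, so a dangling queue entry is observable without undefined behaviour. */
typedef struct msg { struct msg *next; bool live; int id; } msg_t;
static msg_t pool[4];

static msg_t *msg_new(int id) {
    for (int i = 0; i < 4; i++)
        if (!pool[i].live) { pool[i] = (msg_t){ NULL, true, id }; return &pool[i]; }
    return NULL;
}
static void msg_free(msg_t *m) { m->live = false; }   /* stands in for free() */

static void queue_push(msg_t **q, msg_t *m) {
    while (*q) q = &(*q)->next;
    *q = m;
}
/* Unlink m from the queue; returns true if it was found. */
static bool queue_remove(msg_t **q, msg_t *m) {
    for (; *q; q = &(*q)->next)
        if (*q == m) { *q = m->next; m->next = NULL; return true; }
    return false;
}
/* Invariant check: number of queue entries that refer to freed messages. */
static int queue_dangling(const msg_t *q) {
    int n = 0;
    for (; q; q = q->next) n += !q->live;
    return n;
}

/* Error path as described in the CVE text: free without dequeuing. */
static void fail_buggy(msg_t **q, msg_t *m) { (void)q; msg_free(m); }
/* Corrected ordering: dequeue first, then free. */
static void fail_fixed(msg_t **q, msg_t *m) { queue_remove(q, m); msg_free(m); }

/* Queue two messages, fail the first one, report dangling queue entries. */
static int run(void (*fail)(msg_t **, msg_t *)) {
    for (int i = 0; i < 4; i++) pool[i].live = false;
    msg_t *q = NULL, *a = msg_new(1), *b = msg_new(2);
    queue_push(&q, a);
    queue_push(&q, b);
    fail(&q, a);
    return queue_dangling(q);
}

int main(void) {
    printf("buggy=%d fixed=%d\n", run(fail_buggy), run(fail_fixed));
    return 0;
}
```

An invariant check like `queue_dangling` is the kind of assertion that catches this ordering mistake in tests; on a real heap, tools such as AddressSanitizer or Valgrind report the same condition when the stale entry is next dereferenced.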
Comment 5 GLSAMaker/CVETool Bot 2013-09-25 17:19:01 UTC
This issue was resolved and addressed in GLSA 201309-18 at http://security.gentoo.org/glsa/glsa-201309-18.xml by GLSA coordinator Chris Reffett (creffett).