
Bug 454588 (CVE-2013-0170)

Summary: <app-emulation/libvirt-1.0.2-r2: "virNetMessageFree()" Use-After-Free Vulnerability (CVE-2013-0170)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: cardoe, virtualization
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/52003/
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 458688
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2013-01-29 21:25:17 UTC
From $URL :

Description
A vulnerability has been reported in libvirt, which can be exploited by malicious people to 
potentially compromise a vulnerable system.

The vulnerability is caused due to a use-after-free error in the "virNetMessageFree()" function 
(src/rpc/virnetserverclient.c) and can be exploited to dereference already freed memory.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 1.0.1. Other versions may also be affected.


Solution
Fixed in the GIT repository.
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2013-01-29 21:32:19 UTC
The advisory is a bit unfortunate. It affects a lot more versions than just 1.0.1 or 1.x. A perfect example is the fact that RHEL released updates for 0.9.6 and newer for Fedora and RHEL6.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-26 00:03:12 UTC
New GLSA request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 23:11:51 UTC
CVE-2013-0170 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0170):
  Use-after-free vulnerability in the virNetMessageFree function in
  rpc/virnetserverclient.c libvirt 1.0.x before 1.0.2, 0.10.2 before 0.10.2.3,
  0.9.11 before 0.9.11.9, and 0.9.6 before 0.9.6.4 allows remote attackers to
  cause a denial of service (crash) and possibly execute arbitrary code by
  triggering certain errors during an RPC connection, which causes a message
  to be freed without being removed from the message queue.
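The CVE text above describes the bug class rather than the patch: a message is freed on an RPC error path while it is still linked into the client's message queue, so the next queue walk touches freed memory. The following is an added illustration of that ownership mistake and of the unlink-then-free invariant that prevents it; it is constructed for this bug entry and is not libvirt's code, and the libvirt fix itself is not reproduced here (the page only says it is fixed in git). All names (`msg_t`, `msg_queue_t`, `on_send_error_vulnerable`, `on_send_error_fixed`, `run_scenario`) are hypothetical. Messages come from a small fixed pool with an `in_use` flag, so the dangling-entry check can observe the defect without dereferencing truly freed memory, which would be undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 8

/* Constructed model of a queued RPC message (not libvirt's struct). */
typedef struct msg {
    struct msg *next;
    bool in_use;      /* false once the slot has been "freed" to the pool */
    unsigned id;
} msg_t;

typedef struct {
    msg_t *head;
    msg_t *tail;
} msg_queue_t;

/* Fixed pool standing in for malloc/free, so freed slots stay inspectable. */
static msg_t pool[POOL_SIZE];

static msg_t *msg_new(unsigned id) {
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].next = NULL;
            pool[i].id = id;
            return &pool[i];
        }
    }
    return NULL;
}

static void msg_free(msg_t *m) {
    m->in_use = false;
    m->next = NULL;   /* poison the link: a freed node must not be walked */
}

static void queue_push(msg_queue_t *q, msg_t *m) {
    m->next = NULL;
    if (q->tail) q->tail->next = m; else q->head = m;
    q->tail = m;
}

/* Unlink m from q; returns false if m was not queued. */
static bool queue_remove(msg_queue_t *q, msg_t *m) {
    msg_t *prev = NULL;
    for (msg_t *cur = q->head; cur; prev = cur, cur = cur->next) {
        if (cur != m) continue;
        if (prev) prev->next = cur->next; else q->head = cur->next;
        if (q->tail == cur) q->tail = prev;
        cur->next = NULL;
        return true;
    }
    return false;
}

/* Vulnerable pattern: the error path releases the message but leaves it
 * linked in the queue, so the queue now owns a dangling pointer. */
static void on_send_error_vulnerable(msg_queue_t *q, msg_t *m) {
    (void)q;
    msg_free(m);
}

/* Corrected pattern: the queue gives up ownership before the memory goes. */
static void on_send_error_fixed(msg_queue_t *q, msg_t *m) {
    queue_remove(q, m);
    msg_free(m);
}

/* Count queue entries that were already freed. In production this oracle is
 * a sanitizer or a use-after-free detector; here the pool flag plays that
 * role. The walk stops at the first freed entry, whose next link is poisoned. */
static int queue_dangling_count(const msg_queue_t *q) {
    int n = 0;
    for (const msg_t *cur = q->head; cur; cur = cur->next)
        if (!cur->in_use) { n++; break; }
    return n;
}

/* Scenario: three queued messages, a send error hits message 2.
 * Returns the number of dangling entries left in the queue. */
static int run_scenario(bool fixed) {
    memset(pool, 0, sizeof pool);
    msg_queue_t q = { NULL, NULL };
    msg_t *a = msg_new(1), *b = msg_new(2), *c = msg_new(3);
    queue_push(&q, a); queue_push(&q, b); queue_push(&q, c);
    if (fixed) on_send_error_fixed(&q, b);
    else       on_send_error_vulnerable(&q, b);
    return queue_dangling_count(&q);
}

int main(void) {
    printf("vulnerable path: %d dangling entry\n", run_scenario(false));
    printf("fixed path:      %d dangling entries\n", run_scenario(true));
    return 0;
}
```

The invariant worth carrying into code review and testing is the one the corrected path enforces: a node is freed only after every container that still references it has been updated. Building such scenarios under AddressSanitizer (with real `malloc`/`free` instead of the demo pool) turns the same error path into a reported use-after-free rather than a silent crash in a later queue walk.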
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-09-25 17:19:01 UTC
This issue was resolved and addressed in
 GLSA 201309-18 at http://security.gentoo.org/glsa/glsa-201309-18.xml
by GLSA coordinator Chris Reffett (creffett).