
Bug 487684 (CVE-2013-4399)

Summary: <app-emulation/libvirt-1.1.3 : Callbacks De-registration Handling Denial of Service Vulnerability (CVE-2013-4399)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: cardoe, virtualization
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/55202/
Whiteboard: C3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-10-11 18:58:58 UTC
From ${URL} :

Description

A vulnerability has been reported in libvirt, which can be exploited by malicious users to cause a 
DoS (Denial of Service).

The vulnerability is caused due to an error when handling callbacks deregistration via the 
"virConnectDomainEventDeregisterAny()" API function and can be exploited to cause a crash.

Successful exploitation requires the ACL drivers to be active.


Solution:
Fixed in the git repository.

Provided and/or discovered by:
Zhenfang Wang, Red Hat

Original Advisory:
https://bugzilla.redhat.com/show_bug.cgi?id=1011429


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2013-10-11 19:57:32 UTC
1.0.5.6 is not vulnerable to this issue. It's only for 1.1.0 and greater. The bump with this fix is already in the tree as part of 1.1.3.
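The comment above gives the affected range (1.1.0 and greater, fixed in 1.1.3). The following POSIX sh snippet is an added example, not code from this bug or from libvirt; it compares dot-separated version strings and reports whether a given libvirt version falls inside that range, so an administrator can audit hosts before the stabilization lands. The Gentoo revision suffix handling (`-rN`) is an assumption about how the installed version might be spelled.

```shell
#!/bin/sh
# Added example (not from the bug or from libvirt): classify a libvirt
# version against the CVE-2013-4399 range stated in Comment 1:
# affected if >= 1.1.0 and < 1.1.3.

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B. Components are compared
# numerically, dot by dot; missing trailing components count as 0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# libvirt_affected VERSION: returns 0 (true) when VERSION is in the affected
# range, 1 otherwise. A Gentoo revision suffix such as "-r1" (assumption
# about the installed spelling) is stripped before comparing.
libvirt_affected() {
    v=${1%%-*}
    [ "$(vercmp "$v" 1.1.0)" -ge 0 ] && [ "$(vercmp "$v" 1.1.3)" -lt 0 ]
}

# report VERSION: one-line verdict for ad-hoc audits.
report() {
    if libvirt_affected "$1"; then
        echo "libvirt $1: in the CVE-2013-4399 affected range, upgrade to >=1.1.3"
    else
        echo "libvirt $1: not in the affected range"
    fi
}

# Constructed sample versions for a stand-alone run; replace with the
# output of `virsh --version` on a real host.
for sample in 1.0.5.6 1.1.0 1.1.2 1.1.3 1.1.3-r1; do
    report "$sample"
done
```

Run it as-is to see the verdict for each constructed sample, or pipe a real version string into `report`. The comparison is deliberately numeric per component rather than a string sort, so `1.1.10` would correctly rank above `1.1.3`.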
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2013-10-12 03:43:31 UTC
Arches, please test and mark stable:
=app-emulation/libvirt-1.1.3
Target keywords : "amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2013-10-12 16:09:41 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-10-13 10:32:14 UTC
x86 stable
Comment 5 Sergey Popov gentoo-dev 2013-10-16 09:39:37 UTC
Added to existing GLSA draft
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-12-08 23:47:53 UTC
This issue was resolved and addressed in
GLSA 201412-04 at http://security.gentoo.org/glsa/glsa-201412-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).