
Bug 532204 (CVE-2014-8131)

Summary: <app-emulation/libvirt-1.2.10-r2: deadlock and segfault in qemuConnectGetAllDomainStats (CVE-2014-8131)
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: cardoe, tamiko, virtualization
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1172569
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-10 22:03:17 UTC
From ${URL}:
When user doesn't have read access on one of the domains he requested,
the for loop in qemuConnectGetAllDomainStats() could exit abruptly or
continue and override pointer which pointed to locked object.

With certain configuration, this can either cause a deadlock (it leaves a
domain locked) or a segmentation fault when domain object has its reference
counter decremented when it was not incremented.

With certain configuration, a remote attacker able to establish a read-only
connection to libvirtd could use this flaw to cause denial of service condition
or crash libvirtd.

Introduced by:

http://libvirt.org/git/?p=libvirt.git;a=commit;h=d1bde8ed
http://libvirt.org/git/?p=libvirt.git;a=commit;h=1f4831ee

Upstream patch:
https://www.redhat.com/archives/libvir-list/2014-December/msg00551.html
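
The leaked-lock case from the description above, reduced to a constructed C model. This is an added example, not libvirt source and not part of the original report; `dom_t` and every function name here are hypothetical, and the lock and reference are modelled as plain counters.

```c
/* Added illustration: constructed types and names, not libvirt source. */
#include <stdbool.h>
#include <stddef.h>

/* readable: outcome of the per-domain ACL check; locked/refs: held by this call */
typedef struct { bool readable; int locked; int refs; } dom_t;

static void dom_acquire(dom_t *d) { d->locked++; d->refs++; }
static void dom_release(dom_t *d) { d->locked--; d->refs--; }

/* Flawed shape: 'continue' on ACL failure skips the release step. */
int stats_leaky(dom_t *doms, size_t n) {
    int collected = 0;
    for (size_t i = 0; i < n; i++) {
        dom_acquire(&doms[i]);
        if (!doms[i].readable)
            continue;            /* lock and reference are never released */
        collected++;
        dom_release(&doms[i]);
    }
    return collected;
}

/* Hardened shape: acquire and release are paired on every path through the loop. */
int stats_paired(dom_t *doms, size_t n) {
    int collected = 0;
    for (size_t i = 0; i < n; i++) {
        dom_acquire(&doms[i]);
        if (doms[i].readable)
            collected++;
        dom_release(&doms[i]);
    }
    return collected;
}

/* Runs fn over a constructed sample (middle domain fails the ACL check) and
 * returns how many domains are left locked or with an unbalanced count. */
int unbalanced_after(int (*fn)(dom_t *, size_t)) {
    dom_t doms[3] = { {true, 0, 0}, {false, 0, 0}, {true, 0, 0} };
    int bad = 0;
    fn(doms, 3);
    for (size_t i = 0; i < 3; i++)
        bad += (doms[i].locked != 0 || doms[i].refs != 0);
    return bad;
}
```

The same post-call invariant (nothing locked, counts back to zero) also flags the opposite error the report mentions, a release without a matching acquire, which shows up as a negative count.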
Comment 1 Matthias Maier gentoo-dev 2014-12-10 22:56:23 UTC
*libvirt-1.2.10-r1 (10 Dec 2014)

  10 Dec 2014; Matthias Maier <tamiko@gentoo.org>
  +files/libvirt-1.2.10-cve-2014-8131.patch, +libvirt-1.2.10-r1.ebuild,
  -libvirt-1.2.10.ebuild, -libvirt-1.2.9.1-r1.ebuild:
  fix for CVE-2014-8131, bug #532204, drop vulnerable unstable

Vulnerable version left in tree: 1.2.9-r2.

I wanted to start the stabilization of libvirt-1.2.10 today anyway. So we just go for it :-)


Arches, please mark stable app-emulation/libvirt-1.2.10-r1

Target keywords: amd64 x86
Comment 2 Agostino Sarubbo gentoo-dev 2014-12-11 08:50:44 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-12-11 08:50:58 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Matthias Maier gentoo-dev 2014-12-11 09:05:33 UTC
  11 Dec 2014; Matthias Maier <tamiko@gentoo.org> -libvirt-1.2.9-r2.ebuild:
  drop vulnerable version, CVE-2014-8131, bug #532204
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-11 09:10:27 UTC
GLSA Vote: No
Comment 6 Matthias Maier gentoo-dev 2014-12-11 14:41:46 UTC
*libvirt-1.2.10-r2 (11 Dec 2014)

  11 Dec 2014; Matthias Maier <tamiko@gentoo.org>
  +files/libvirt-1.2.10-cve-2014-8131-part2.patch, +libvirt-1.2.10-r2.ebuild:
  Apply followup patch as well, CVE-2014-8131, bug #532204


The upstream patch 57023c0a3af4af1c547189c1f6712ed5edeb0c0b as applied in 1.2.10-r1 did open up another security issue [1]. Applied the followup commit cb104ef734dfea12cb8826dba7e2c98912c4b7e1 that fixes it to version 1.2.10-r2.

[1] https://www.redhat.com/archives/libvir-list/2014-December/msg00624.html


Arches, please stabilize app-emulation/libvirt-1.2.10-r2

Target-keywords: amd64 x86
Comment 7 Agostino Sarubbo gentoo-dev 2014-12-12 09:09:58 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-12-12 09:23:48 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 Matthias Maier gentoo-dev 2014-12-12 10:29:45 UTC
  12 Dec 2014; Matthias Maier <tamiko@gentoo.org> -libvirt-1.2.10-r1.ebuild:
  drop vulnerable version, CVE-2014-8131, bug #532204
Comment 10 Sergey Popov gentoo-dev 2014-12-24 20:21:07 UTC
Added to existing GLSA request
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-12-24 21:11:41 UTC
This issue was resolved and addressed in
 GLSA 201412-36 at http://security.gentoo.org/glsa/glsa-201412-36.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).