Bug 647338 (CVE-2018-5748)

Summary: <app-emulation/libvirt-4.0.0: Memory consumption vulnerability
Product: Gentoo Security
Reporter: Christopher Díaz Riveros (RETIRED) <chrisadr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: tamiko, virtualization
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=646814
Whiteboard: B3 [glsa+ cve]
Package list: app-emulation/libvirt-4.0.0 dev-python/libvirt-python-4.0.0
Runtime testing required: ---

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-02-11 20:39:07 UTC
CVE-2018-5748 (https://nvd.nist.gov/vuln/detail/CVE-2018-5748):
  qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service
  (memory consumption) via a large QEMU reply.
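The CVE text above names the bug class (unbounded growth of a buffer fed by the QEMU monitor) but not its mechanics. The following is an added illustration written for this page, not libvirt's qemu_monitor.c and not code from this bug or its fix: a client accumulates a peer's reply until it sees the end-of-message marker, first with no ceiling on the accumulated size (the vulnerable shape) and then with a hard ceiling checked before the buffer grows. The peer is a constructed byte generator rather than a real monitor socket, and every identifier (fake_peer, peer_read, read_reply, reply_outcome, the 64 KiB cap) is an assumption made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration of the CVE-2018-5748 bug class; not libvirt code.
 * The peer is a constructed generator and all names are assumptions.
 */

/* Constructed peer: delivers `total` filler bytes and, if `terminated`,
 * one trailing '\n'.  `cursor` records how much has been handed out. */
typedef struct {
    size_t total;
    int terminated;
    size_t cursor;
} fake_peer;

/* Hand out up to `n` bytes, like a partial read(2) on a socket.
 * Returns the byte count copied into `buf`, 0 once the peer is exhausted. */
static size_t peer_read(fake_peer *p, char *buf, size_t n)
{
    size_t end = p->total + (p->terminated ? 1 : 0);
    size_t avail = end - p->cursor;
    if (avail == 0)
        return 0;
    if (n > avail)
        n = avail;
    for (size_t i = 0; i < n; i++)
        buf[i] = (p->cursor + i < p->total) ? 'A' : '\n';
    p->cursor += n;
    return n;
}

/* Read one '\n'-terminated reply into a heap buffer that grows on demand.
 * cap == 0 means "no ceiling", the vulnerable behaviour: a peer that sends
 * an enormous reply, or never sends the terminator, makes the client
 * allocate without bound.  Returns the reply length on success (*out is
 * malloc'd, caller frees), -1 on EOF before the terminator, and -2 when
 * the reply would grow past `cap` (the hardened outcome). */
long read_reply(fake_peer *p, size_t cap, char **out)
{
    size_t len = 0, size = 4096;
    char chunk[1024];
    char *buf = malloc(size);
    if (!buf)
        return -1;
    for (;;) {
        size_t got = peer_read(p, chunk, sizeof chunk);
        if (got == 0) {
            free(buf);
            return -1;
        }
        /* Only bytes up to and including the terminator belong to this
         * reply; anything after it would start the next one. */
        char *nl = memchr(chunk, '\n', got);
        size_t keep = nl ? (size_t)(nl - chunk) + 1 : got;
        /* Hardened path: refuse before growing, not after the damage. */
        if (cap != 0 && len + keep > cap) {
            free(buf);
            return -2;
        }
        if (len + keep > size) {
            while (len + keep > size)
                size *= 2;
            char *nb = realloc(buf, size);
            if (!nb) {
                free(buf);
                return -1;
            }
            buf = nb;
        }
        memcpy(buf + len, chunk, keep);
        len += keep;
        if (nl) {
            *out = buf;
            return (long)len;
        }
    }
}

/* Drive read_reply against a constructed peer and report the outcome. */
long reply_outcome(size_t peer_bytes, int terminated, size_t cap)
{
    fake_peer p = { peer_bytes, terminated, 0 };
    char *reply = NULL;
    long n = read_reply(&p, cap, &reply);
    if (n >= 0)
        free(reply);
    return n;
}

int main(void)
{
    /* A 1 MB reply with no ceiling is accepted in full (1,000,001 bytes
     * including the terminator); with a 64 KiB ceiling it is rejected. */
    printf("unbounded: %ld\n", reply_outcome(1000000, 1, 0));
    printf("bounded:   %ld\n", reply_outcome(1000000, 1, 64 * 1024));
    printf("no terminator: %ld\n", reply_outcome(1000, 0, 64 * 1024));
    return 0;
}
```

Build with `cc -std=c99 -Wall`. The point of the cap is where it sits: the check runs on `len + keep` before `realloc`, so a hostile or runaway peer can never push the client past the ceiling, whereas checking after the copy would already have committed the allocation. The ceiling value itself is a deployment choice; the example's 64 KiB is only for demonstration and says nothing about what libvirt chose.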
Comment 1 Matthias Maier gentoo-dev 2018-02-12 01:13:55 UTC
Fix already in tree.

Arches, please stabilize
  app-emulation/libvirt-4.0.0
  dev-python/libvirt-python-4.0.0
Comment 2 Agostino Sarubbo gentoo-dev 2018-02-12 11:48:12 UTC
amd64 stable
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-12 21:38:11 UTC
x86 stable
Comment 4 Larry the Git Cow gentoo-dev 2018-02-12 22:48:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=017994497fab0a159e8adc4a73a10c3268f46601

commit 017994497fab0a159e8adc4a73a10c3268f46601
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2018-02-12 22:44:00 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2018-02-12 22:48:29 +0000

    app-emulation/libvirt: drop vulnerable versions (3.8*, 3.10*)
    
    Bug: https://bugs.gentoo.org/647338
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-emulation/libvirt/Manifest                     |   2 -
 .../libvirt-3.0.0-fix_paths_for_apparmor.patch     |  79 -----
 .../files/libvirt-3.8.0-CVE-2017-1000256.patch     |  74 ----
 app-emulation/libvirt/libvirt-3.10.0-r2.ebuild     | 382 ---------------------
 app-emulation/libvirt/libvirt-3.8.0-r1.ebuild      | 381 --------------------
 app-emulation/libvirt/libvirt-9999.ebuild          |   2 +-
 6 files changed, 1 insertion(+), 919 deletions(-)
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2018-04-08 23:29:23 UTC
This issue was resolved and addressed in
 GLSA 201804-07 at https://security.gentoo.org/glsa/201804-07
by GLSA coordinator Aaron Bauman (b-man).