Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 746119 (CVE-2020-25637)

Summary: <app-emulation/libvirt-6.8.0: double free in qemuAgentGetInterfaces() in qemu_agent.c (CVE-2020-25637)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: daggs, michal.privoznik, tamiko, virtualization
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 753761    
Bug Blocks: 739948    

Description Agostino Sarubbo gentoo-dev 2020-10-02 09:45:12 UTC 
From https://www.openwall.com/lists/oss-security/2020/10/02/1 :

Hello,

A double free memory issue was found to occur in the libvirt API
responsible for requesting information about network interfaces of a
running QEMU domain. This flaw affects the polkit access control
driver. Specifically, clients connecting to the read-write socket with
limited ACL permissions could use this flaw to crash the libvirt
daemon, resulting in a denial of service, or potentially escalate
their privileges on the system.

CVE-2020-25637 has been assigned for this flaw.

Fixed in libvirt v6.8.0 (2020-10-01).

Upstream commits:
* https://libvirt.org/git/?p=libvirt.git;a=commit;h=955029bd0ad7ef96000f529ac38204a8f4a96401
* https://libvirt.org/git/?p=libvirt.git;a=commit;h=50864dcda191eb35732dbd80fb6ca251a6bba923
* https://libvirt.org/git/?p=libvirt.git;a=commit;h=e4116eaa44cb366b59f7fe98f4b88d04c04970ad
* https://libvirt.org/git/?p=libvirt.git;a=commit;h=a63b48c5ecef077bf0f909a85f453a605600cf05

Credit: Ilja Van Sprundel (IOActive).

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Larry the Git Cow gentoo-dev 2020-10-02 17:05:03 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e783633710d2749ee0787dc1291708d3b1f1aa2

commit 6e783633710d2749ee0787dc1291708d3b1f1aa2
Author:     Jonathan Davies <jpds@protonmail.com>
AuthorDate: 2020-10-02 10:51:31 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-10-02 16:39:01 +0000

    libvirt: Version updated to 6.8.0.
    
    Bug: https://bugs.gentoo.org/746119
    
    Signed-off-by: Jonathan Davies <jpds@protonmail.com>
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/libvirt/Manifest                     |   1 +
 app-emulation/libvirt/libvirt-6.8.0.ebuild         | 344 +++++++++++++++++++++
 dev-python/libvirt-python/Manifest                 |   1 +
 .../libvirt-python/libvirt-python-6.8.0.ebuild     |  46 +++
 4 files changed, 392 insertions(+)
Comment 2 Matthias Maier gentoo-dev 2020-10-02 17:06:32 UTC 
This is a minor issue. Let's hold off on stabilization for a bit.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-23 04:11:08 UTC 
Ready?
Comment 4 Matthias Maier gentoo-dev 2020-11-10 00:35:32 UTC 
Arches, please stabilize
Comment 5 NATTkA bot gentoo-dev Security 2020-11-10 00:37:48 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev Security 2020-11-10 01:13:13 UTC Comment hidden (obsolete)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-10 18:12:11 UTC 
amd64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-10 18:12:58 UTC 
x86 done

all arches done
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-10 20:47:30 UTC 
Thanks all. Maintainer, please cleanup.
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 23:43:10 UTC 
Ping
Comment 11 Larry the Git Cow gentoo-dev 2020-12-25 20:03:42 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=80d5e81147f726e386e76c37fb24df12c4db9077

commit 80d5e81147f726e386e76c37fb24df12c4db9077
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2020-12-25 20:03:31 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-12-25 20:03:31 +0000

    app-emulation/libvirt: drop vulnerable
    
    Bug: https://bugs.gentoo.org/746119
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/libvirt/Manifest             |   1 -
 app-emulation/libvirt/libvirt-6.7.0.ebuild | 344 -----------------------------
 2 files changed, 345 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5db717a67be2fa3fe5722371d83aff37393045b2

commit 5db717a67be2fa3fe5722371d83aff37393045b2
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2020-12-25 20:02:25 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-12-25 20:02:25 +0000

    dev-python/libvirt-python: drop vulnerable
    
    Bug: https://bugs.gentoo.org/746119
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 dev-python/libvirt-python/Manifest                 |  3 +-
 .../libvirt-python/libvirt-python-6.7.0.ebuild     | 46 ----------------------
 2 files changed, 1 insertion(+), 48 deletions(-)
Comment 12 Matthias Maier gentoo-dev 2021-04-04 17:32:28 UTC 
*ping* securiy
Comment 13 NATTkA bot gentoo-dev Security 2021-07-29 17:25:51 UTC 
Package list is empty or all packages have requested keywords.
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 03:24:23 UTC 
GLSA request filed
Comment 15 Larry the Git Cow gentoo-dev 2022-10-16 14:46:05 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=48e6804ed5fa75343b7496c1033000fda3741b42

commit 48e6804ed5fa75343b7496c1033000fda3741b42
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:42:10 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:45:24 +0000

    [ GLSA 202210-06 ] libvirt: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/746119
    Bug: https://bugs.gentoo.org/799713
    Bug: https://bugs.gentoo.org/812317
    Bug: https://bugs.gentoo.org/836128
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-06.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-16 14:58:20 UTC 
GLSA released, all done!