From http://www.openwall.com/lists/oss-security/2013/07/19/9 :

A part of the returned monitor response was freed twice and caused crashes of the daemon when using guest agent cpu count retrieval. A remote user able to issue commands to libvirt daemon could use this flaw to crash libvirtd or, potentially, escalate their privileges to that of libvirtd process.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=986383
https://bugzilla.redhat.com/show_bug.cgi?id=984821
https://www.redhat.com/archives/libvir-list/2013-July/msg01035.html

Upstream fix:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=dfc692350a04a70b4ca65667c30869b3bfdaf034

From http://www.openwall.com/lists/oss-security/2013/07/19/10 :

If users haven't configured guest agent then qemuAgentCommand() will dereference a NULL 'mon' pointer. A remote user able to issue commands to libvirt daemon could use this flaw to crash libvirtd.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=986386
https://bugzilla.redhat.com/show_bug.cgi?id=984821
https://www.redhat.com/archives/libvir-list/2013-July/msg00992.html

Upstream fix:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=96518d4316b711c72205117f8d5c967d5127bbb6
Issue is already fixed in the tree (libvirt-1.1.0-r3) and affected ebuilds (libvirt-1.1.0{,-r1,-r2}) have been removed from the tree. No versions affected by this issue ever went stable.
CVE-2013-4154 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4154):
The qemuAgentCommand function in libvirt before 1.1.1, when a guest agent is not configured, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to "agent based cpu (un)plug," as demonstrated by the "virsh vcpucount foobar --guest" command.

CVE-2013-4153 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4153):
Double free vulnerability in the qemuAgentGetVCPUs function in qemu/qemu_agent.c in libvirt 1.0.6 through 1.1.0 allows remote attackers to cause a denial of service (daemon crash) via a cpu count request, as demonstrated by the "virsh vcpucount dom --guest" command.
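The two defect classes described in this bug, shown in their corrected form as an added illustration. This is not libvirt code and not part of the bug report: every type and function name below is hypothetical, and it assumes a reply object that owns the sub-value handed back to the caller.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the agent handle and its parsed reply. */
struct agent { int vcpus; };
struct value { int ncpus; };
struct reply { struct value *ret; };   /* the reply owns 'ret' */

static int ret_frees;                  /* times a reply's 'ret' was released */

static void reply_free(struct reply *r)
{
    if (!r)
        return;
    free(r->ret);                      /* the only place 'ret' is released */
    ret_frees++;
    free(r);
}

/* Returns 0 and a reply the caller must free, or -1 on error. */
static int agent_command(struct agent *mon, struct reply **out)
{
    struct reply *r;

    if (!mon)                          /* no agent configured: fail, never dereference */
        return -1;
    if (!(r = calloc(1, sizeof(*r))))
        return -1;
    if (!(r->ret = calloc(1, sizeof(*r->ret)))) {
        free(r);
        return -1;
    }
    r->ret->ncpus = mon->vcpus;
    *out = r;
    return 0;
}

/* Returns the guest's vCPU count, or -1 on error. */
int agent_get_vcpus(struct agent *mon)
{
    struct reply *r = NULL;
    struct value *data;                /* borrowed from r, never freed on its own */
    int n;

    if (agent_command(mon, &r) < 0)
        return -1;
    data = r->ret;
    n = data->ncpus;
    /* Calling free(data) here and then reply_free(r) would release it twice. */
    reply_free(r);
    return n;
}
```

Building such code with -fsanitize=address makes a reintroduced double free or NULL dereference abort with a report at the faulting line.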