Bug 487684 (CVE-2013-4399) - <app-emulation/libvirt-1.1.3 : Callbacks De-registration Handling Denial of Service Vulnerability (CVE-2013-4399)
Summary: <app-emulation/libvirt-1.1.3 : Callbacks De-registration Handling Denial of S...
Status: RESOLVED FIXED
Alias: CVE-2013-4399
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/55202/
Whiteboard: C3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-11 18:58 UTC by Agostino Sarubbo
Modified: 2014-12-08 23:47 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-10-11 18:58:58 UTC
From ${URL} :

Description

A vulnerability has been reported in libvirt, which can be exploited by malicious users to cause a 
DoS (Denial of Service).

The vulnerability is caused due to an error when handling callbacks deregistration via the 
"virConnectDomainEventDeregisterAny()" API function and can be exploited to cause a crash.

Successful exploitation requires the ACL drivers to be active.


Solution:
Fixed in the git repository.

Provided and/or discovered by:
Zhenfang Wang, Red Hat

Original Advisory:
https://bugzilla.redhat.com/show_bug.cgi?id=1011429


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Doug Goldstein gentoo-dev 2013-10-11 19:57:32 UTC
1.0.5.6 is not vulnerable to this issue. It's only for 1.1.0 and greater. The bump with this fix is already in the tree as part of 1.1.3.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2013-10-12 03:43:31 UTC
Arches, please test and mark stable:
=app-emulation/libvirt-1.1.3
Target keywords : "amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2013-10-12 16:09:41 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-10-13 10:32:14 UTC
x86 stable
Comment 5 Sergey Popov gentoo-dev 2013-10-16 09:39:37 UTC
Added to existing GLSA draft
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-12-08 23:47:53 UTC
This issue was resolved and addressed in
 GLSA 201412-04 at http://security.gentoo.org/glsa/glsa-201412-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).