From ${URL} : Domblkstat is possible even with read-only connection, so whenever migration with spice is done and domblkstat gets called at the same time as qemuMonitorGetSpiceMigrationStatus(), there is certain possibility that the daemon crashes (null pointer dereference). An unprivileged user able to issue commands to running libvirtd could use this flaw to crash libvirtd and prevent more privileged clients from working correctly. Upstream fix: http://libvirt.org/git/?p=libvirt.git;a=commit;h=484cc321 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This was fixed for the 1.1.3 release. The oldest version in the tree is 1.1.3.3 which is unaffected. git describe --match=v* --contains 484cc321
Maintainer(s), Thank you for cleanup! Security please Vote!
Added to existing GLSA draft
CVE-2013-7336 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7336): The qemuMigrationWaitForSpice function in qemu/qemu_migration.c in libvirt before 1.1.3 does not properly enter a monitor when performing seamless SPICE migration, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) by causing domblkstat to be called at the same time as the qemuMonitorGetSpiceMigrationStatus function.
This issue was resolved and addressed in GLSA 201412-04 at http://security.gentoo.org/glsa/glsa-201412-04.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
