Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 504996 (CVE-2013-7336) - <app-emulation/libvirt-1.1.3: unprivileged user can crash libvirtd during spice migration (CVE-2013-7336)
Summary: <app-emulation/libvirt-1.1.3: unprivileged user can crash libvirtd during spi...
Alias: CVE-2013-7336
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2014-03-18 16:56 UTC by Agostino Sarubbo
Modified: 2014-12-08 23:48 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-03-18 16:56:55 UTC
From ${URL} :

Domblkstat is possible even with read-only connection, so whenever
migration with spice is done and domblkstat gets called at the same time
as qemuMonitorGetSpiceMigrationStatus(), there is certain possibility
that the daemon crashes (null pointer dereference).

An unprivileged user able to issue commands to running libvirtd could
use this flaw to crash libvirtd and prevent more privileged clients
from working correctly.

Upstream fix:;a=commit;h=484cc321

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2014-04-20 17:23:11 UTC
This was fixed for the 1.1.3 release. The oldest version in the tree is which is unaffected.

git describe --match=v* --contains 484cc321
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-04-24 05:54:28 UTC
Maintainer(s), Thank you for cleanup!

Security please Vote!
Comment 3 Sergey Popov gentoo-dev 2014-05-11 11:44:07 UTC
Added to existing GLSA draft
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 22:11:02 UTC
CVE-2013-7336 (
  The qemuMigrationWaitForSpice function in qemu/qemu_migration.c in libvirt
  before 1.1.3 does not properly enter a monitor when performing seamless
  SPICE migration, which allows local users to cause a denial of service (NULL
  pointer dereference and libvirtd crash) by causing domblkstat to be called
  at the same time as the qemuMonitorGetSpiceMigrationStatus function.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-12-08 23:48:38 UTC
This issue was resolved and addressed in
 GLSA 201412-04 at
by GLSA coordinator Kristian Fiskerstrand (K_F).