Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 524184 (CVE-2014-3633) - <app-emulation/libvirt-1.2.9: Querying blkiotune after disk hotplug can lead to libvirtd crash (CVE-2014-3633)
Summary: <app-emulation/libvirt-1.2.9: Querying blkiotune after disk hotplug can lead ...
Status: RESOLVED FIXED
Alias: CVE-2014-3633
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://security.libvirt.org/2014/0004...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-01 07:20 UTC by Agostino Sarubbo
Modified: 2014-12-08 23:48 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-10-01 07:20:55 UTC
From ${URL} :

Description:
The qemu implementation of virDomainGetBlockIoTune computed an index into the array of disks for the live definition, then used it as the index into the array of disks for the persistent definition. If management had hot-plugged disks to the live definition, the 
two arrays are not necessarily the same length, and this could result in the persistent definition dereferencing an out-of-bounds pointer.

Impact:
A read-only client can cause a denial of service attack against a privileged client if the out-of-bounds dereference causes libvirtd to crash, or possibly gain read access to sensitive information residing in the heap.

Workaround:
The out-of-bounds access is only possible on domains that have had disks hot-plugged or removed from the live image without also updating the persistent definition to match; keeping the two definitions matched or using only transient domains will avoid the 
problem. Denying access to the readonly libvirt socket will avoid the potential for a denial of service attack, but will not prevent the out-of-bounds access from causing a crash for a privileged client, although such a crash is no longer a security problem.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2014-10-22 09:16:17 UTC
1.2.9 contains the fix.
Comment 2 Agostino Sarubbo gentoo-dev 2014-10-27 14:09:50 UTC
Arches, please test and mark stable:
=app-emulation/libvirt-1.2.9
=dev-python/libvirt-python-1.2.9
Target keywords : "amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2014-10-27 14:17:32 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-10-27 14:18:51 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Matthias Maier gentoo-dev 2014-10-31 06:59:26 UTC
  31 Oct 2014; Matthias Maier <tamiko@gentoo.org> -libvirt-1.1.3.4.ebuild,
  -libvirt-1.2.3.ebuild, -libvirt-1.2.5.ebuild, -libvirt-1.2.6.ebuild:
  remove old due to bug 524184 (CVE-2014-3633)

  31 Oct 2014; Matthias Maier <tamiko@gentoo.org> -libvirt-python-1.2.3.ebuild,
  -libvirt-python-1.2.4.ebuild, -libvirt-python-1.2.5.ebuild,
  -libvirt-python-1.2.6.ebuild:
  synchronize with app-emulation/libvirt and drop old
Comment 6 Kristian Fiskerstrand gentoo-dev Security 2014-12-08 23:25:30 UTC
Added to existing GLSA draft
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-12-08 23:48:53 UTC
This issue was resolved and addressed in
 GLSA 201412-04 at http://security.gentoo.org/glsa/glsa-201412-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).