CVE-2022-0897: A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to acquire the `driver->nwfilters` mutex before iterating over virNWFilterObj instances. There was no protection to stop another thread from concurrently modifying the `driver->nwfilters` object. This flaw allows a malicious, unprivileged user to exploit this issue via libvirt’s API virConnectNumOfNWFilters to crash the network filter management daemon (libvirtd/virtnwfilterd).
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f80abc70fa18166129b827b6ed4c671cb5c656b0 commit f80abc70fa18166129b827b6ed4c671cb5c656b0 Author: Sam James <sam@gentoo.org> AuthorDate: 2022-04-03 04:04:09 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-04-03 04:35:37 +0000 app-emulation/libvirt: add 8.2.0 * Add 8.2.0 * Tighten up some lower bounds on dependencies * Add shorewall to init script 'after' Bug: https://bugs.gentoo.org/836128 Closes: https://bugs.gentoo.org/833754 Closes: https://bugs.gentoo.org/831121 Signed-off-by: Sam James <sam@gentoo.org> app-emulation/libvirt/Manifest | 2 + app-emulation/libvirt/files/libvirtd.init-r19 | 2 +- app-emulation/libvirt/libvirt-8.2.0.ebuild | 336 ++++++++++++++++++++++++++ app-emulation/libvirt/libvirt-9999.ebuild | 52 ++-- app-emulation/libvirt/metadata.xml | 4 + 5 files changed, 368 insertions(+), 28 deletions(-)
GLSA request filed
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=48e6804ed5fa75343b7496c1033000fda3741b42 commit 48e6804ed5fa75343b7496c1033000fda3741b42 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-10-16 14:42:10 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-16 14:45:24 +0000 [ GLSA 202210-06 ] libvirt: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/746119 Bug: https://bugs.gentoo.org/799713 Bug: https://bugs.gentoo.org/812317 Bug: https://bugs.gentoo.org/836128 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202210-06.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+)
Michal, tamiko, any reason to keep old libvirts around here?