Bug 258777 (CVE-2009-0036) - app-emulation/libvirt libvirt_proxy privilege escalation (CVE-2009-0036)
Status: RESOLVED FIXED
Alias: CVE-2009-0036
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
Whiteboard: ~1 [noglsa]
Reported: 2009-02-12 20:27 UTC by Robert Buchholz (RETIRED)
Modified: 2009-12-23 17:07 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 20:27:15 UTC
CVE-2009-0036 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0036):
  Buffer overflow in the proxyReadClientSocket function in
  proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users
  to gain privileges by sending a portion of the header of a
  virProxyPacket packet, and then sending the remainder of the packet
  with crafted values in the header, related to use of uninitialized
  memory in a validation check.
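
The CVE text above describes a header that arrives in pieces and is validated before it is complete. The following is an added example of a receive routine that avoids that failure mode; it is not libvirt's code or the referenced patch, and the header layout, the constants and the names `read_full`, `recv_packet` and `feed` are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#define PROTO_VERSION 1      /* hypothetical protocol version */
#define MAX_PACKET    4096   /* assumed receive-buffer size */
struct pkt_hdr { uint16_t version, command; uint32_t len; }; /* len counts the header too */

/* Read exactly n bytes: retry short reads, fail on EOF or error. */
static int read_full(int fd, void *buf, size_t n)
{
    for (unsigned char *p = buf; n > 0; ) {
        ssize_t r = read(fd, p, n);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            return -1;
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Returns the total packet length, or -1 if rejected. buf holds MAX_PACKET bytes. */
long recv_packet(int fd, unsigned char *buf)
{
    struct pkt_hdr hdr;
    /* 1. Validate nothing until the whole header has arrived. */
    if (read_full(fd, buf, sizeof(hdr)) < 0)
        return -1;
    memcpy(&hdr, buf, sizeof(hdr));
    /* 2. Bound the sender-controlled length, then read only that remainder. */
    if (hdr.version != PROTO_VERSION || hdr.len < sizeof(hdr) || hdr.len > MAX_PACKET)
        return -1;
    if (read_full(fd, buf + sizeof(hdr), hdr.len - sizeof(hdr)) < 0)
        return -1;
    return (long)hdr.len;
}

long feed(const void *bytes, size_t n)  /* constructed harness: n bytes via a pipe, then EOF */
{
    int p[2];
    unsigned char buf[MAX_PACKET];
    if (pipe(p) < 0 || write(p[1], bytes, n) != (ssize_t)n)
        return -2;
    close(p[1]);
    long r = recv_packet(p[0], buf);
    close(p[0]);
    return r;
}
```

A header that stops short, a length outside the buffer bounds, or a body shorter than the announced length all end in rejection without the length field ever being used as a copy size.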
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2009-06-09 13:37:32 UTC
Oldest version in the tree is 0.6.3. Looking for feedback from the security team.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-12-23 17:02:18 UTC
Sorry for the mis-reassignment.

But since we don't have stable for libvirt, and we don't have that version around for a looong time, can we just close this up?

Thanks.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-23 17:07:55 UTC
libvirt 0.7.2, the oldest version in the tree, has the patch [0] applied.
Closing noglsa.

[0] https://www.redhat.com/archives/libvir-list/2009-January/msg00699.html