Bug 424165 (CVE-2012-2693) - <app-emulation/libvirt-0.9.12: possible data leak (CVE-2012-2693)
Status: RESOLVED FIXED
Alias: CVE-2012-2693
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: C4 [noglsa]
Reported: 2012-06-29 21:07 UTC by GLSAMaker/CVETool Bot
Modified: 2012-07-19 20:48 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2012-06-29 21:07:21 UTC
CVE-2012-2693 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2693):
  libvirt, possibly before 0.9.12, does not properly assign USB devices to
  virtual machines when multiple devices have the same vendor and product ID,
  which might cause the wrong device to be associated with a guest and might
  allow local users to access unintended USB devices.
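
An added example, not part of the original bug report or libvirt's own code: a defender-side audit that flags USB `<hostdev>` entries in a libvirt domain definition that select a host device by vendor and product ID alone while several attached devices share that pair, which is the ambiguous case the CVE describes. The `lsusb` output and domain XML are constructed samples, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of `lsusb` output: two identical sticks share 0951:1666.
LSUSB_SAMPLE = """\
Bus 001 Device 002: ID 0951:1666 Kingston Technology DataTraveler
Bus 001 Device 005: ID 0951:1666 Kingston Technology DataTraveler
Bus 002 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver
"""

# Constructed libvirt domain XML with two ID-selected USB passthrough devices.
DOMAIN_XML_SAMPLE = """\
<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <hostdev mode='subsystem' type='usb'>
      <source><vendor id='0x0951'/><product id='0x1666'/></source>
    </hostdev>
    <hostdev mode='subsystem' type='usb'>
      <source><vendor id='0x046d'/><product id='0xc52b'/></source>
    </hostdev>
  </devices>
</domain>
"""

LSUSB_RE = re.compile(r"^Bus \d+ Device \d+: ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})", re.M)

def host_id_counts(lsusb_text):
    """Count attached host devices per (vendor, product) pair."""
    return Counter((int(v, 16), int(p, 16)) for v, p in LSUSB_RE.findall(lsusb_text))

def ambiguous_hostdevs(domain_xml, lsusb_text):
    """Return (vendor, product, matches) for USB hostdevs chosen only by
    vendor/product ID while more than one matching device is attached."""
    counts = host_id_counts(lsusb_text)
    findings = []
    for src in ET.fromstring(domain_xml).iterfind(".//hostdev[@type='usb']/source"):
        vendor, product = src.find("vendor"), src.find("product")
        if vendor is None or product is None or src.find("address") is not None:
            continue  # not ID-based, or already pinned to a bus/device address
        key = (int(vendor.get("id"), 16), int(product.get("id"), 16))
        if counts[key] > 1:
            findings.append(("%04x" % key[0], "%04x" % key[1], counts[key]))
    return findings

if __name__ == "__main__":
    for vendor, product, n in ambiguous_hostdevs(DOMAIN_XML_SAMPLE, LSUSB_SAMPLE):
        print(f"{vendor}:{product} matches {n} host devices; pin with <address bus= device=>")
```

Entries it reports can be made unambiguous by adding an `<address bus='…' device='…'/>` element inside `<source>`, in addition to upgrading to a fixed libvirt version.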
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2012-06-30 01:32:59 UTC
I've added the original Red Hat bugzilla entry where I believe we discussed this originally. Unfortunately, it's locked so I can't confirm.
Comment 2 Doug Goldstein (RETIRED) gentoo-dev 2012-06-30 01:37:37 UTC
Just looking at the patches I believe fix this, it appears they are in 0.9.11.4 and 0.9.12.
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2012-06-30 01:47:23 UTC
FWIW, 0.9.12 and 0.9.11.4 are both in the tree and can be stabilized.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-11 20:13:30 UTC
Thanks, Doug.

Arches, please test and mark stable:

=app-emulation/libvirt-0.9.11.4
=app-emulation/libvirt-0.9.12

Target KEYWORDS: "amd64 x86"
Comment 5 Agostino Sarubbo gentoo-dev 2012-07-15 11:36:45 UTC
amd64 stable
Comment 6 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-18 05:18:22 UTC
x86 stable
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-19 20:48:27 UTC
Thanks, everyone.

Closing noglsa for C4 rating.