Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 475434 (CVE-2013-2218) - <app-emulation/libvirt-1.0.6-r1 : virConnectListAllInterfaces crash (CVE-2013-2218)
Summary: <app-emulation/libvirt-1.0.6-r1 : virConnectListAllInterfaces crash (CVE-2013...
Status: RESOLVED FIXED
Alias: CVE-2013-2218
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-01 16:57 UTC by Agostino Sarubbo
Modified: 2013-10-02 04:10 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-07-01 16:57:35 UTC 
From ${URL} :

Daniel P. Berrange reported:

"As non-root, simply run:

  # virsh -c qemu:///system --readonly iface-list --inactive                                                                                                                                                   

The libvirtd daemon will crash with one of a number of different
stack traces, for example:

*** Error in `/home/berrange/src/virt/libvirt/daemon/.libs/lt-libvirtd': invalid fastbin entry 
(free): 0x00007f03fc02a1b0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x3cd5e7cef8)[0x7f0425cf7ef8]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virFree+0x2e)[0x7f04293fd79e]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virLogVMessage+0x37d)[0x7f042942384d]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virLogMessage+0x97)[0x7f0429423b27]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virObjectUnref+0x65)[0x7f04294324d5]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virIdentitySetCurrent+0x35)[0x7f042941ae25]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virNetServerProgramDispatch+0x392)[0x7f0429539be2]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(+0x195d68)[0x7f0429533d68]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(+0xa62e5)[0x7f04294442e5]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(+0xa594e)[0x7f042944394e]
/lib64/libpthread.so.0(+0x3cd6207c53)[0x7f0426449c53]
/lib64/libc.so.6(clone+0x6d)[0x7f0425d6fecd]

Looking at the code, we have a double-free of the 'struct netcf_if'
object when any of the filtering flags are set. Hence this only
happens if you pass  '--inactive' to virsh."

Upstream fix:

http://libvirt.org/git/?p=libvirt.git;a=commit;h=244e0b8cf15ca2ef48d82058e728656e6c4bad11


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2013-07-01 21:06:20 UTC 
Only affected 1.0.6, which was only ever ~arch. The fix was committed at the same time the embargo was lifted.

Ball is in your court security herd.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-10-02 04:10:32 UTC 
CVE-2013-2218 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2218):
  Double free vulnerability in the virConnectListAllInterfaces method in
  interface/interface_backend_netcf.c in libvirt 1.0.6 allows remote attackers
  to cause a denial of service (libvirtd crash) via a filtering flag that
  causes an interface to be skipped, as demonstrated by the "virsh iface-list
  --inactive" command.