Bug 477460 (CVE-2013-4153) - <app-emulation/libvirt-1.1.0-r3 : Two Denial of Service and potential privilege escalation (CVE-2013-{4153,4154})
Status: RESOLVED FIXED
Alias: CVE-2013-4153
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://openwall.com/lists/oss-securit...
Whiteboard: ~3 [noglsa]
Reported: 2013-07-20 08:12 UTC by Agostino Sarubbo
Modified: 2013-10-02 04:08 UTC
Description Agostino Sarubbo gentoo-dev 2013-07-20 08:12:43 UTC
From http://www.openwall.com/lists/oss-security/2013/07/19/9 :

A part of the returned monitor response was freed twice and caused
crashes of the daemon when using guest agent cpu count retrieval.

A remote user able to issue commands to libvirt daemon could use this
flaw to crash libvirtd or, potentially, escalate their privileges to
that of libvirtd process.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=986383
https://bugzilla.redhat.com/show_bug.cgi?id=984821
https://www.redhat.com/archives/libvir-list/2013-July/msg01035.html

Upstream fix:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=dfc692350a04a70b4ca65667c30869b3bfdaf034



From http://www.openwall.com/lists/oss-security/2013/07/19/10 :

If users haven't configured guest agent then qemuAgentCommand() will
dereference a NULL 'mon' pointer.

A remote user able to issue commands to libvirt daemon could use this
flaw to crash libvirtd.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=986386
https://bugzilla.redhat.com/show_bug.cgi?id=984821
https://www.redhat.com/archives/libvir-list/2013-July/msg00992.html

Upstream fix:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=96518d4316b711c72205117f8d5c967d5127bbb6
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2013-07-20 12:58:45 UTC
Issue is already fixed in the tree (libvirt-1.1.0-r3) and affected ebuilds (libvirt-1.1.0{,-r1,-r2}) have been removed from the tree. No versions affected by this issue ever went stable.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-10-02 04:08:07 UTC
CVE-2013-4154 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4154):
  The qemuAgentCommand function in libvirt before 1.1.1, when a guest agent is
  not configured, allows remote attackers to cause a denial of service (NULL
  pointer dereference and crash) via vectors related to "agent based cpu
  (un)plug," as demonstrated by the "virsh vcpucount foobar --guest" command.

CVE-2013-4153 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4153):
  Double free vulnerability in the qemuAgentGetVCPUs function in
  qemu/qemu_agent.c in libvirt 1.0.6 through 1.1.0 allows remote attackers to
  cause a denial of service (daemon crash) via a cpu count request, as
  demonstrated by the "virsh vcpucount dom --guest" command.
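
Added example (not part of the bug report and not libvirt's code): a small C model of the two defect classes described above, written in the corrected form. The missing agent handle is rejected before it is dereferenced, and the reply payload is released exactly once by its owner. All type and function names here are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical model types; these are not libvirt's structures. */
struct reply { int *online; size_t n; };  /* the reply owns 'online' */
struct agent { size_t guest_cpus; };      /* a NULL pointer means no agent */
static int payload_frees;                 /* instrumentation for checks */

static void reply_free(struct reply *r)
{
    free(r->online);   /* owned payload released here, exactly once */
    payload_frees++;
    free(r);
}

static int agent_command(struct agent *mon, struct reply **out)
{
    struct reply *r;
    *out = NULL;
    if (!mon || !(r = calloc(1, sizeof(*r))))   /* guard before any mon-> access */
        return -1;
    r->n = mon->guest_cpus;
    if (!(r->online = calloc(r->n ? r->n : 1, sizeof(int)))) {
        free(r);
        return -1;
    }
    for (size_t i = 0; i < r->n; i++)
        r->online[i] = 1;   /* constructed sample data: every vCPU online */
    *out = r;
    return 0;
}

/* Count online vCPUs reported by the agent, or -1 on error. */
static int agent_get_vcpus(struct agent *mon)
{
    struct reply *reply = NULL;
    int count = 0;
    if (agent_command(mon, &reply) < 0)
        return -1;
    const int *data = reply->online;   /* borrowed pointer into the reply */
    for (size_t i = 0; i < reply->n; i++)
        count += data[i];
    reply_free(reply);   /* releases 'data' too; free(data) here would be a double free */
    return count;
}

int main(void)
{
    struct agent a = { 4 };
    return !(agent_get_vcpus(&a) == 4 && agent_get_vcpus(NULL) == -1);
}
```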