Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 908042 (CVE-2023-2700) - <app-emulation/libvirt-9.3.0: large memory leak
Summary: <app-emulation/libvirt-9.3.0: large memory leak
Status: CONFIRMED
Alias: CVE-2023-2700
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://gitlab.com/libvirt/libvirt/-/...
Whiteboard: A3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-08 04:43 UTC by John Helmert III
Modified: 2023-06-19 03:05 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-08 04:43:39 UTC
CVE-2023-2700:

A vulnerability was found in libvirt. This security flaw ouccers due to repeatedly querying an SR-IOV PCI device's capabilities that exposes a memory leak caused by a failure to free the virPCIVirtualFunction array within the parent struct's g_autoptr cleanup.
Comment 1 Larry the Git Cow gentoo-dev 2023-06-18 01:54:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c433fe97671c3f9786ffe2405e91ba9f00ae04fe

commit c433fe97671c3f9786ffe2405e91ba9f00ae04fe
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2023-06-18 01:42:49 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2023-06-18 01:54:05 +0000

    app-emulation/libvirt: drop 8.7.0-r1, 8.8.0-r1, 8.9.0, 8.9.0-r2, 9.2.0
    
    Bug: https://bugs.gentoo.org/908042
    Bug: https://bugs.gentoo.org/836128
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/libvirt/Manifest                     |   8 -
 ....0-meson-Stop-detecting-Wl-version-script.patch |  55 ----
 ....0-meson-Stop-detecting-Wl-version-script.patch |  53 ---
 app-emulation/libvirt/libvirt-8.7.0-r1.ebuild      | 353 --------------------
 app-emulation/libvirt/libvirt-8.8.0-r1.ebuild      | 353 --------------------
 app-emulation/libvirt/libvirt-8.9.0-r2.ebuild      | 360 ---------------------
 app-emulation/libvirt/libvirt-8.9.0.ebuild         | 356 --------------------
 app-emulation/libvirt/libvirt-9.2.0.ebuild         | 359 --------------------
 8 files changed, 1897 deletions(-)
Comment 2 Matthias Maier gentoo-dev 2023-06-18 01:58:21 UTC
The fix is found in

  commit 6425a311b8ad19d6f9c0b315bf1d722551ea3585
  Author: Tim Shearer <TShearer@adva.com>
  Date:   Mon May 1 13:15:48 2023 +0000

which is already part of the 9.3.0 release which is already stabilized in Gentoo.