A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged user to perform a denial of service attack by causing the libvirt daemon to crash.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c32491d0bcded18663dd976934ad5c10b29d4c2 commit 3c32491d0bcded18663dd976934ad5c10b29d4c2 Author: Michal Privoznik <michal.privoznik@gmail.com> AuthorDate: 2024-04-13 18:53:12 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-04-14 00:41:53 +0000 app-emulation/libvirt: Backport fix for CVE-2024-2494 The fix made it into app-emulation/libvirt-10.2.0 release. Backport the fix into anything older. https://nvd.nist.gov/vuln/detail/CVE-2024-2494 Bug: https://bugs.gentoo.org/929966 Signed-off-by: Michal Privoznik <michal.privoznik@gmail.com> Closes: https://github.com/gentoo/gentoo/pull/36242 Signed-off-by: Sam James <sam@gentoo.org> ...k-for-negative-array-lengths-before-alloc.patch | 222 +++++++++++++++++++++ ...t-10.0.0-r1.ebuild => libvirt-10.0.0-r2.ebuild} | 1 + ...virt-10.1.0.ebuild => libvirt-10.1.0-r1.ebuild} | 1 + ...irt-9.8.0-r1.ebuild => libvirt-9.8.0-r2.ebuild} | 1 + ...irt-9.9.0-r1.ebuild => libvirt-9.9.0-r2.ebuild} | 1 + 5 files changed, 226 insertions(+)
