Libvirt Security Notice: LSN-2012-0002
======================================

Summary: Fix crash in libvirt clearing API parameters
Reported on: 20120730
Published on: 20120730
Fixed on: 20120730
Reported by: Jiri Denemark
Patched by: Jiri Denemark
See also: CVE-2012-3445

Description
-----------

The libvirtd daemon code which dispatches APIs with variable parameters may end up walking off the end of an array which is only one element long when a client passes an nparams value of 0. If there is a byte with value 7 in an unfortunate place in the heap, this may cause an attempt to free non-allocated memory, resulting in a crash.

Impact
------

A malicious client can cause access beyond the end of an array and potentially trigger heap corruption by freeing non-allocated memory.

Workaround
----------

None possible

Affected product
----------------

Name: libvirt
Repository: https://gitlab.com/libvirt/libvirt

Branch: master
Broken in: v0.9.8
Broken in: v0.9.9
Broken in: v0.9.10
Broken in: v0.9.11
Broken in: v0.9.12
Broken in: v0.9.13
Fixed in: v0.10.0
Broken by: 40624d32fb54920e4aa434fbb2b8999d17e02931
Fixed by: 6039a2cb49c8af4c68460d2faf365a7e1c686c7b

Branch: v0.9.11-maint
Broken in: v0.9.11.1
Broken in: v0.9.11.2
Broken in: v0.9.11.3
Broken in: v0.9.11.4
Fixed in: v0.9.11.5
Broken by: 40624d32fb54920e4aa434fbb2b8999d17e02931
Fixed by: 45d6729f98e9842b139b809078d43f1f7a8c779b

Branch: v0.9.12-maint
Fixed in: v0.9.12.1
Broken by: 40624d32fb54920e4aa434fbb2b8999d17e02931
Fixed by: 11568ec854413629ca28c4d64dbcda29337ae3e9
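
The flaw class described above, as an added C example that is neither libvirt's code nor its patch: a cleanup routine frees any element whose type tag is 7, and the dispatcher decides how many elements to hand it. All names are hypothetical, and the getter contract (an nparams of 0 is a size query that overwrites the count) is an assumption of this model; capping the cleanup count at the allocated slots is one way to keep the walk in bounds.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical simplified model; none of these names are libvirt's. */
enum { PARAM_STRING = 7, SUPPORTED = 3 }; /* heap-owned type tag; constructed count */
typedef struct { int type; char *str; } param_t;

/* Frees string payloads in params[0..n); n must not exceed the allocation. */
static void params_clear(param_t *params, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (params[i].type == PARAM_STRING) {
            free(params[i].str);
            params[i].str = NULL;
        }
}

/* Assumed getter contract: *n == 0 is a size query and is overwritten with
 * the supported count; otherwise at most *n entries are filled in. */
static int driver_get(param_t *params, size_t *n)
{
    static const char sample[] = "constructed";
    if (*n == 0) { *n = SUPPORTED; return 0; }
    if (*n > SUPPORTED) *n = SUPPORTED;
    for (size_t i = 0; i < *n; i++) {
        if (!(params[i].str = malloc(sizeof sample))) { *n = i; return -1; }
        memcpy(params[i].str, sample, sizeof sample);
        params[i].type = PARAM_STRING;
    }
    return 0;
}

/* Returns how far past the allocation the cleanup count reaches. hardened == 0
 * trusts the count the getter wrote back; otherwise it is capped at slots. */
static long dispatch(size_t client_nparams, int hardened)
{
    size_t slots = client_nparams ? client_nparams : 1; /* 0 still gives one slot */
    size_t n = client_nparams;
    param_t *params = calloc(slots, sizeof(*params));
    if (!params) return -1;
    (void)driver_get(params, &n);
    size_t count = (hardened && n > slots) ? slots : n;
    long overrun = count > slots ? (long)(count - slots) : 0;
    params_clear(params, count > slots ? slots : count); /* clamped: demo stays in bounds */
    free(params);
    return overrun;
}

int main(void) { return dispatch(0, 1) != 0; } /* exit 0: hardened path stays in bounds */
```

In the unhardened mode the elements past the allocation are whatever happens to be on the heap, so a stray tag of 7 there would send an unowned pointer to free(); the example reports the overrun instead of performing it.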