Libvirt Security Notice: LSN-2012-0003

Crash of libvirt when dispatching illegal RPC procedure

Lifecycle

Reported on: 20120913
Published on: 20120724
Fixed on: 20120914

Credits

Reported by: Wenlong Huang
Patched by: Martin Kletzander

See also

Description

Sending RPC message with an event number as the RPC procedure number could lead to the daemon accessing a NULL pointer in the RPC dispatch table.

Impact

A malicious client could cause the libvirtd daemon to crash resulting in a denial of service attack.

Workaround

Update the UNIX socket permissions to prevent a malicious user from connecting to libvirtd.

Affected product: libvirt

Branch master
Broken in: v0.7.0
Broken in: v0.7.1
Broken in: v0.7.2
Broken in: v0.7.3
Broken in: v0.7.4
Broken in: v0.7.5
Broken in: v0.7.6
Broken in: v0.7.7
Broken in: v0.8.0
Broken in: v0.8.1
Broken in: v0.8.2
Broken in: v0.8.3
Broken in: v0.8.4
Broken in: v0.8.5
Broken in: v0.8.6
Broken in: v0.8.7
Broken in: v0.8.8
Broken in: v0.9.0
Broken in: v0.9.1
Broken in: v0.9.2
Broken in: v0.9.3
Broken in: v0.9.4
Broken in: v0.9.5
Broken in: v0.9.6
Broken in: v0.9.7
Broken in: v0.9.8
Broken in: v0.9.9
Broken in: v0.9.10
Broken in: v0.9.11
Broken in: v0.9.12
Broken in: v0.9.13
Broken in: v0.10.0
Broken in: v0.10.1
Fixed in: v0.10.2
Broken by: a147ef38374f17c3d02b7db8e857ca33c5c346f9
Fixed by: b7ff9e696063189a715802d081d55a398663c15a
Branch v0.9.6-maint
Broken in: v0.9.6.1
Broken in: v0.9.6.2
Fixed in: v0.9.6.3
Broken by: a147ef38374f17c3d02b7db8e857ca33c5c346f9
Fixed by: c84053c2ab1c9a9b1d798285373a2572ee37aa92
Branch v0.9.11-maint
Broken in: v0.9.11.1
Broken in: v0.9.11.2
Broken in: v0.9.11.3
Broken in: v0.9.11.4
Broken in: v0.9.11.5
Fixed in: v0.9.11.6
Broken by: a147ef38374f17c3d02b7db8e857ca33c5c346f9
Fixed by: b2c5a911979eaccfb6895d58cbcc4e3a200d9d61
Branch v0.9.12-maint
Fixed in: v0.9.12.1
Broken by: a147ef38374f17c3d02b7db8e857ca33c5c346f9
Fixed by: addf5e1b3160cbc91cf0f56cd97d1a38a6fb91e8

Alternative formats: [xml] [text]