Libvirt Security Notice: LSN-2013-0006

Crash of libvirtd without guest agent active

Lifecycle

Reported on: 20130716
Published on: 20130716
Fixed on: 20130716

Credits

Reported by: Alex Jia
Patched by: Alex Jia

See also

Description

If the qemu guest agent service is not present in a guest then the libvirtd daemon will crash on a NULL pointer when trying to run guest agent related commands.

Impact

A user with the permission to invoke APIs which talk to the guest agent will be able to crash the libvirtd daemon leading to a denial of service.

Workaround

Prevent untrusted users from executing APIs which talk to the guest agent by removing their ability to connect to libvirtd or deny the permission bits in the access control policy.

Affected product: libvirt

Branch master
Broken in: v1.1.0
Broken by: d47eff88fe50e43a36671f6d8d0eeda52835d5e0
Fixed by: 96518d4316b711c72205117f8d5c967d5127bbb6
Branch v1.1.0-maint
Broken by: d47eff88fe50e43a36671f6d8d0eeda52835d5e0
Fixed by: a0f8c42b936c44c7e328ce774a8952dcc2f6afc6

Alternative formats: [xml] [text]