Libvirt Security Notice: LSN-2013-0016

Out of bounds access in bitmap array

Lifecycle

Reported on: 20130816
Published on: 20130816
Fixed on: 20130816

Credits

Reported by: Peter Krempa
Patched by: Peter Krempa

See also

Description

When parsing bitmap strings, the bounds of the array were not checked when determining if a bit was set. This in turn resulted in the parser later crashing.
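
The class of bug described above, as an added illustration that is not libvirt's code: a bitmap whose bit test and string parser both check the index against the map size before touching the array. The `struct bitmap` type, the function names, the 16-bit capacity and the comma-separated "N" / "N-M" syntax are assumptions made for this example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define WORD_BITS (sizeof(unsigned long) * CHAR_BIT)
#define MAP_BITS 16 /* assumed capacity for this example */

/* Hypothetical bitmap type for illustration; not libvirt's own structure. */
struct bitmap {
    size_t nbits;
    unsigned long words[(MAP_BITS + WORD_BITS - 1) / WORD_BITS];
};

/* Returns 1 or 0 for a valid index, -1 when bit is outside the map.
 * Without the nbits comparison, words[] would be indexed out of bounds. */
int bitmap_is_set(const struct bitmap *b, size_t bit)
{
    if (bit >= b->nbits)
        return -1;
    return (int)((b->words[bit / WORD_BITS] >> (bit % WORD_BITS)) & 1UL);
}

/* Parses comma-separated "N" and "N-M" items (assumed syntax).
 * Returns 0 on success, -1 on malformed or out-of-range input. */
int bitmap_parse(const char *s, struct bitmap *b)
{
    memset(b, 0, sizeof(*b));
    b->nbits = MAP_BITS;
    while (*s) {
        char *end;
        if (!isdigit((unsigned char)*s))
            return -1;
        unsigned long lo = strtoul(s, &end, 10), hi = lo;
        if (*end == '-' && isdigit((unsigned char)end[1]))
            hi = strtoul(end + 1, &end, 10);
        if (hi < lo || hi >= b->nbits) /* reject before touching words[] */
            return -1;
        for (unsigned long bit = lo; bit <= hi; bit++)
            b->words[bit / WORD_BITS] |= 1UL << (bit % WORD_BITS);
        if (*end == ',' && end[1] != '\0')
            s = end + 1;
        else if (*end == '\0')
            s = end;
        else
            return -1;
    }
    return 0;
}
```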

Impact

A malicious user can cause libvirtd to crash by feeding it data with malformed bitmap strings.

Workaround

Prevent untrusted users from accessing the libvirtd daemon.

Affected product: libvirt

Branch master
Broken in: v0.10.2
Broken in: v1.0.0
Broken in: v1.0.1
Broken in: v1.0.2
Broken in: v1.0.3
Broken in: v1.0.4
Broken in: v1.0.5
Broken in: v1.0.6
Broken in: v1.1.0
Broken in: v1.1.1
Fixed in: v1.1.2
Broken by: 0fc89098a68f0f6962de8be4fc03ddd960ffbf08
Fixed by: 47b9127e883677a0d60d767030a147450e919a25
Branch v0.10.2-maint
Broken in: v0.10.2.1
Broken in: v0.10.2.2
Broken in: v0.10.2.3
Broken in: v0.10.2.4
Broken in: v0.10.2.5
Broken in: v0.10.2.6
Broken in: v0.10.2.7
Broken by: 0fc89098a68f0f6962de8be4fc03ddd960ffbf08
Fixed in: v0.10.2.8
Fixed by: ecad40d8b84864bee4495d1447902a6206a39a4d
Branch v1.0.4-maint
Broken in:
Broken by: 0fc89098a68f0f6962de8be4fc03ddd960ffbf08
Fixed by: b68a721d45085115d9d1ffd5329aff1fdaf1845a
Branch v1.0.5-maint
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Fixed in: v1.0.5.6
Broken by: 0fc89098a68f0f6962de8be4fc03ddd960ffbf08
Fixed by: 1ffdaced5b041db919ebd3a346c2d1abb8abe074
Branch v1.0.6-maint
Broken in:
Broken by: 0fc89098a68f0f6962de8be4fc03ddd960ffbf08
Fixed by: c56f17e5435858f30471eb3da3a19a3ccd9d5a3b
Branch v1.1.0-maint
Broken in:
Broken by: 0fc89098a68f0f6962de8be4fc03ddd960ffbf08
Fixed by: 7d7e29bb939e3caabe8ddfef42bb44c0011436f3
Branch v1.1.1-maint
Broken in:
Broken by: 0fc89098a68f0f6962de8be4fc03ddd960ffbf08
Fixed by: 02340c7f67c381395aeede4586bd3b1ff3f5d291
