Libvirt Security Notice: LSN-2013-0021 ====================================== Summary: libvirtd crash during seamless SPICE migration Reported on: 20130919 Published on: 20130919 Fixed on: 20130920 Reported by: Marian Krcmarik Patched by: Martin Kletzander See also: CVE-2013-7336 Description ----------- When migrating a guest with a live SPICE connection, the source libvirtd did not properly track that the migration job was still waiting for status from the handshakes involved in seamless migration. Impact ------ If another client was querying domain status at the same time as the ongoing seamless SPICE migration, the incorrect job status could lead to memory corruption and a crash of libvirtd on the source side of the migration. As queries can be performed by an unprivileged user, this can be used to inflict a denial of service attack on other users of the libvirtd daemon with higher privilege. Workaround ---------- The impact can be mitigated by blocking access to the read-only libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro' parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the 'read' permission should be removed from any untrusted users. This will not prevent the crash, but will stop unprivileged users from inflicting the denial of service on higher privileged users. Additionally, avoiding SPICE seamless migration is sufficient to avoid the problem. Affected product ---------------- Name: libvirt Repository: https://gitlab.com/libvirt/libvirt Branch: master Broken in: v1.1.0 Broken in: v1.1.1 Broken in: v1.1.2 Fixed in: v1.1.3 Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe Fixed by: 484cc3217b73b865f00bf42a9c12187b37200699 Branch: v1.1.0-maint Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe Fixed by: 476d0e38af11f3ff50d85e3f7aecad4cd8208c76 Branch: v1.1.1-maint Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe Fixed by: fea2550974137918c2bc9e01f3eb00421585450c Branch: v1.1.2-maint Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe Fixed by: b6ea7abcf72d7d0aaf90e17aa8e8e88db8f778ea