Libvirt Security Notice: LSN-2013-0001

Fix crash on error paths of message dispatching

Lifecycle

Reported on: 20130104
Published on: 20130128
Fixed on: 20130128

Credits

Reported by: Peter Krempa
Patched by: Peter Krempa

See also

Description

When reading and dispatching of a message failed the message was freed but was not removed from the message queue. When the connection was later closed this would result in an attempt to free uninitialized memory

Impact

A malicious user could send an RPC message which intentionally results in an error and thus cause libvirtd to crash

Workaround

Remove access to libvirtd from untrusted user accounts

Affected product: libvirt

Branch master
Broken in: v0.9.7
Broken in: v0.9.8
Broken in: v0.9.9
Broken in: v0.9.10
Broken in: v0.9.11
Broken in: v0.9.12
Broken in: v0.9.13
Broken in: v0.10.0
Broken in: v0.10.1
Broken in: v0.10.2
Broken in: v1.0.0
Broken in: v1.0.1
Fixed in: v1.0.2
Broken by: b2c62316477989f8d728af49bdac8248ab5f5463
Fixed by: 46532e3e8ed5f5a736a02f67d6c805492f9ca720
Branch v0.9.11-maint
Broken in: v0.9.11.1
Broken in: v0.9.11.2
Broken in: v0.9.11.3
Broken in: v0.9.11.4
Broken in: v0.9.11.5
Broken in: v0.9.11.6
Broken in: v0.9.11.7
Broken in: v0.9.11.8
Fixed in: v0.9.11.9
Broken by: b2c62316477989f8d728af49bdac8248ab5f5463
Fixed by: d0e1501518e0390c0b3326e2c5bd1fb7e1566414
Branch v0.9.12-maint
Fixed in: v0.9.12.1
Broken by: b2c62316477989f8d728af49bdac8248ab5f5463
Fixed by: ba92d4a9ca6dba7b59cef01d02da24955d1334cd
Branch v0.10.2-maint
Broken in: v0.10.2.1
Broken in: v0.10.2.2
Fixed in: v0.10.2.3
Broken by: b2c62316477989f8d728af49bdac8248ab5f5463
Fixed by: f104a2a6b36aa6f4842c0a64354055657c0df8e2
Branch v1.0.0-maint
Broken by: b2c62316477989f8d728af49bdac8248ab5f5463
Branch v1.0.1-maint
Broken by: b2c62316477989f8d728af49bdac8248ab5f5463

Alternative formats: [xml] [text]