Libvirt Security Notice: LSN-2014-0008
deadlock or segfault in virConnectGetAllDomainStats
Lifecycle
Reported on: 20141127
Published on: 20141205
Fixed on: 20141211
Credits
See also
Description
When fine-grained ACLs are used to restrict which domains a user
can access, a logic bug in the qemu implementation of
virConnectGetAllDomainStats could result in incorrect lock management
of the next domain inspected after a domain that was skipped due to
ACL restrictions.
Impact
A restricted client can trigger a denial of service against a
more privileged user: libvirtd either deadlocks when trying to
lock an incorrectly locked domain, or crashes when trying to unlock a
domain that was not locked.
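The two symptoms named above (a domain left locked, and an unlock of a domain that was not locked) can be caught by checking lock balance under every possible ACL outcome. The following C model is an added example, not libvirt's code: `struct dom`, `stats_flawed`, `stats_fixed` and `violating_masks` are hypothetical names, and the flawed loop is only an assumed way for a skip path to leave stale lock state for the next domain.

```c
#include <stdio.h>
#define NDOMS 3
/* Constructed model of a domain: ACL verdict for the caller, lock depth. */
struct dom { int allowed; int locked; };
static int bad_unlocks;   /* unlocks of a domain that was not locked */
static void dom_lock(struct dom *d) { d->locked++; }
static void dom_unlock(struct dom *d) { if (d->locked) d->locked--; else bad_unlocks++; }

/* Hypothetical flawed loop (assumption): the ACL skip path bypasses the cleanup. */
static void stats_flawed(struct dom *doms, int n)
{
    int locked = 0;                      /* carried across iterations */
    for (int i = 0; i < n; i++) {
        if (!locked) { dom_lock(&doms[i]); locked = 1; }
        if (!doms[i].allowed) continue;  /* skipped, but left locked */
        dom_unlock(&doms[i]);            /* after collecting its stats */
        locked = 0;
    }
}

/* Hardened loop: no state outlives an iteration and every path unlocks. */
static void stats_fixed(struct dom *doms, int n)
{
    for (int i = 0; i < n; i++) {
        dom_lock(&doms[i]);              /* stats collected only if .allowed */
        dom_unlock(&doms[i]);
    }
}

/* Run fn under every ACL mask; count masks that leak a lock or mis-unlock. */
static int violating_masks(void (*fn)(struct dom *, int))
{
    int violating = 0;
    for (unsigned mask = 0; mask < (1u << NDOMS); mask++) {
        struct dom doms[NDOMS];
        int leaked = 0;
        bad_unlocks = 0;
        for (int i = 0; i < NDOMS; i++) doms[i] = (struct dom){ (int)((mask >> i) & 1u), 0 };
        fn(doms, NDOMS);
        for (int i = 0; i < NDOMS; i++) leaked += doms[i].locked;
        violating += (leaked || bad_unlocks);
    }
    return violating;
}

int main(void)
{
    printf("flawed=%d fixed=%d\n", violating_masks(stats_flawed), violating_masks(stats_fixed));
    return 0;
}
```

In this model the flawed loop breaks lock balance for every ACL outcome that denies at least one domain, while the hardened loop never does.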
Workaround
Stop using the fine-grained access control mechanism, or
stop using access control to restrict the set of domains that
an authorized client can see.
Affected product: libvirt