libvirt: CVE-2013-4239: memory corruption in xenDaemonListDefinedDomains function

Related Vulnerabilities: CVE-2013-4239  

Debian Bug report logs - #719533
libvirt: CVE-2013-4239: memory corruption in xenDaemonListDefinedDomains function

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 12 Aug 2013 20:51:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version 1.1.1-1

Fixed in version libvirt/1.1.2~rc1-1

Done: Guido Günther <agx@sigxcpu.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#719533; Package libvirt. (Mon, 12 Aug 2013 20:51:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Mon, 12 Aug 2013 20:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libvirt: CVE-2013-4239: memory corruption in xenDaemonListDefinedDomains function
Date: Mon, 12 Aug 2013 22:49:21 +0200
Package: libvirt
Version: 1.1.1-1
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for libvirt.

(marking this as rc, to not have it enter testing, even though there are
already rc bugs blocking the migration).

CVE-2013-4239[0]:
memory corruption in xenDaemonListDefinedDomains function

This was introduced only in 1.1.1-1 in commit [1] and there is a fix
for it in [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4239
    http://security-tracker.debian.org/tracker/CVE-2013-4239
[1] http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=632180d1
[2] http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=0e671a16

Regards,
Salvatore



Reply sent to Guido Günther <agx@sigxcpu.org>:
You have taken responsibility. (Thu, 29 Aug 2013 19:09:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 29 Aug 2013 19:09:06 GMT)


Message #10 received at 719533-close@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: 719533-close@bugs.debian.org
Subject: Bug#719533: fixed in libvirt 1.1.2~rc1-1
Date: Thu, 29 Aug 2013 19:05:00 +0000
Source: libvirt
Source-Version: 1.1.2~rc1-1

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 719533@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 29 Aug 2013 20:22:10 +0200
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev python-libvirt libvirt-sanlock
Architecture: source i386 all
Version: 1.1.2~rc1-1
Distribution: experimental
Urgency: low
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Description: 
 libvirt-bin - programs for the libvirt library
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt-sanlock - library for interfacing with different virtualization systems
 libvirt0   - library for interfacing with different virtualization systems
 libvirt0-dbg - library for interfacing with different virtualization systems
 python-libvirt - libvirt Python bindings
Closes: 719533 721172
Changes: 
 libvirt (1.1.2~rc1-1) experimental; urgency=low
 .
   * [a3b140a] New upstream version 1.1.2~rc1 (Closes: #719533)
   * [6c162e3] Update patches:
     Drop virGetGroupList-always-include-the-primary-group.patch applied
     upstream.
   * [e6c12ec] Update symbols
   * [a3548ee] Drop versioned libaudit-dev dependency (Closes: #721172)
   * [1562bb3] Fix "make check" not finding finding the libvirtd lense




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Sep 2013 07:29:57 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:17:23 2019; Machine Name: buxtehude
