libvirt: CVE-2017-2635: Null pointer dereference when updating storage size on empty drives

Related Vulnerabilities: CVE-2017-2635  

Debian Bug report logs - #856313

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 27 Feb 2017 16:21:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version libvirt/3.0.0-2

Fixed in version libvirt/3.0.0-3

Done: Guido Günther <agx@sigxcpu.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#856313; Package src:libvirt. (Mon, 27 Feb 2017 16:21:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Mon, 27 Feb 2017 16:21:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libvirt: CVE-2017-2635: Null pointer dereference when updating storage size on empty drives
Date: Mon, 27 Feb 2017 17:17:05 +0100

Source: libvirt
Version: 3.0.0-2
Severity: grave
Tags: upstream patch security
Justification: user security hole

Hi Guido,

the following vulnerability was published for libvirt.

CVE-2017-2635[0]:
Null pointer dereference when updating storage size on empty drives

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2635
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2635

Regards,
Salvatore

p.s.: if you are short on time, I can happily prepare a NMU for this
      one.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#856313; Package src:libvirt. (Mon, 27 Feb 2017 20:27:08 GMT).


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Mon, 27 Feb 2017 20:27:08 GMT).


Message #10 received at 856313@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 856313@bugs.debian.org
Subject: Re: [Pkg-libvirt-maintainers] Bug#856313: libvirt: CVE-2017-2635: Null pointer dereference when updating storage size on empty drives
Date: Mon, 27 Feb 2017 21:00:33 +0100

On Mon, Feb 27, 2017 at 05:17:05PM +0100, Salvatore Bonaccorso wrote:
> Source: libvirt
> Version: 3.0.0-2
> Severity: grave
> Tags: upstream patch security
> Justification: user security hole
> 
> Hi Guido,
> 
> the following vulnerability was published for libvirt.
> 
> CVE-2017-2635[0]:
> Null pointer dereference when updating storage size on empty drives

I just uploaded a fixed version to unstable. Thanks for sorting out the
correct version information!
 -- Guido

> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-2635
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2635
> 
> Regards,
> Salvatore
> 
> p.s.: if you are short on time, I can happily prepare a NMU for this
>       one.



Reply sent to Guido Günther <agx@sigxcpu.org>:
You have taken responsibility. (Mon, 27 Feb 2017 21:09:10 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 27 Feb 2017 21:09:10 GMT).


Message #15 received at 856313-close@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: 856313-close@bugs.debian.org
Subject: Bug#856313: fixed in libvirt 3.0.0-3
Date: Mon, 27 Feb 2017 21:05:55 +0000

Source: libvirt
Source-Version: 3.0.0-3

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856313@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 27 Feb 2017 20:07:41 +0100
Source: libvirt
Binary: libvirt-clients libvirt-daemon libvirt-daemon-system libvirt0 libvirt-doc libvirt-dev libvirt-sanlock libnss-libvirt
Architecture: source
Version: 3.0.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Closes: 856313
Description: 
 libnss-libvirt - nss plugin providing IP address resolution for virtual machines
 libvirt0   - library for interfacing with different virtualization systems
 libvirt-clients - Programs for the libvirt library
 libvirt-daemon-system - Libvirt daemon configuration files
 libvirt-daemon - Virtualization daemon
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt-sanlock - Sanlock plugin for virtlockd
Changes:
 libvirt (3.0.0-3) unstable; urgency=medium
 .
   * [62ad289] Debianize virtlogd
   * [cb216b5] CVE-2017-2635: qemu: Don't update physical storage size of empty drives
     (Closes: #856313)
Checksums-Sha1: 
 db9f7bf8c684d78d11e48fa8bc63ee4b2f29f8e6 3926 libvirt_3.0.0-3.dsc
 9fc2926bbb50f58bac8b59c9bd4b2b99379ec67f 62884 libvirt_3.0.0-3.debian.tar.xz
Checksums-Sha256: 
 ba56aa32baed5c975fea8e107f8648be654f147cdfe23628d0016f3f150c74fc 3926 libvirt_3.0.0-3.dsc
 4428e37498eba4a6ea26698fdb7590f2ad00aaec69ea83817f234f09dc16d5c3 62884 libvirt_3.0.0-3.debian.tar.xz
Files: 
 563f9e19ad4dad8d8f8b07db8697ada8 3926 libs optional libvirt_3.0.0-3.dsc
 dcc6c87a7db1445b26057a3c5380fcfb 62884 libs optional libvirt_3.0.0-3.debian.tar.xz





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#856313; Package src:libvirt. (Tue, 28 Feb 2017 05:24:02 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Tue, 28 Feb 2017 05:24:02 GMT).


Message #20 received at 856313@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Guido Günther <agx@sigxcpu.org>
Cc: 856313@bugs.debian.org
Subject: Re: [Pkg-libvirt-maintainers] Bug#856313: libvirt: CVE-2017-2635: Null pointer dereference when updating storage size on empty drives
Date: Tue, 28 Feb 2017 06:21:08 +0100

Hi Guido,

On Mon, Feb 27, 2017 at 09:00:33PM +0100, Guido Günther wrote:
> On Mon, Feb 27, 2017 at 05:17:05PM +0100, Salvatore Bonaccorso wrote:
> > Source: libvirt
> > Version: 3.0.0-2
> > Severity: grave
> > Tags: upstream patch security
> > Justification: user security hole
> > 
> > Hi Guido,
> > 
> > the following vulnerability was published for libvirt.
> > 
> > CVE-2017-2635[0]:
> > Null pointer dereference when updating storage size on empty drives
> 
> I just uploaded a fixed version to unstable. Thanks for sorting out the
> correct version information!

Thanks for the very quick action! Will you request as well the unblock
to have the fix in stretch? I see there is one additional commit, hope
that is suitable as well for stretch (aka. Debianize virtlogd).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#856313; Package src:libvirt. (Tue, 28 Feb 2017 07:45:06 GMT).


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Tue, 28 Feb 2017 07:45:06 GMT).


Message #25 received at 856313@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 856313@bugs.debian.org
Subject: Re: [Pkg-libvirt-maintainers] Bug#856313: libvirt: CVE-2017-2635: Null pointer dereference when updating storage size on empty drives
Date: Tue, 28 Feb 2017 08:41:46 +0100

On Tue, Feb 28, 2017 at 06:21:08AM +0100, Salvatore Bonaccorso wrote:
> Hi Guido,
> 
> On Mon, Feb 27, 2017 at 09:00:33PM +0100, Guido Günther wrote:
> > On Mon, Feb 27, 2017 at 05:17:05PM +0100, Salvatore Bonaccorso wrote:
> > > Source: libvirt
> > > Version: 3.0.0-2
> > > Severity: grave
> > > Tags: upstream patch security
> > > Justification: user security hole
> > > 
> > > Hi Guido,
> > > 
> > > the following vulnerability was published for libvirt.
> > > 
> > > CVE-2017-2635[0]:
> > > Null pointer dereference when updating storage size on empty drives
> > 
> > I just uploaded a fixed version to unstable. Thanks for sorting out the
> > correct version information!
> 
> Thanks for the very quick action! Will you request as well the unblock
> to have the fix in stretch? I see there is one additional commit, hope

Sure, just wanted to make sure the buildds are happy with it.

> that is suitable as well for stretch (aka. Debianize virtlogd).

It hopefully is, otherwise we'd fetch the config from the wrong
location.
Cheers,
 -- Guido



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 29 Mar 2017 07:26:39 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:51:24 2019; Machine Name: beach