libvirt [CVE-2013-0170]: libvirt Use-After-Free May Let Remote Users Execute Arbitrary Code

Debian Bug report logs - #699224
libvirt [CVE-2013-0170]: libvirt Use-After-Free May Let Remote Users Execute Arbitrary Code

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>

To: submit@bugs.debian.org

Subject: libvirt [CVE-2013-0170]: libvirt Use-After-Free May Let Remote Users Execute Arbitrary Code

Date: Tue, 29 Jan 2013 10:52:16 +0100

Package: libvirt
Severity: grave
Tags: security patch
Justification: user security hole

Hi,
please see :
https://bugzilla.redhat.com/show_bug.cgi?id=893450
http://libvirt.org/git/?p=libvirt.git;a=commit;h=46532e3e8ed5f5a736a02f67d6c805492f9ca720

The Debian package in unstable looks affected. Can you check if the stable 
version is affected too?

Cheers,
luciano

Message #10 received at 699224@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: Luciano Bello <luciano@debian.org>, 699224@bugs.debian.org

Subject: Re: [Pkg-libvirt-maintainers] Bug#699224: libvirt [CVE-2013-0170]: libvirt Use-After-Free May Let Remote Users Execute Arbitrary Code

Date: Tue, 29 Jan 2013 21:35:35 +0100

On Tue, Jan 29, 2013 at 10:52:16AM +0100, Luciano Bello wrote:
> Package: libvirt
> Severity: grave
> Tags: security patch
> Justification: user security hole
> 
> Hi,
> please see :
> https://bugzilla.redhat.com/show_bug.cgi?id=893450
> http://libvirt.org/git/?p=libvirt.git;a=commit;h=46532e3e8ed5f5a736a02f67d6c805492f9ca720
> 
> The Debian package in unstable looks affected. Can you check if the stable 
> version is affected too?

It seems stable isn't affected but I'm dobule checking with upstream.
Unstable/wheezy is affected.
Cheers,
 -- Guido

> 
> Cheers,
> luciano
> 
> _______________________________________________
> Pkg-libvirt-maintainers mailing list
> Pkg-libvirt-maintainers@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-libvirt-maintainers
> 

Message #15 received at 699224-close@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: 699224-close@bugs.debian.org

Subject: Bug#699224: fixed in libvirt 0.9.12-6

Date: Tue, 29 Jan 2013 21:03:06 +0000

Source: libvirt
Source-Version: 0.9.12-6

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699224@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 29 Jan 2013 21:02:05 +0100
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev python-libvirt
Architecture: source all i386
Version: 0.9.12-6
Distribution: unstable
Urgency: low
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Description: 
 libvirt-bin - programs for the libvirt library
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt0   - library for interfacing with different virtualization systems
 libvirt0-dbg - library for interfacing with different virtualization systems
 python-libvirt - libvirt Python bindings
Closes: 697852 699128 699224 699281
Changes: 
 libvirt (0.9.12-6) unstable; urgency=low
 .
   * [78a3a68] Revert "rpc: Discard non-blocking calls only when necessary"
     Thanks to Jiri Denemark for the patch and Philipp Hahn for debugging
   * [5b4dc1a] qemu: Fix off-by-one error while unescaping monitor strings.
     Thanks to Peter Krempa for the patch and Philipp Hahn for debugging this
     (Closes: #699281)
   * [372f53d] rpc: Fix crash on error paths of message dispatching.
     This fixes CVE-2013-0170
     Thanks to Peter Krempa (Closes: #699224)
   * [2a2a60e] Make python-libvirt depend on the exact same libvirt0 version
     (Closes: #697852, #699128)
Checksums-Sha1: 
 e63fd3366c1ff7b9f3a40efafe4415f1e663aee5 2276 libvirt_0.9.12-6.dsc
 9c2a7ebb0443e0f9f2a28f04627650e39eacf762 39403 libvirt_0.9.12-6.debian.tar.gz
 09f8d021b8f7ac6ce800899f81a24a23a6a5fc8b 2174106 libvirt-doc_0.9.12-6_all.deb
 463fc4186e3f3588768e001d284a30a1ac900771 2333552 libvirt-bin_0.9.12-6_i386.deb
 227455ddf4c4c3d5ceacf7eb28f8750bd5e53ccf 2122184 libvirt0_0.9.12-6_i386.deb
 e8baee85b442b4684d2d9b6bc63f64d692ccf1e7 7471272 libvirt0-dbg_0.9.12-6_i386.deb
 025018d355dc745eba3ea262efb5580a4cdf6f77 2503610 libvirt-dev_0.9.12-6_i386.deb
 074f4d10074ad3c985676d6e30398f0eea97f621 1420600 python-libvirt_0.9.12-6_i386.deb
Checksums-Sha256: 
 96b5f922c87ec9670ffd3c3e55208a16630ffb1f086e0eb16a2564a83431b002 2276 libvirt_0.9.12-6.dsc
 04be65c9cba6b35ade0aac3ff88c3a79e071e2f44882bf7fa943e5740db80885 39403 libvirt_0.9.12-6.debian.tar.gz
 954f2ba444d177e5164735d2beb083605eefa795a84f99645e494660bbc1403a 2174106 libvirt-doc_0.9.12-6_all.deb
 b9961c151811b7f83444e194be26cd8a0bd53774bda7200e6c6075e96b55f518 2333552 libvirt-bin_0.9.12-6_i386.deb
 d67dd2bb41ef1ccd606412b82c37823da13731e72b83fcd5acc502174441839a 2122184 libvirt0_0.9.12-6_i386.deb
 738e372662efa24d171b2e99657ea885794b7de19e05f0605dbbe6746bc1713d 7471272 libvirt0-dbg_0.9.12-6_i386.deb
 90323706feffa2c64b36003f435927d29e39a80fe0a9b0ad8c9918b4107ef5a6 2503610 libvirt-dev_0.9.12-6_i386.deb
 529a5b80951c1cb306d989b6b920bb437902f5398bed174362ece45e51885c59 1420600 python-libvirt_0.9.12-6_i386.deb
Files: 
 4a748f53080a86a2488309dc0bf9574f 2276 libs optional libvirt_0.9.12-6.dsc
 d3c30544e35e0fffccb69a51dda2d301 39403 libs optional libvirt_0.9.12-6.debian.tar.gz
 7526e0a5973d4cb38b90d383794272d8 2174106 doc optional libvirt-doc_0.9.12-6_all.deb
 61e72b967ab46f9e86551bff138de7d1 2333552 admin optional libvirt-bin_0.9.12-6_i386.deb
 18c1efd956ed901c41465ca8bf6764f8 2122184 libs optional libvirt0_0.9.12-6_i386.deb
 94d597663ae660358e1f7626500c6767 7471272 debug extra libvirt0-dbg_0.9.12-6_i386.deb
 e237b11fdd69e27654a2a0758415d80b 2503610 libdevel optional libvirt-dev_0.9.12-6_i386.deb
 6c5763c5cef5dd01d2d137f224591061 1420600 python optional python-libvirt_0.9.12-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRCDYSn88szT8+ZCYRAgp7AJ9fUj7z8sx5+IZdQE0snoR49CLvOACfZXe6
G7Gvr9gWyqjgvmLB72Ye698=
=RXZv
-----END PGP SIGNATURE-----

Message #20 received at 699224@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: Eric Blake <eblake@redhat.com>

Cc: Peter Krempa <pkrempa@redhat.com>, libvir-list@redhat.com, 699224@bugs.debian.org

Subject: Re: [libvirt] [PATCH] rpc: Fix crash on error paths of message dispatching

Date: Sun, 3 Feb 2013 18:18:57 +0100

Hi Eric,
On Tue, Jan 29, 2013 at 02:21:30PM -0700, Eric Blake wrote:
> On 01/29/2013 01:22 PM, Guido Günther wrote:
> > Hi,
> > On Mon, Jan 28, 2013 at 07:35:38PM +0100, Peter Krempa wrote:
> >> When reading and dispatching of a message failed the message was freed
> >> but wasn't removed from the message queue.
> >>
> >> After that when the connection was about to be closed the pointer for
> >> the message was still present in the queue and it was passed to
> >> virNetMessageFree which tried to call the callback function from an
> >> uninitialized pointer.
> > 
> > Debian stable is shipping 0.8.2. I checked and it seems this version
> > isn't affected siince we properly remove the message from the queue
> > before looking at it in daemon/libvirtd.c. I'd be great if somebody
> > could double check though!
> 
> 0.8.2 predates the RPC rewrite, and I concur with your assessment that
> back then, the code was _always_ clearing the queue:
> 
> v0.8.2:daemon/libvirtd.c:qemudDispatchClientRead():
> 
>         /* Grab the completed message */
>         struct qemud_client_message *msg =
> qemudClientMessageQueueServe(&client->rx);
>         struct qemud_client_filter *filter;
> 
>         /* Decode the header so we can use it for routing decisions */
>         if (remoteDecodeClientMessageHeader(msg) < 0) {
>             VIR_FREE(msg);
>             qemudDispatchClientFailure(client);
>         }
> 
> However, it does look like there might be a missing 'return' statement
> after that error is reported, especially given that the next error
> reporting a few lines later does an early return.

Thanks for double checking. It indeed looks like there's a return
missing (cc:'ing the Debian bugreport to make this information permanent
there too).
Cheers,
 -- Guido

> But the best way to determine if this version is actually vulnerable to
> the CVE would be trying the exploit, and seeing if libvirtd survives
> with proper error logging about an invalid client request; Peter may
> have more details on how best to attempt that (although it may be better
> to discuss those details off-list, even if the CVE is already public, so
> that others are less likely to maliciously use the exploit).


> 
> -- 
> Eric Blake   eblake redhat com    +1-919-301-3266
> Libvirt virtualization library http://libvirt.org
> 

Message #23 received at 699224-submitter@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: 699224-submitter@bugs.debian.org

Subject: Re: Bug#699224: [libvirt] [PATCH] rpc: Fix crash on error paths of message dispatching

Date: Fri, 22 Feb 2013 20:54:39 +0100

[Message part 1 (text/plain, inline)]

Hi,
On Sun, Feb 03, 2013 at 06:18:57PM +0100, Guido Günther wrote:
> Hi Eric,
> On Tue, Jan 29, 2013 at 02:21:30PM -0700, Eric Blake wrote:
> > On 01/29/2013 01:22 PM, Guido Günther wrote:
> > > Hi,
> > > On Mon, Jan 28, 2013 at 07:35:38PM +0100, Peter Krempa wrote:
> > >> When reading and dispatching of a message failed the message was freed
> > >> but wasn't removed from the message queue.
> > >>
> > >> After that when the connection was about to be closed the pointer for
> > >> the message was still present in the queue and it was passed to
> > >> virNetMessageFree which tried to call the callback function from an
> > >> uninitialized pointer.
> > > 
> > > Debian stable is shipping 0.8.2. I checked and it seems this version
> > > isn't affected siince we properly remove the message from the queue
> > > before looking at it in daemon/libvirtd.c. I'd be great if somebody
> > > could double check though!
> > 
> > 0.8.2 predates the RPC rewrite, and I concur with your assessment that
> > back then, the code was _always_ clearing the queue:
> > 
> > v0.8.2:daemon/libvirtd.c:qemudDispatchClientRead():
> > 
> >         /* Grab the completed message */
> >         struct qemud_client_message *msg =
> > qemudClientMessageQueueServe(&client->rx);
> >         struct qemud_client_filter *filter;
> > 
> >         /* Decode the header so we can use it for routing decisions */
> >         if (remoteDecodeClientMessageHeader(msg) < 0) {
> >             VIR_FREE(msg);
> >             qemudDispatchClientFailure(client);
> >         }
> > 
> > However, it does look like there might be a missing 'return' statement
> > after that error is reported, especially given that the next error
> > reporting a few lines later does an early return.
> 
> Thanks for double checking. It indeed looks like there's a return
> missing (cc:'ing the Debian bugreport to make this information permanent
> there too).
Sorry for the delay but attached patch would fix the issue in Squeeze.
I didn't reference the CVE since it's a kind of different problem but
could do so of course if needed.
Cheers,
 -- Guido

[debdiff (text/plain, attachment)]

Send a report that this bug log contains spam.