Debian Bug report logs -
#734556
libvirt: CVE-2013-6458: qemu: job usage issue in several APIs leading to libvirtd crash
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 8 Jan 2014 06:18:02 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in versions 0.8.3-5, 1.2.0-2, 0.9.12-11
Fixed in versions libvirt/1.2.1~rc1-1, libvirt/0.9.12.3-1
Done: Guido Günther <agx@sigxcpu.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
:
Bug#734556
; Package libvirt
.
(Wed, 08 Jan 2014 06:18:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
.
(Wed, 08 Jan 2014 06:18:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libvirt
Severity: grave
Tags: security upstream patch fixed-upstream
Hi Guido,
Disclaimer: I have not checked to reproduce the crash, just shortly
checked latest unstable version. Have set grave as per "[...] could
allow an attacker who is able to establish a read-only connection to
libvirtd to crash libvirtd".
the following vulnerability was published for libvirt.
CVE-2013-6458[0]:
job usage issue in several APIs leading to libvirtd crash
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6458
http://security-tracker.debian.org/tracker/CVE-2013-6458
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1048631
[2] http://libvirt.org/git/?p=libvirt.git;a=commit;h=db86da5ca2109e4006c286a09b6c75bfe10676ad
(upstream fix)
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
:
Bug#734556
; Package libvirt
.
(Thu, 09 Jan 2014 08:18:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Guido Günther <agx@sigxcpu.org>
:
Extra info received and forwarded to list. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
.
(Thu, 09 Jan 2014 08:18:10 GMT) (full text, mbox, link).
Message #10 received at 734556@bugs.debian.org (full text, mbox, reply):
On Wed, Jan 08, 2014 at 07:16:18AM +0100, Salvatore Bonaccorso wrote:
> Package: libvirt
> Severity: grave
> Tags: security upstream patch fixed-upstream
>
> Hi Guido,
>
> Disclaimer: I have not checked to reproduce the crash, just shortly
> checked latest unstable version. Have set grave as per "[...] could
> allow an attacker who is able to establish a read-only connection to
> libvirtd to crash libvirtd".
I do think it affects all releases.
Cheers,
-- Guido
>
> the following vulnerability was published for libvirt.
>
> CVE-2013-6458[0]:
> job usage issue in several APIs leading to libvirtd crash
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6458
> http://security-tracker.debian.org/tracker/CVE-2013-6458
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1048631
> [2] http://libvirt.org/git/?p=libvirt.git;a=commit;h=db86da5ca2109e4006c286a09b6c75bfe10676ad
> (upstream fix)
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
> _______________________________________________
> Pkg-libvirt-maintainers mailing list
> Pkg-libvirt-maintainers@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-libvirt-maintainers
>
Reply sent
to Guido Günther <agx@sigxcpu.org>
:
You have taken responsibility.
(Thu, 09 Jan 2014 09:21:14 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Thu, 09 Jan 2014 09:21:14 GMT) (full text, mbox, link).
Message #15 received at 734556-close@bugs.debian.org (full text, mbox, reply):
Source: libvirt
Source-Version: 1.2.1~rc1-1
We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 734556@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 09 Jan 2014 08:23:57 +0100
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev libvirt-sanlock
Architecture: source i386 all
Version: 1.2.1~rc1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Description:
libvirt-bin - programs for the libvirt library
libvirt-dev - development files for the libvirt library
libvirt-doc - documentation for the libvirt library
libvirt-sanlock - library for interfacing with different virtualization systems
libvirt0 - library for interfacing with different virtualization systems
libvirt0-dbg - library for interfacing with different virtualization systems
Closes: 734556
Changes:
libvirt (1.2.1~rc1-1) experimental; urgency=medium
.
[ Laurent Bigonville ]
* [f6b0feb] Pass --with-selinux-mount=/sys/fs/selinux to ./configure.
The buildd are not running selinux and this make the auto-detection code
defaults to /selinux which is actually not existing anymore in sid.
This complete the fix for SELinux support.
.
[ Guido Günther ]
* Upload to experimental
* [20d9129] Enable parallel build support.
Thanks to Felix Geyer for pointing this out
* [0d0590e] New upstream version 1.2.1~rc1. Fixes CVE-2013-6458
(Closes: #734556)
* [a3f978b] Bump symbol versions
* [0a6a276] Rediff patches.
Dropped (fixed upstream):
security-fix-crash-in-lxcDomainGetMemoryParameters.patch
security-fix-crash-in-lxcDomainSetMemoryParameters.patch
* [3061b11] Build with apparmor support.
Note that this isn't enough to run with apparmor support since the
profiles will need more work but it makes testing this a lot simpler.
This is heavily based on a patch by Felix Geyer.
See: #725144
Checksums-Sha1:
25c3c7a81cc2e006bfc6e1c7d903971830faca68 2614 libvirt_1.2.1~rc1-1.dsc
ff8c8769f20fb2d6c92bbf6769b5d7a4248e05bb 27094280 libvirt_1.2.1~rc1.orig.tar.gz
06f6f7ee7e1cdfa294d58ada0fc5b75650b072c3 44230 libvirt_1.2.1~rc1-1.debian.tar.gz
a5542ab0b7064967d278be488b95145537a35dc6 3556670 libvirt-bin_1.2.1~rc1-1_i386.deb
eb31792bc9a86bef698b6e1a4a2f47ebf39b49b4 2503934 libvirt0_1.2.1~rc1-1_i386.deb
cdc2ff56d8ae1a597f170af7687d3a5928b60aca 7745244 libvirt0-dbg_1.2.1~rc1-1_i386.deb
51009fe17eabe8dbdc5aa30a78073a060ab97fd3 2751810 libvirt-doc_1.2.1~rc1-1_all.deb
ecbdff790ca113146874c5cda1edc6f217181f60 1814106 libvirt-dev_1.2.1~rc1-1_i386.deb
ccc09b09b915225f0ee0da7659149d2cd03c0215 1747024 libvirt-sanlock_1.2.1~rc1-1_i386.deb
Checksums-Sha256:
d2a1cdbd70eddf1a9df57024d5fcefefecdbc305cce5a65b70e3ee9779370509 2614 libvirt_1.2.1~rc1-1.dsc
00bcd6f9874b78872224658bd4a795bf2cca3d57149779ff9111e00f246858ca 27094280 libvirt_1.2.1~rc1.orig.tar.gz
21f670df0564570d07cd93df8c89af8a4d6c6adbb9dc5aa6af2bcb085a3b5708 44230 libvirt_1.2.1~rc1-1.debian.tar.gz
5cf3ff7e1fe1c502c0f1c455851fd9bd9ef14ad34d7eb04b8e5d73bf8d60d5f0 3556670 libvirt-bin_1.2.1~rc1-1_i386.deb
2bd9a076198694c7bdfa82208c0ea9fc04beb94efc32a88e097bf7a08edf0ef5 2503934 libvirt0_1.2.1~rc1-1_i386.deb
4930b4ec1e20176d133166b42af3de09304e87a724b075d6fea26c7a2d7166bc 7745244 libvirt0-dbg_1.2.1~rc1-1_i386.deb
3a31bba607f3743a5fd9bf97a000df63a47187775482d68a753b813fe14df7a8 2751810 libvirt-doc_1.2.1~rc1-1_all.deb
c44e688ef120106b3d77044acd34c69d9368984c65a55168e92a717d7bcb1ab2 1814106 libvirt-dev_1.2.1~rc1-1_i386.deb
ca093552141819f11b1751c1d420fa2441c5af8805c3c2554005be357ce6ae8f 1747024 libvirt-sanlock_1.2.1~rc1-1_i386.deb
Files:
aca75acb7a6124ee4faaf3aa5cb0f62b 2614 libs optional libvirt_1.2.1~rc1-1.dsc
c3a03a9594cd42ab39de3317d3f359e6 27094280 libs optional libvirt_1.2.1~rc1.orig.tar.gz
0759c83a976d8b863de7d6973ec49d33 44230 libs optional libvirt_1.2.1~rc1-1.debian.tar.gz
1c117ff1171e6536655449eadf02d712 3556670 admin optional libvirt-bin_1.2.1~rc1-1_i386.deb
4538ad204f30fb3f297f26d729f8d6cb 2503934 libs optional libvirt0_1.2.1~rc1-1_i386.deb
dd20b156ce43dd25b4603c1edf7ac37b 7745244 debug extra libvirt0-dbg_1.2.1~rc1-1_i386.deb
c85020541b7d83349a37a4979e6870ed 2751810 doc optional libvirt-doc_1.2.1~rc1-1_all.deb
fa378a2b25e2ee9c27d2c1ae3a9c4da2 1814106 libdevel optional libvirt-dev_1.2.1~rc1-1_i386.deb
eaf2edcafc08c3b1079a0e1fcbcc6604 1747024 libs extra libvirt-sanlock_1.2.1~rc1-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iD8DBQFSzl4On88szT8+ZCYRAvwfAJ4md40WN9/HOO9uEXG9z1MuBjGm3ACfSvZJ
oPgvZAj+I2ly6GD3cCXc4uw=
=87fR
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
:
Bug#734556
; Package libvirt
.
(Fri, 10 Jan 2014 02:09:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
.
(Fri, 10 Jan 2014 02:09:04 GMT) (full text, mbox, link).
Message #20 received at 734556@bugs.debian.org (full text, mbox, reply):
Hi Guido,
On Thu, Jan 09, 2014 at 08:54:21AM +0100, Guido Günther wrote:
> On Wed, Jan 08, 2014 at 07:16:18AM +0100, Salvatore Bonaccorso wrote:
> > Package: libvirt
> > Severity: grave
> > Tags: security upstream patch fixed-upstream
> >
> > Hi Guido,
> >
> > Disclaimer: I have not checked to reproduce the crash, just shortly
> > checked latest unstable version. Have set grave as per "[...] could
> > allow an attacker who is able to establish a read-only connection to
> > libvirtd to crash libvirtd".
>
> I do think it affects all releases.
Thanks for checking already (and the fix to experimental). Adding the
found information for the BTS.
Regards,
Salvatore
Marked as found in versions 0.8.3-5.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Fri, 10 Jan 2014 02:09:08 GMT) (full text, mbox, link).
Marked as found in versions 0.9.12-11.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Fri, 10 Jan 2014 02:09:08 GMT) (full text, mbox, link).
Marked as found in versions 1.2.0-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Fri, 10 Jan 2014 02:09:09 GMT) (full text, mbox, link).
Reply sent
to Guido Günther <agx@sigxcpu.org>
:
You have taken responsibility.
(Tue, 21 Jan 2014 21:21:31 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Tue, 21 Jan 2014 21:21:31 GMT) (full text, mbox, link).
Message #31 received at 734556-close@bugs.debian.org (full text, mbox, reply):
Source: libvirt
Source-Version: 0.9.12.3-1
We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 734556@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 16 Jan 2014 11:05:59 +0100
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev python-libvirt
Architecture: source all i386
Version: 0.9.12.3-1
Distribution: stable-security
Urgency: medium
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Description:
libvirt-bin - programs for the libvirt library
libvirt-dev - development files for the libvirt library
libvirt-doc - documentation for the libvirt library
libvirt0 - library for interfacing with different virtualization systems
libvirt0-dbg - library for interfacing with different virtualization systems
python-libvirt - libvirt Python bindings
Closes: 729331 734556
Changes:
libvirt (0.9.12.3-1) stable-security; urgency=medium
.
* [0a01d0a] New upstream version 0.9.12.3
Fixes CVE-2013-6458 and CVE-2014-1447
(Closes: #734556)
* [43817d5] Don't fail chmod/chdir if a file doesn't exist.
* [753faf6] Check correct dirs for existence (Closes: #729331)
* [3ed9278] Update symbols
.
libvirt (0.9.12.2-1) wheezy-proposed-updates; urgency=low
.
* [77a7135] Adjust gbp.conf for Wheezy point releases
* [b457e3f] New upstream version 0.9.12.1
* [ae6e265] New upstream version 0.9.12.2
* [2d07b5c] Drop patches fixed upstream.
Include-stdint.h-for-uint32_t.patch
Revert-rpc-Discard-non-blocking-calls-only-when-nece.patch
fix-leak-virStorageBackendLogicalMakeVol.patch
qemu-Add-support-for-no-user-config.patch
qemu-Fix-off-by-one-error-while-unescaping-monitor-s.patch
rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
security/CVE-2012-3445.patch
security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch
security/security-Fix-libvirtd-crash-possibility.patch
upstream/Fix-libvirtd-crash-when-destroying-a-domain-with-att.patch
upstream/Fix-race-condition-when-destroying-guests.patch
Checksums-Sha1:
fe62aa19c8610e2eb6297479ecfea650423a9fa4 2290 libvirt_0.9.12.3-1.dsc
73e72812a3d3c1a096b515dc01803bdbff7c595a 19576862 libvirt_0.9.12.3.orig.tar.gz
f2fc688790c8ddc2a78ffda44a19b2184360d48d 37957 libvirt_0.9.12.3-1.debian.tar.gz
53de06026213246da78804bf8e581f2cb314cd4c 2190468 libvirt-doc_0.9.12.3-1_all.deb
371e0c3b63aae1fd15ec7171f57a95312e74c160 2500248 libvirt-bin_0.9.12.3-1_i386.deb
7a4fc2bd552e88672394cb00326b4dbf6f2ad643 2135130 libvirt0_0.9.12.3-1_i386.deb
b21540107d1b2ee816f2c3695f5798ffa0ba61b2 7851842 libvirt0-dbg_0.9.12.3-1_i386.deb
42807187658e88a3cd9434cd76908417efe9e670 2514934 libvirt-dev_0.9.12.3-1_i386.deb
162fe6e4944e33baa72f088f3db306cfacc1f10b 1432330 python-libvirt_0.9.12.3-1_i386.deb
Checksums-Sha256:
98ef20adac7c3b2b0c1174a57c0b6aeb24a95ed4b1f2d4b4d61f09bb5eee598a 2290 libvirt_0.9.12.3-1.dsc
404afb7fdd23d8f36645cffc77fecfed40d60617f8bcae707ac3b9f7925fc0fb 19576862 libvirt_0.9.12.3.orig.tar.gz
6b6123ef81c63b0c443965784581fad9a315f76731fbef885b786abffa42643c 37957 libvirt_0.9.12.3-1.debian.tar.gz
82f1888ff877ce6c6843e1985ca3d854185186c926494adbd9fd8394d6c30ccf 2190468 libvirt-doc_0.9.12.3-1_all.deb
bfa06a08cb3a01e06186833985707b6c3d651eae29a394cba3e6b6a47b185233 2500248 libvirt-bin_0.9.12.3-1_i386.deb
62b4b81befa01db6fb042173f13087fafc75850c0d50acf1f2bb3ccd8fd1cc8b 2135130 libvirt0_0.9.12.3-1_i386.deb
dde1ec326bc050a3ea3a74f5ea5fda2530e43aecd0bf504d071892685c1fb8bb 7851842 libvirt0-dbg_0.9.12.3-1_i386.deb
3f9abeae8209af2a6df60a3050eabf24bc29257c8f9a9e19f9f916bdd61c6c82 2514934 libvirt-dev_0.9.12.3-1_i386.deb
99f6d25202997a77dad95312f8e54919c2250147036d14943dd146e49f819105 1432330 python-libvirt_0.9.12.3-1_i386.deb
Files:
f84d1e8622b2b1f3a04d2100fea044af 2290 libs optional libvirt_0.9.12.3-1.dsc
0f596bceec120df4cd5aecb8f0128d5d 19576862 libs optional libvirt_0.9.12.3.orig.tar.gz
fb20bdca06c39f20b062fd15a03e4490 37957 libs optional libvirt_0.9.12.3-1.debian.tar.gz
f1169e17159ae16860318710276a6b75 2190468 doc optional libvirt-doc_0.9.12.3-1_all.deb
bcf0058d65185c0fb39431f09ada8d8a 2500248 admin optional libvirt-bin_0.9.12.3-1_i386.deb
df5b3860600ca2d4972d86d8b3d9bdab 2135130 libs optional libvirt0_0.9.12.3-1_i386.deb
20e4fb90d342a6fd9a9b1337bae33fde 7851842 debug extra libvirt0-dbg_0.9.12.3-1_i386.deb
8525d062646d5782855c289086070250 2514934 libdevel optional libvirt-dev_0.9.12.3-1_i386.deb
25131a9f7e3f6b681c4d4f647e389465 1432330 python optional python-libvirt_0.9.12.3-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iD8DBQFS2Fbkn88szT8+ZCYRAmPUAJ9w4AQDJdRuauPAyyhGcHjCGwaWEACfRgMP
fz6S7i0qXXYr19S9A83Viks=
=KFx/
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Thu, 20 Feb 2014 07:32:29 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:00:02 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.