Debian Bug report logs -
#623222
CVE-2011-1486: Error handling not thread-safe
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Mon, 18 Apr 2011 13:48:01 UTC
Severity: important
Tags: security
Fixed in version libvirt/0.8.3-5+squeeze2
Done: Guido Günther <agx@sigxcpu.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#623222; Package libvirt.
(Mon, 18 Apr 2011 13:48:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>.
(Mon, 18 Apr 2011 13:48:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libvirt
Severity: important
Tags: security
Hi,
please see https://bugzilla.redhat.com/show_bug.cgi?id=693391
and https://www.redhat.com/archives/libvir-list/2011-March/msg01087.html
This doesn't seem grave enough to warrant a DSA, it could either
be fixed through s-p-u or coupled with a possible future DSA
for libvirt.
Cheers,
Moritz
-- System Information:
Debian Release: 5.0.1
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.32-ucs37-amd64
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#623222; Package libvirt.
(Sun, 24 Apr 2011 08:15:38 GMT) (full text, mbox, link).
Acknowledgement sent
to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>.
(Sun, 24 Apr 2011 08:15:39 GMT) (full text, mbox, link).
Message #10 received at 623222@bugs.debian.org (full text, mbox, reply):
notfound 623222 libvirt/0.9.0-1
thanks
Hi Moritz,
On Mon, Apr 18, 2011 at 03:45:06PM +0200, Moritz Muehlenhoff wrote:
> Package: libvirt
> Severity: important
> Tags: security
>
> Hi,
> please see https://bugzilla.redhat.com/show_bug.cgi?id=693391
> and https://www.redhat.com/archives/libvir-list/2011-March/msg01087.html
>
> This doesn't seem grave enough to warrant a DSA, it could either
> be fixed through s-p-u or coupled with a possible future DSA
> for libvirt.
Just for the record: upstream's fix is in 0.9.0 already. BTW Does tagging
the bugs as found/notfound update the affected versions at
https://bugzilla.redhat.com/show_bug.cgi?id=693391
automatically?
Cheers,
-- Guido
>
> Cheers,
> Moritz
>
> -- System Information:
> Debian Release: 5.0.1
> Architecture: amd64 (x86_64)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.32-ucs37-amd64
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
>
>
>
> _______________________________________________
> Pkg-libvirt-maintainers mailing list
> Pkg-libvirt-maintainers@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-libvirt-maintainers
>
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#623222; Package libvirt.
(Wed, 27 Apr 2011 19:54:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>.
(Wed, 27 Apr 2011 19:54:05 GMT) (full text, mbox, link).
Message #15 received at 623222@bugs.debian.org (full text, mbox, reply):
Hi Guido,
> Just for the record: upstream's fix is in 0.9.0 already.
Ok, I've updated the tracker.
> BTW Does tagging
> the bugs as found/notfound update the affected versions at
>
> https://bugzilla.redhat.com/show_bug.cgi?id=693391
We don't update the Red Hat bugzilla, no :-)
Did you mean http://security-tracker.debian.org/tracker/CVE-2011-1486 ?
If you want to update version-specific entries (like "Squeeze is not
affected, since the code isn't there yet") simply use
http://security-tracker.debian.org/tracker/data/report
Alternatively we can also give you write access to the Debian Security
Tracker as described here:
http://svn.debian.org/wsvn/secure-testing/doc/narrative_introduction?op=file&rev=0&sc=0
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#623222; Package libvirt.
(Fri, 29 Apr 2011 19:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>.
(Fri, 29 Apr 2011 19:21:05 GMT) (full text, mbox, link).
Message #20 received at 623222@bugs.debian.org (full text, mbox, reply):
Hi Moritz,
On Wed, Apr 27, 2011 at 09:51:55PM +0200, Moritz Muehlenhoff wrote:
> Hi Guido,
>
> > Just for the record: upstream's fix is in 0.9.0 already.
>
> Ok, I've updated the tracker.
>
> > BTW Does tagging
> > the bugs as found/notfound update the affected versions at
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=693391
>
> We don't update the Red Hat bugzilla, no :-)
I figure you don't. C'n'p screwup, sorry.
> Did you mean http://security-tracker.debian.org/tracker/CVE-2011-1486 ?
Exactly.
> If you want to update version-specific entries (like "Squeeze is not
> affected, since the code isn't there yet") simply use
> http://security-tracker.debian.org/tracker/data/report
Great thanks!
> Alternatively we can also give you write access to the Debian Security
> Tracker as described here:
> http://svn.debian.org/wsvn/secure-testing/doc/narrative_introduction?op=file&rev=0&sc=0
I'll have a look.
Cheers,
-- Guido
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>:
Bug#623222; Package libvirt.
(Tue, 12 Jul 2011 21:27:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>.
(Tue, 12 Jul 2011 21:27:11 GMT) (full text, mbox, link).
Message #25 received at 623222@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, Apr 18, 2011 at 03:45:06PM +0200, Moritz Muehlenhoff wrote:
> Package: libvirt
> Severity: important
> Tags: security
>
> Hi,
> please see https://bugzilla.redhat.com/show_bug.cgi?id=693391
> and https://www.redhat.com/archives/libvir-list/2011-March/msg01087.html
>
> This doesn't seem grave enough to warrant a DSA, it could either
> be fixed through s-p-u or coupled with a possible future DSA
> for libvirt.
Attached is a fix for stable.
-- Guido
[0002-Make-error-reporting-in-libvirtd-thread-safe.patch (text/x-diff, attachment)]
Reply sent
to Guido Günther <agx@sigxcpu.org>:
You have taken responsibility.
(Tue, 19 Jul 2011 20:03:10 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer.
(Tue, 19 Jul 2011 20:03:10 GMT) (full text, mbox, link).
Message #30 received at 623222-close@bugs.debian.org (full text, mbox, reply):
Source: libvirt
Source-Version: 0.8.3-5+squeeze2
We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive:
libvirt-bin_0.8.3-5+squeeze2_i386.deb
to main/libv/libvirt/libvirt-bin_0.8.3-5+squeeze2_i386.deb
libvirt-dev_0.8.3-5+squeeze2_i386.deb
to main/libv/libvirt/libvirt-dev_0.8.3-5+squeeze2_i386.deb
libvirt-doc_0.8.3-5+squeeze2_all.deb
to main/libv/libvirt/libvirt-doc_0.8.3-5+squeeze2_all.deb
libvirt0-dbg_0.8.3-5+squeeze2_i386.deb
to main/libv/libvirt/libvirt0-dbg_0.8.3-5+squeeze2_i386.deb
libvirt0_0.8.3-5+squeeze2_i386.deb
to main/libv/libvirt/libvirt0_0.8.3-5+squeeze2_i386.deb
libvirt_0.8.3-5+squeeze2.debian.tar.gz
to main/libv/libvirt/libvirt_0.8.3-5+squeeze2.debian.tar.gz
libvirt_0.8.3-5+squeeze2.dsc
to main/libv/libvirt/libvirt_0.8.3-5+squeeze2.dsc
python-libvirt_0.8.3-5+squeeze2_i386.deb
to main/libv/libvirt/python-libvirt_0.8.3-5+squeeze2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 623222@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvirt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 13 Jul 2011 20:32:22 +0200
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev python-libvirt
Architecture: source all i386
Version: 0.8.3-5+squeeze2
Distribution: stable-security
Urgency: low
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Description:
libvirt-bin - the programs for the libvirt library
libvirt-dev - development files for the libvirt library
libvirt-doc - documentation for the libvirt library
libvirt0 - library for interfacing with different virtualization systems
libvirt0-dbg - library for interfacing with different virtualization systems
python-libvirt - libvirt Python bindings
Closes: 623222 633630
Changes:
libvirt (0.8.3-5+squeeze2) stable-security; urgency=low
.
* [ac67c93] CVE-2011-1486: Make error reporting in libvirtd thread safe
(Closes: #623222)
* [eafb3d8] CVE-2011-2511: Fix integer overflow in VirDomainGetVcpus
(Closes: #633630)
Checksums-Sha1:
612aec4fb52c4a37ebe29da5ed764ca46441dd6b 1910 libvirt_0.8.3-5+squeeze2.dsc
5f66c739c7ccdb0570391d1068b0f4328e3c962c 36665 libvirt_0.8.3-5+squeeze2.debian.tar.gz
09c2f167f3328e6250d4c0eb66f6e44bc903d68d 1120066 libvirt-doc_0.8.3-5+squeeze2_all.deb
f63221e799ffdbf3ff3aa9f3b722d8bc428c08e1 1022934 libvirt-bin_0.8.3-5+squeeze2_i386.deb
1dca52c4eb8791c8f9708d543035a8bcc522b381 955230 libvirt0_0.8.3-5+squeeze2_i386.deb
63fd122e8a5f85b7be23c3a138988c43187cdb5b 3046518 libvirt0-dbg_0.8.3-5+squeeze2_i386.deb
859920380a64ae299e6be5fd4992050009efa259 1176804 libvirt-dev_0.8.3-5+squeeze2_i386.deb
b9fee74eb56130f0edfdaf1981bab756d4e4c315 440234 python-libvirt_0.8.3-5+squeeze2_i386.deb
Checksums-Sha256:
1dd3353f681f461715f070e9aeb76a123d96d5db3c8cd288345c910bb139f292 1910 libvirt_0.8.3-5+squeeze2.dsc
0017f45875038570c7c5dade0f6f65150c86649eeaad0643331ea433f3fadc38 36665 libvirt_0.8.3-5+squeeze2.debian.tar.gz
1f65fc9bb93af4505144f311a0607681a22d8cba5ef9121749889d162a947736 1120066 libvirt-doc_0.8.3-5+squeeze2_all.deb
9e4c43002eba19ec694e2cb35f684f63ce76083e4016e2881bc2140f44cf0976 1022934 libvirt-bin_0.8.3-5+squeeze2_i386.deb
67dd72a45528461a97f15015fa8472560d80b3c7a5cc1710ae22f86920a345d6 955230 libvirt0_0.8.3-5+squeeze2_i386.deb
4b596b3bf584e29818a528df9cab788beaec273247eea53f10101e6c34f1f6d6 3046518 libvirt0-dbg_0.8.3-5+squeeze2_i386.deb
cedfe972c987c659e73d5a25a0da1a412c333d7347bbaf0a82b281f04e12de4f 1176804 libvirt-dev_0.8.3-5+squeeze2_i386.deb
e6512eda17b4e7f418f707d6e2d9825992af3af9a1d09dde7e72840467bd91a2 440234 python-libvirt_0.8.3-5+squeeze2_i386.deb
Files:
6ed4c950f68e03ea10e2631a8c406b40 1910 libs optional libvirt_0.8.3-5+squeeze2.dsc
d3983d7de34e8a42692118db83b6bd79 36665 libs optional libvirt_0.8.3-5+squeeze2.debian.tar.gz
3f4ae27e7a6e605a5d7bf85118ef326d 1120066 doc optional libvirt-doc_0.8.3-5+squeeze2_all.deb
ea046ebf07198a6ff7b197c387e64092 1022934 admin optional libvirt-bin_0.8.3-5+squeeze2_i386.deb
134d3387a30d9acbc01bf0852bfff67a 955230 libs optional libvirt0_0.8.3-5+squeeze2_i386.deb
4872315a9e1dcb7b9ba2c2aedce0d8f8 3046518 debug extra libvirt0-dbg_0.8.3-5+squeeze2_i386.deb
5aafaca4b04abd96d61e1a56dcbe11c5 1176804 libdevel optional libvirt-dev_0.8.3-5+squeeze2_i386.deb
efca68131ea54e55cfbf22145cda09a6 440234 python optional python-libvirt_0.8.3-5+squeeze2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFOId+Un88szT8+ZCYRAsy0AJ9oZIY0Yr8hFTViF4QXWtHywOyDsACdFMLg
OgqSRdNhPjLqO9zNULMfOyA=
=SjLM
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 01 Oct 2011 07:34:34 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:27:15 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon