Bug 857492 (CVE-2013-6458)

Summary: VUL-0: CVE-2013-6458: libvirtd: qemu job usage issue in several API leading to libvirtd crash
Product: [Novell Products] SUSE Security Incidents Reporter: Sebastian Krahmer <krahmer>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: jdouglas, jfehlig, meissner, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:sle11-sp3:56202
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 1 Swamp Workflow Management 2014-01-06 23:00:30 UTC
bugbot adjusting priority
Comment 2 James Fehlig 2014-01-27 19:10:58 UTC
This issue affects openSUSE12.3, 13.1, and Factory, plus SLES11 SP3 and SLES12.  For Factory and SLES12, the issue is fixed by updating to libvirt 1.2.1.  For openSUSE13.1, I've backported the patches and have them queued for a future maintenance update in


For openSUSE12.3 


For SLES11 SP3, the issue is fixed in latest stable release, which I've added to our SP3 libvirt package


This issue also affects SLES11 SP2, but I'd rather avoid fixing it there if possible.  Is a fix for SLES11 SP2 required?
Comment 3 Swamp Workflow Management 2014-01-28 08:27:05 UTC
The SWAMPID for this issue is 56039.
This issue was rated as moderate.
Please submit fixed packages until 2014-02-11.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 James Fehlig 2014-02-11 05:36:25 UTC
I've submitted an updated libvirt package for the affected products.

SLES11SP3: submitreq#32278
openSUSE12.3: maintenancerequest#221742
openSUSE13.1: maintenancerequest#221743

Handing bug over to security.

Security:  For SLES11 SP3 SWAMPID#56039, can we also include the updated libvirt perl binding submitted via SR#28929?  Thanks!
Comment 7 James Fehlig 2014-02-11 05:37:15 UTC
Forgot to add myself to the cc list...
Comment 9 Marcus Meissner 2014-02-19 16:57:10 UTC
SLE11 SP1 and SLE10 SP4 and older do not have the code, so are not affected.
Comment 10 Swamp Workflow Management 2014-02-21 17:05:17 UTC
openSUSE-SU-2014:0268-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 817407,857271,857492,858817,858824,859041,859051
CVE References: CVE-2013-6457,CVE-2013-6458,CVE-2014-0028,CVE-2014-1447
Sources used:
openSUSE 13.1 (src):    libvirt-1.1.2-2.18.3
Comment 11 Swamp Workflow Management 2014-02-21 17:06:23 UTC
openSUSE-SU-2014:0270-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 857492,858817
CVE References: CVE-2013-6458,CVE-2014-1447
Sources used:
openSUSE 12.3 (src):    libvirt-1.0.2-1.14.1
Comment 12 Swamp Workflow Management 2014-03-03 09:52:47 UTC
Update released for: libvirt, libvirt-client, libvirt-client-32bit, libvirt-client-64bit, libvirt-client-x86, libvirt-debuginfo, libvirt-debugsource, libvirt-devel, libvirt-devel-32bit, libvirt-devel-64bit, libvirt-doc, libvirt-lock-sanlock, libvirt-python
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
Comment 13 Swamp Workflow Management 2014-03-03 13:04:35 UTC
SUSE-SU-2014:0318-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 817407,857492,858817
CVE References: CVE-2013-6458,CVE-2014-1447
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    libvirt-
SUSE Linux Enterprise Server 11 SP3 (src):    libvirt-
SUSE Linux Enterprise Desktop 11 SP3 (src):    libvirt-