Bugzilla – Bug 1213447
VUL-0: CVE-2023-3750: libvirt: improper locking in virStoragePoolObjListSearch may lead to denial of service
Last modified: 2023-09-11 17:00:24 UTC
CVE-2023-3750
virtqemud may get SIGABRT when running the pool-list & vol-info cmds for an rbd pool. An unprivileged user with RO connection can cause the daemon to crash.
Upstream patch:
  https://listman.redhat.com/archives/libvir-list/2023-July/240776.html
References:
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3750
  https://bugzilla.redhat.com/show_bug.cgi?id=2222210
This bug affects libvirt 8.3.0 and newer, so SLE15 SP5 and Factory/TW. I'll add the patch to those libvirt packages once it's committed upstream.
I've backported the patch to the Factory and SLE15 SP5 libvirt packages. Submissions have been sent. Passing the bug to security...
This is an autogenerated message for OBS integration: This bug (1213447) was mentioned in
  https://build.opensuse.org/request/show/1099805 Factory / libvirt
SUSE-SU-2023:3043-1: An update that solves one vulnerability and has one fix can now be installed.
Category: security (moderate)
Bug References: 1213352, 1213447
CVE References: CVE-2023-3750
Sources used:
  openSUSE Leap 15.5 (src): libvirt-9.0.0-150500.6.11.1
  Basesystem Module 15-SP5 (src): libvirt-9.0.0-150500.6.11.1
  Server Applications Module 15-SP5 (src): libvirt-9.0.0-150500.6.11.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.