Bug 838638 - (CVE-2013-4296) VUL-1: CVE-2013-4296: libvirt: Fix crash in remoteDispatchDomainMemoryStats
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low; Severity: Normal
Assigned To: Security Team bot
maint:released:sle11-sp3:54640
Reported: 2013-09-05 11:10 UTC by Marcus Meissner
Modified: 2013-11-11 09:22 UTC

Description Marcus Meissner 2013-09-05 11:10:07 UTC
via libvirt security list, NOT YET PUBLIC

CRD 2013-09-17 proposed

From: "Daniel P. Berrange" <berrange@redhat.com>
Subject: [Libvirt-Security] [PATCH] Fix crash in remoteDispatchDomainMemoryStats
Date: Tue,  3 Sep 2013 16:52:06 +0100

From: "Daniel P. Berrange" <berrange@redhat.com>

The 'stats' variable was not initialized to NULL, so if some
early validation of the RPC call fails, it is possible to jump
to the 'cleanup' label and VIR_FREE an uninitialized pointer.
This is a security flaw, since the API can be called from a
readonly connection which can trigger the validation checks.

This was introduced in release v0.9.1 onwards by

  commit 158ba8730e44b7dd07a21ab90499996c5dec080a
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Wed Apr 13 16:21:35 2011 +0100

    Merge all returns paths from dispatcher into single path

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 daemon/remote.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemon/remote.c b/daemon/remote.c
index 1408798..0f015a3 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -1146,7 +1146,7 @@ remoteDispatchDomainMemoryStats(virNetServerPtr server ATTRIBUTE_UNUSED,
                                 remote_domain_memory_stats_ret *ret)
 {
     virDomainPtr dom = NULL;
-    struct _virDomainMemoryStat *stats;
+    struct _virDomainMemoryStat *stats = NULL;
     int nr_stats;
     size_t i;
     int rv = -1;
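Review bot: `int nr_stats;` in the context directly below the changed line is still declared without an initializer. The body of the `cleanup` label is not visible in this hunk, so please confirm that nothing on the early-exit path reads `nr_stats` before it is assigned, or give it an initial value next to `stats`. Since the commit message traces the bug to the change that merged all dispatcher return paths, the other dispatchers in daemon/remote.c that free locals at `cleanup` deserve the same check, and a test that fails validation on a read-only connection would keep this from regressing.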
-- 
1.8.3.1
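
The single-exit pattern the commit message describes, as an added example that is not libvirt code and not part of the original report. It is a hypothetical dispatcher (every name and the MAX_STATS limit are assumptions) whose `cleanup` label releases `stats` on all paths, with the release instrumented so the early-validation path can be checked.

```c
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical stand-ins for illustration; none of these names are libvirt's. */
struct mem_stat { int tag; unsigned long long val; };
#define MAX_STATS 16

static int free_calls;          /* how often cleanup released 'stats' */
static int last_free_was_null;  /* 1 if the last release was handed NULL */

/* Records what the cleanup path passes to free() so it can be inspected. */
static void tracked_free(void *p)
{
    free_calls++;
    last_free_was_null = (p == NULL);
    free(p);                    /* free(NULL) is defined to do nothing */
}

/* Single-exit dispatcher: every failure jumps to one 'cleanup' label. */
int dispatch_memory_stats(int conn_open, unsigned int max_stats, size_t *out_n)
{
    struct mem_stat *stats = NULL;  /* without "= NULL", cleanup frees stack garbage */
    size_t n = 0;
    int rv = -1;

    if (!conn_open)                 /* early validation, before any allocation */
        goto cleanup;
    if (max_stats == 0 || max_stats > MAX_STATS)
        goto cleanup;

    stats = calloc(max_stats, sizeof(*stats));
    if (!stats)
        goto cleanup;
    n = max_stats;
    rv = 0;

cleanup:
    *out_n = n;
    tracked_free(stats);            /* reached on success and on every failure */
    return rv;
}

int main(void)
{
    size_t n;
    /* Constructed input: a request rejected by validation. */
    int rv = dispatch_memory_stats(1, MAX_STATS + 1, &n);
    return (rv == -1 && last_free_was_null) ? 0 : 1;
}
```

Building the variant without the initializer under `-Wall -O2` or a memory sanitizer is a quick way to see whether the toolchain in use would have flagged the original declaration.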
Comment 2 Marcus Meissner 2013-09-05 11:10:41 UTC
CVE-2013-4296
Comment 3 Alexander Bergmann 2013-09-05 12:15:31 UTC
SLE-10-SP4 	Not affected 	0.3.3
SLE-11-SP2 	Affected 	0.9.6 
SLE-11-SP3 	Affected 	1.0.5.4
Comment 4 Alexander Bergmann 2013-09-05 12:58:20 UTC
openSUSE:12.2  Affected  0.9.11.9
openSUSE:12.3  Affected  1.0.2
Comment 7 Swamp Workflow Management 2013-09-05 22:00:18 UTC
bugbot adjusting priority
Comment 8 Sebastian Krahmer 2013-09-10 14:59:26 UTC
It was agreed to pull the CRD forward to Sept 11th
to bundle it with CVE-2013-4311.
Comment 12 Swamp Workflow Management 2013-09-20 15:46:13 UTC
The SWAMPID for this issue is 54477.
This issue was rated as moderate.
Please submit fixed packages until 2013-10-04.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 13 James Fehlig 2013-10-02 21:26:31 UTC
Fixed packages already submitted to SLE11 SP2/3 as noted in #6.  I've now taken care of openSUSE as well.

openSUSE12.2, SR#201960
openSUSE12.3, SR#201961
openSUSE13.1/Factory, SR#201962

I'm done here, reassigning to security team.
Comment 14 Bernhard Wiedemann 2013-10-02 22:00:50 UTC
This is an autogenerated message for OBS integration:
This bug (838638) was mentioned in
https://build.opensuse.org/request/show/201960 12.2 / libvirt
https://build.opensuse.org/request/show/201961 12.3 / libvirt
https://build.opensuse.org/request/show/201962 Factory / libvirt
Comment 15 Swamp Workflow Management 2013-10-15 15:04:42 UTC
openSUSE-SU-2013:1549-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 836931,838638
CVE References: CVE-2013-4296,CVE-2013-4311
Sources used:
openSUSE 12.2 (src):    libvirt-0.9.11.9-1.13.1
Comment 16 Swamp Workflow Management 2013-10-15 15:06:07 UTC
openSUSE-SU-2013:1550-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 810611,820888,836931,837999,838638
CVE References: CVE-2013-4296,CVE-2013-4311,CVE-2013-5651
Sources used:
openSUSE 12.3 (src):    libvirt-1.0.2-1.10.1
Comment 17 Marcus Meissner 2013-11-08 17:11:34 UTC
released
Comment 18 Swamp Workflow Management 2013-11-08 19:50:29 UTC
Update released for: libvirt, libvirt-client, libvirt-client-32bit, libvirt-client-x86, libvirt-debuginfo, libvirt-debugsource, libvirt-devel, libvirt-devel-32bit, libvirt-doc, libvirt-python
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
Comment 19 Swamp Workflow Management 2013-11-08 20:00:05 UTC
Update released for: libvirt, libvirt-client, libvirt-client-32bit, libvirt-client-x86, libvirt-debuginfo, libvirt-debugsource, libvirt-devel, libvirt-devel-32bit, libvirt-doc, libvirt-lock-sanlock, libvirt-python
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)