Bug 857492 - (CVE-2013-6458) VUL-0: CVE-2013-6458: libvirtd: qemu job usage issue in several API leading to libvirtd crash
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Whiteboard: maint:released:sle11-sp3:56202
Reported: 2014-01-06 08:47 UTC by Sebastian Krahmer
Modified: 2015-02-19 01:45 UTC
CC: 4 users

Found By: Security Response Team
Comment 1 Swamp Workflow Management 2014-01-06 23:00:30 UTC
bugbot adjusting priority
Comment 2 James Fehlig 2014-01-27 19:10:58 UTC
This issue affects openSUSE12.3, 13.1, and Factory, plus SLES11 SP3 and SLES12.  For Factory and SLES12, the issue is fixed by updating to libvirt 1.2.1.  For openSUSE13.1, I've backported the patches and have them queued for a future maintenance update in

https://build.opensuse.org/package/show/Virtualization:openSUSE13.1/libvirt

For openSUSE12.3 

https://build.opensuse.org/package/show/Virtualization:openSUSE12.3/libvirt

For SLES11 SP3, the issue is fixed in latest 1.0.5.9 stable release, which I've added to our SP3 libvirt package

https://build.suse.de/package/show/Devel:Virt:SLE-11-SP3/libvirt

This issue also affects SLES11 SP2, but I'd rather avoid fixing it there if possible.  Is a fix for SLES11 SP2 required?
Comment 3 Swamp Workflow Management 2014-01-28 08:27:05 UTC
The SWAMPID for this issue is 56039.
This issue was rated as moderate.
Please submit fixed packages until 2014-02-11.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 James Fehlig 2014-02-11 05:36:25 UTC
I've submitted an updated libvirt package for the affected products.

SLES11SP3: submitreq#32278
openSUSE12.3: maintenancerequest#221742
openSUSE13.1: maintenancerequest#221743

Handing bug over to security.

Security:  For SLES11 SP3 SWAMPID#56039, can we also include the updated libvirt perl binding submitted via SR#28929?  Thanks!
Comment 7 James Fehlig 2014-02-11 05:37:15 UTC
Forgot to add myself to the cc list...
Comment 9 Marcus Meissner 2014-02-19 16:57:10 UTC
SLE11 SP1 and SLE10 SP4 and older do not have the code, so are not affected.
Comment 10 Swamp Workflow Management 2014-02-21 17:05:17 UTC
openSUSE-SU-2014:0268-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 817407,857271,857492,858817,858824,859041,859051
CVE References: CVE-2013-6457,CVE-2013-6458,CVE-2014-0028,CVE-2014-1447
Sources used:
openSUSE 13.1 (src):    libvirt-1.1.2-2.18.3
Comment 11 Swamp Workflow Management 2014-02-21 17:06:23 UTC
openSUSE-SU-2014:0270-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 857492,858817
CVE References: CVE-2013-6458,CVE-2014-1447
Sources used:
openSUSE 12.3 (src):    libvirt-1.0.2-1.14.1
Comment 12 Swamp Workflow Management 2014-03-03 09:52:47 UTC
Update released for: libvirt, libvirt-client, libvirt-client-32bit, libvirt-client-64bit, libvirt-client-x86, libvirt-debuginfo, libvirt-debugsource, libvirt-devel, libvirt-devel-32bit, libvirt-devel-64bit, libvirt-doc, libvirt-lock-sanlock, libvirt-python
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
Comment 13 Swamp Workflow Management 2014-03-03 13:04:35 UTC
SUSE-SU-2014:0318-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 817407,857492,858817
CVE References: CVE-2013-6458,CVE-2014-1447
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    libvirt-1.0.5.9-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src):    libvirt-1.0.5.9-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    libvirt-1.0.5.9-0.7.1
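The advisories in comments 10, 11 and 13 name the exact libvirt source build that carries the CVE-2013-6458 fix for each product. Because SUSE backports fixes without bumping the upstream version (SLE 11 SP3 stays at 1.0.5.9, openSUSE 13.1 at 1.1.2), the only reliable local check is to compare the installed package's full version-release against that build with RPM's own ordering rules. The following script is an added example written for this page; it is not part of the bug, the advisories, or libvirt. It reimplements the rpmvercmp segment comparison in Python, parses plain `rpm -q libvirt` output, and looks the product up in a table built from the "Sources used" lines above. The product keys, the `check_host` helper and the sample `rpm -q` lines are constructed for the example; Factory and SLES 12 are left out of the table because comment 2 gives only "1.2.1" for them, with no release tag to compare against.

```python
"""Check whether an installed SUSE/openSUSE libvirt package is at or above
the build that fixed CVE-2013-6458.

Added example for this bug page, not code from the bug, SUSE or libvirt.
Fixed version-release strings come from the advisories quoted above
(openSUSE-SU-2014:0268-1, openSUSE-SU-2014:0270-1, SUSE-SU-2014:0318-1).
"""
import re

# Product name (key chosen for this example) -> fixed VERSION-RELEASE.
# Binary subpackages share the source package's version-release.
FIXED = {
    "openSUSE 13.1": "1.1.2-2.18.3",
    "openSUSE 12.3": "1.0.2-1.14.1",
    "SLE 11 SP3": "1.0.5.9-0.7.1",
}

# rpmvercmp splits a label into runs of digits, runs of letters and '~';
# every other character is a separator and is ignored.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Compare two RPM version or release strings like rpmvercmp(3).

    Numeric segments compare as integers, alphabetic ones lexically, a
    numeric segment beats an alphabetic one, '~' sorts before anything
    (so 1.0~rc1 < 1.0), and when one side runs out the longer side is
    newer.  The '^' operator of newer rpm releases is not handled.
    Returns -1, 0 or 1.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        xa = sa.pop(0) if sa else None
        xb = sb.pop(0) if sb else None
        if xa == "~" or xb == "~":
            if xa != "~":
                return 1
            if xb != "~":
                return -1
            continue  # both '~': keep going
        if xa is None:
            return -1
        if xb is None:
            return 1
        na, nb = xa.isdigit(), xb.isdigit()
        if na and nb:
            ia, ib = int(xa), int(xb)
            if ia != ib:
                return -1 if ia < ib else 1
        elif na != nb:
            return 1 if na else -1
        elif xa != xb:
            return -1 if xa < xb else 1
    return 0


def vercmp_vr(installed, fixed):
    """Compare two 'VERSION-RELEASE' labels: version first, then release."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    c = rpmvercmp(iv, fv)
    return c if c else rpmvercmp(ir, fr)


def parse_rpm_query(line, name="libvirt"):
    """Turn an 'rpm -q libvirt' line such as 'libvirt-1.0.5.9-0.5.1.x86_64'
    into 'VERSION-RELEASE', dropping the architecture suffix if present."""
    arch = r"(?:\.(?:x86_64|i586|i686|ia64|ppc64|s390x|noarch))?"
    m = re.fullmatch(rf"{re.escape(name)}-([^-]+)-([^-]+?){arch}", line.strip())
    if not m:
        raise ValueError(f"unexpected rpm -q output: {line!r}")
    return f"{m.group(1)}-{m.group(2)}"


def is_fixed(product, installed_vr):
    """True when the installed build is at or above the advisory's fixed
    build for that product.  Unknown products raise KeyError rather than
    silently reporting 'fixed'."""
    return vercmp_vr(installed_vr, FIXED[product]) >= 0


def check_host(product, rpm_line):
    """Helper for this example: (installed_vr, fixed_vr, patched?)."""
    installed = parse_rpm_query(rpm_line)
    return installed, FIXED[product], is_fixed(product, installed)


if __name__ == "__main__":
    # Constructed sample 'rpm -q libvirt' output, not captured from real hosts.
    hosts = [
        ("SLE 11 SP3", "libvirt-1.0.5.9-0.5.1.x86_64"),   # pre-update build
        ("SLE 11 SP3", "libvirt-1.0.5.9-0.7.1.x86_64"),   # advisory build
        ("openSUSE 13.1", "libvirt-1.1.2-2.18.3.x86_64"),
        ("openSUSE 12.3", "libvirt-1.0.2-1.13.5.i586"),
    ]
    for product, line in hosts:
        inst, fixed, ok = check_host(product, line)
        print(f"{product}: installed {inst}, fixed {fixed}: "
              f"{'patched' if ok else 'VULNERABLE'}")
```

Comparing on version alone would report the pre-update SLE 11 SP3 build (1.0.5.9-0.5.1) as fixed, which is why the release tag is part of the comparison. The check says nothing about SLE 11 SP2, which comment 2 lists as affected and for which no update appears on this page.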