Bugzilla – Bug 897783
VUL-1: CVE-2014-3633: libvirt: qemu: out-of-bounds read access in qemuDomainGetBlockIoTune() due to invalid index
Last modified: 2015-03-25 15:58:58 UTC
via rh bugzilla and libvirt: It was found that when a disk is attached to a disk "live" (thus not written into the persistent configuration) and then the statistics for the disks are requested from the persistent configuration, the index into the array is determined from the live configuration but used in the persistent one. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process. Acknowledgements: This issue was discovered by Luyao Huang of Red Hat. http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=3e745e8f775dfe6f64f18b5c2fe4791b35d3546b;hp=281f70013e9d6fff7f2d4b55f5133a837f023190 https://bugzilla.redhat.com/show_bug.cgi?id=1141131
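The bug class described in the report above, modelled as an added example (this is hypothetical C, not libvirt's code; the struct names, the disk targets vda/vdb/vdc and the throttle values are constructed for illustration). The vulnerable function resolves the array index against the live definition and then indexes the persistent definition with it; the fixed function resolves the index against the same definition it indexes. Two constructed scenarios show the two outcomes the advisory mentions: an index past the end of the persistent array (a crash in the real code; refused here instead of dereferenced), and an in-range but wrong index that silently returns another disk's values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a domain disk definition (not libvirt's types). */
typedef struct {
    const char *dst;              /* target name, e.g. "vda" */
    long read_bytes_sec;          /* one I/O tune value, constructed */
} disk_t;

typedef struct {
    disk_t *disks;
    size_t ndisks;
} disk_def_t;

/* Constructed sample data: persistent config has two disks. */
static disk_t persistent_disks[] = { {"vda", 1000}, {"vdb", 2000} };
/* Live config after hot-plugging vdc (not written to persistent config). */
static disk_t live_hotplug_disks[] = { {"vda", 1000}, {"vdb", 2000}, {"vdc", 3000} };
/* Live config after detaching vdb and hot-plugging vdc: same length as
   persistent, but index 1 now names a different disk. */
static disk_t live_swapped_disks[] = { {"vda", 1000}, {"vdc", 3000} };

const disk_def_t PERSISTENT   = { persistent_disks,   sizeof persistent_disks   / sizeof persistent_disks[0] };
const disk_def_t LIVE_HOTPLUG = { live_hotplug_disks, sizeof live_hotplug_disks / sizeof live_hotplug_disks[0] };
const disk_def_t LIVE_SWAPPED = { live_swapped_disks, sizeof live_swapped_disks / sizeof live_swapped_disks[0] };

/* Index of the disk named dst within def, or -1 if absent. */
static int find_disk_index(const disk_def_t *def, const char *dst) {
    for (size_t i = 0; i < def->ndisks; i++)
        if (strcmp(def->disks[i].dst, dst) == 0)
            return (int)i;
    return -1;
}

/* VULNERABLE pattern: index found in `live`, used on `persistent`.
   Returns the tune value (>= 0), -1 if dst is not in live, or -2 when the
   index would fall outside persistent->disks, i.e. the out-of-bounds read
   from the advisory; this model refuses to perform that read. */
long get_iotune_vuln(const disk_def_t *live, const disk_def_t *persistent, const char *dst) {
    int idx = find_disk_index(live, dst);
    if (idx < 0)
        return -1;
    if ((size_t)idx >= persistent->ndisks)
        return -2;
    return persistent->disks[idx].read_bytes_sec;
}

/* FIXED pattern: look the index up in the definition that is indexed.
   Returns the tune value (>= 0) or -1 if dst is not in def. */
long get_iotune_fixed(const disk_def_t *def, const char *dst) {
    int idx = find_disk_index(def, dst);
    if (idx < 0)
        return -1;
    return def->disks[idx].read_bytes_sec;
}

int main(void) {
    printf("hotplug, vuln:  vdc -> %ld (expect -2: out of bounds)\n",
           get_iotune_vuln(&LIVE_HOTPLUG, &PERSISTENT, "vdc"));
    printf("hotplug, fixed: vdc -> %ld (expect -1: not in persistent)\n",
           get_iotune_fixed(&PERSISTENT, "vdc"));
    printf("swapped, vuln:  vdc -> %ld (expect 2000: vdb's value, wrong disk)\n",
           get_iotune_vuln(&LIVE_SWAPPED, &PERSISTENT, "vdc"));
    printf("swapped, fixed: vdc -> %ld (expect -1)\n",
           get_iotune_fixed(&PERSISTENT, "vdc"));
    return 0;
}
```

The second scenario is the one a bounds check alone would not catch: the index is valid for the persistent array, so the caller gets a well-formed answer for the wrong disk. The only robust fix is the one the upstream commit takes in spirit, resolving the name against the definition that will actually be read.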
I've already fixed this in SLE12 RC4/GMC (SR#44409), SLE11 SP3, Factory (SR#251486), 13.1, and even 12.3!
This is an autogenerated message for OBS integration: This bug (897783) was mentioned in https://build.opensuse.org/request/show/251486 Factory / libvirt
Thanks Jim, then we can just close this again. :)
What about SLES11 SP3? Should I just queue the fix for a future virt tools update? WRT openSUSE12.3 and 13.1, IMO it is fine to wait until the embargo lifts on the newest issue (CVE-2014-3657), and submit updates that include fixes for both CVEs.
You wrote "I already fixed this for SLES 11 SP3..."? What did that mean? We have not published updates, or did we?
Affected packages: SLE-11-SP3: libvirt SLE-11-SP3-PRODUCTS: libvirt SLE-11-SP3-UPTU: libvirt SLE-12: libvirt
Sorry for the confusion. By fixed, I meant the fix has been applied to the libvirt package in the various devel projects, e.g. IBS Devel:Virt:{SLE-12,SLE-11-SP3}, OBS Virtualization:openSUSE13.1, etc. But only the SLE12 and Factory packages have been submitted.
> We have not published updates, or did we? No, updates have not been published. And as I wrote in #5, we should wait for CVE-2014-3657 embargo to lift before doing so.
Ok, CVE-2014-3657 is now public. I've added a fix for it, and this CVE, to all affected libvirt packages. For openSUSE12.3, started maintenancereq #253679 For openSUSE13.1, started maintenancereq #253680 For SLE11 SP3, have the fix queued for a future maintenance update Fix is already included in SLE12 GA Factory is not affected since the fix is included in libvirt 1.2.9 AFAIK, I'm done here. Passing bug to security...
SUSE-SU-2015:0357-1: An update that solves 6 vulnerabilities and has 9 fixes is now available. Category: security (moderate) Bug References: 843074,852397,878350,879665,897654,897783,899144,899484,900084,904176,905097,907805,908381,910145,911742 CVE References: CVE-2014-3633,CVE-2014-3640,CVE-2014-3657,CVE-2014-7823,CVE-2014-7840,CVE-2014-8106 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): libvirt-1.0.5.9-0.19.3, libvirt-1.0.5.9-0.19.6 SUSE Linux Enterprise Server 11 SP3 (src): kvm-1.4.2-0.21.4, kvm-1.4.2-0.21.5, libvirt-1.0.5.9-0.19.3, libvirt-1.0.5.9-0.19.5, libvirt-1.0.5.9-0.19.6 SUSE Linux Enterprise Desktop 11 SP3 (src): kvm-1.4.2-0.21.4, libvirt-1.0.5.9-0.19.3
The openSUSE updates didn't show up here for some reason, but they were released. SLES is also fixed.