oss-sec mailing list archives

CVE request -- libvirt: double free of returned JSON array in qemuAgentGetVCPUs()


From: Petr Matousek <pmatouse () redhat com>
Date: Fri, 19 Jul 2013 18:12:57 +0200

A part of the returned monitor response was freed twice and caused
crashes of the daemon when using guest agent cpu count retrieval.

A remote user able to issue commands to the libvirt daemon could use this
flaw to crash libvirtd or, potentially, escalate their privileges to
that of the libvirtd process.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=986383
https://bugzilla.redhat.com/show_bug.cgi?id=984821
https://www.redhat.com/archives/libvir-list/2013-July/msg01035.html

Upstream fix:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=dfc692350a04a70b4ca65667c30869b3bfdaf034

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team
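
The ownership mistake behind this class of double free, as an added example that is not part of the original message and is not libvirt's code. It assumes a reply object that owns its child and a caller holding a borrowed pointer to that child; `node`, `node_new`, `node_free` and `child_free_count` are hypothetical names, and the pool only counts frees so the double free is visible without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not libvirt code. Nodes come from a static pool and
 * "free" only counts, so a double free is observable without UB. */
typedef struct node {
    struct node *child; /* owned by this node */
    int frees;          /* times node_free() reached this node */
} node;

static node pool[2];
static size_t used;

static node *node_new(node *child) {
    node *n = &pool[used++];
    n->child = child;
    n->frees = 0;
    return n;
}

/* Freeing a parent also frees everything it owns. */
static void node_free(node *n) {
    if (!n) return;
    node_free(n->child);
    n->frees++;
}

/* mode 0: buggy, frees the borrowed child and then its owner.
 * mode 1: fixed, frees only the owner.
 * mode 2: fixed, detaches the child first so the caller owns it. */
int child_free_count(int mode) {
    used = 0;
    node *reply = node_new(node_new(NULL));
    node *data = reply->child;          /* borrowed pointer */
    if (mode == 2) reply->child = NULL; /* ownership moves to caller */
    if (mode != 1) node_free(data);
    node_free(reply);
    return data->frees;
}

int main(void) {
    printf("buggy=%d fixed=%d detached=%d\n", child_free_count(0),
           child_free_count(1), child_free_count(2));
    return 0;
}
```

With a real allocator the second release in mode 0 hands an already-freed chunk back to the heap, which is where the crash described in the message comes from.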
