Re: CVE request -- libvirt: double free of returned JSON array in qemuAgentGetVCPUs()

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/19/2013 10:12 AM, Petr Matousek wrote:
> A part of the returned monitor response was freed twice and caused
> crashes of the daemon when using guest agent cpu count retrieval.
>
> A remote user able to issue commands to libvirt daemon could use this
> flaw to crash libvirtd or, potentially, escalate their privileges to
> that of libvirtd process.
>
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=986383
> https://bugzilla.redhat.com/show_bug.cgi?id=984821
> https://www.redhat.com/archives/libvir-list/2013-July/msg01035.html
>
> Upstream fix:
> http://libvirt.org/git/?p=libvirt.git;a=commit;h=dfc692350a04a70b4ca65667c30869b3bfdaf034
>
> Thanks,

Please use CVE-2013-4153 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR6W7sAAoJEBYNRVNeJnmTU0wP/0hqjTDC4k/q78f6dYuyUWub
dY+rtYt6tFI75ZZU68bmVO6WG6Z+mCB6eIhuD/ZbhHJfTjh3wscANZMe4u+rjTvq
ST0WuDZqX1eSmLoqIodeUD99Dq8Kp5xq1coFV/E8Oc+RqVsvCcK5nBWElCC/F9zY
aEI/1PU6govarwQpEd2lsydBmskRba2C+HBrCbdsQ8lLxyi+t6Jm+uSL0MrJ71zK
LOacxslYkhBUKnRgAq4f32rAFblTF3wOt8Ylq3aiwyM8Fq+3w7tc5c51lcfRrqIq
lh/O3UmjeJAmFvAQ6QT8uQagcC48awBl4LL5PtgsJk7vSrvqG6vuFbAIEJpH11l/
qTdg+cBkMf2Pa/TuaaFO+YfQ5b5hHiXbtcWRaTIPZG2jNnfEEGRtXTeXrCkcPypO
tIHGnDDqfr16D+rA6RvALiwGM2L43sJdCOgEd2XyuHdVTEuDcUYn16oLcBfnpy+f
e6QCojZ2abzETPBE+yDCLY29qI099dOQPJGV8QfLoHZrAvfdNT7k4Z+EbnKXYMcH
tJblsh+S6kkTD3atQgzdnui7+Y4V6ekMvgagTwZhl2hiRdh9Az8m3I7tWkSGuxRB
FWEzDIWd+FhFvyCCjt42eOaJrqtsoZHfXMe84hjoxJCW5hC1KG++DlXKUSFJh9q+
sMs1rVbzL2JpniwijU0v
=7o5x
-----END PGP SIGNATURE-----