Re: CVE Request -- libvirt: memory corruption in xenDaemonListDefinedDomains function

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/12/2013 12:19 PM, Petr Matousek wrote:
> Commit 632180d1 introduced memory corruption in 
> xenDaemonListDefinedDomains() by starting to populate the names
> array at index -1, causing all sorts of havoc in libvirtd such as
> aborts like the following
>
> *** Error in `/usr/sbin/libvirtd': double free or corruption
> (out): 0x00007fffe00ccf20 ***
>
> The xenDaemonListDefinedDomains() function is reached by the 
> virConnectListDefinedDomains() public API, which can be used on 
> read-only connections.
>
> Introduced in: libvirt v1.1.1
>
> Introduced by: 
> http://libvirt.org/git/?p=libvirt.git;a=commit;h=632180d1
>
> Fixed by: 
> http://libvirt.org/git/?p=libvirt.git;a=commit;h=0e671a16
>
> Reference: https://bugzilla.redhat.com/show_bug.cgi?id=996241
>
> Thanks,

Please use CVE-2013-4239 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJSCUKbAAoJEBYNRVNeJnmTP4UP/334HI3Q+UKvpZ65UAhEigCH
pFtwVcyCOgyAVjI36ZyfuWBDBJNYlMSYo1tEEl3cbEIRPaISt+98TI/ZCK+itpcn
b3JEgShTGxN/gnxwNbu6NjzoiGHc/fIoiGeiUTc78xl3/eBPIehThAw7jDoRRBWa
bM5cphZtQAWYrlzOj60DZ3QPqBUJbkpCdFLgVmgjXDo2RbeZTKxXHyQ3/1tBrCgV
GPpnc+2+YXDeKqbZQr1SKfzmi7BYUvYK2XD+TE6FNfJxsjAa+tg+ALxOLZXsxs/j
moX98uyNFu5lsrAIF0idyFDVoLI8JFWZnO0e4P6cm+hYk5BKXHW2rAoDu/ZD4JqM
2W+X5QUYZ3f0RKtIQZ+26f7SIu7TbE5cGX3d/vWEuOD/XAO0Yn1lkid7e6zVVuJx
gqI8SSGVlNMbAKOTD7JaPu8NulKa+KdjT7vUrNz3uGD5yW1i8MNgwn6uGR6t5QJy
73Ec0ze7UUPjwS9kLOq16OonezF8wmzll8QhwP6ZGMQQpFKV4hAtLsbBruCISsjn
REob17GN0RI1KicZZz91c9rAhF1ogjhSK6xqrgNN2gyzycL7DGwsqlrNLDGd0u13
4WHoExaUEk262pIivcIdNiaUJXAFV8gBbLOPade9VTluPd8MuEiHAPHVeRvlB79r
Ae3hpuCBnfJetHcm6zPl
=7B7x
-----END PGP SIGNATURE-----