[Libguestfs] ATTN: Denial of service attack possible on libguestfs 1.21.x, libguestfs.1.22.0

Richard W.M. Jones rjones at redhat.com
Fri May 31 07:35:28 UTC 2013

On Fri, May 31, 2013 at 01:03:24AM +0200, Olaf Hering wrote:
> #2  0x00007ffff7b7936c in guestfs___safe_strdup (g=0x65da50, str=0x0) at alloc.c:96
> #3  0x00007ffff7b8b65e in parse_suse_release (filename=<optimized out>, fs=<optimized out>, g=<optimized out>) at inspect-fs-unix.c:343

This is a different problem:

  lines = guestfs_head_n (g, 10, filename);
  if (lines == NULL)
    return -1;

  /* First line is dist release name */
  fs->product_name = safe_strdup (g, lines[0]);   <<<---
  if (fs->product_name == NULL)
    goto out;

The code doesn't check that lines[0] != NULL.

I don't see a problem in parse_lsb_release however.  Do you have a
stack trace from that?


Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.

More information about the Libguestfs mailing list