[libvirt] LSN-2013-0021: libvirtd crash during seamless SPICE migration

Eric Blake eblake at redhat.com
Wed Mar 19 19:56:17 UTC 2014


[this is an older issue, but it was just barely assigned a CVE this week]

        Libvirt Security Notice: LSN-2013-0021
        ======================================

       Summary: libvirtd crash during seamless SPICE migration
   Reported on: 20130919
  Published on: 20130919
      Fixed on: 20130920
   Reported by: Marian Krcmarik <mkrcmari at redhat.com>
    Patched by: Martin Kletzander <mkletzan at redhat.com>
      See also: CVE-2013-7336

Description
-----------

When migrating a guest with a live SPICE connection, the source
libvirtd did not properly track that the migration job was still
waiting for status from the handshakes involved in seamless
migration.

Impact
------

If another client was querying domain status at the same time as the
ongoing seamless SPICE migration, the incorrect job status could
lead to memory corruption and a crash of libvirtd on the source side
of the migration. Because these queries can be performed by an
unprivileged user, the crash can be used to mount a denial of service
against other, higher-privileged users of the libvirtd daemon.

Workaround
----------

The impact can be mitigated by blocking access to the read-only
libvirtd UNIX domain socket, with policykit or the 'auth_unix_ro'
parameter in '/etc/libvirt/libvirtd.conf'. If ACLs are active, the
'read' permission should be removed from any untrusted users. This
will not prevent the crash, but will stop unprivileged users from
inflicting the denial of service on higher privileged users.
Additionally, avoiding SPICE seamless migration is sufficient to
avoid the problem.

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v1.1.0
   Broken in: v1.1.1
   Broken in: v1.1.2
    Fixed in: v1.1.3
   Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe
    Fixed by: 484cc3217b73b865f00bf42a9c12187b37200699

      Branch: v1.1.0-maint
   Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe
    Fixed by: 476d0e38af11f3ff50d85e3f7aecad4cd8208c76

      Branch: v1.1.1-maint
   Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe
    Fixed by: fea2550974137918c2bc9e01f3eb00421585450c

      Branch: v1.1.2-maint
   Broken by: 9da7b11bcd3e9732dd881a9e6158a0c98bafd9fe
    Fixed by: b6ea7abcf72d7d0aaf90e17aa8e8e88db8f778ea



-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
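
A check for the exposure described in the Workaround and Affected product sections, added here as an example and not part of the original notice or of libvirt: it compares a libvirt version with the affected upstream range and reads 'auth_unix_ro' from libvirtd.conf text. The function names, status strings and sample config lines are assumptions made for illustration.

```python
import re

# Affected upstream releases per the notice: broken in v1.1.0-v1.1.2, fixed in v1.1.3.
FIRST_BROKEN = (1, 1, 0)
FIRST_FIXED = (1, 1, 3)

# Constructed sample config text (not taken from a real host).
SAMPLE_OPEN = '#auth_unix_ro = "polkit"\nauth_unix_ro = "none"\n'
SAMPLE_RESTRICTED = 'auth_unix_ro = "polkit"  # constructed sample\n'

def parse_version(text):
    """Turn 'v1.1.2' or '1.1.2' into (1, 1, 2)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    # A version number cannot show a fix backported by a distributor or a -maint branch.
    return FIRST_BROKEN <= parse_version(version) < FIRST_FIXED

def ro_socket_auth(conf_text):
    """Return the last uncommented auth_unix_ro value, or None if it is unset."""
    value = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = re.match(r'\s*auth_unix_ro\s*=\s*"([^"]*)"', line)
        if m:
            value = m.group(1)
    return value

def assess(version, conf_text):
    """Hypothetical status string combining version and read-only socket auth."""
    if not is_affected(version):
        return "not-affected"
    auth = ro_socket_auth(conf_text)
    if auth is None:
        return "affected: auth_unix_ro unset, build default applies"
    if auth == "none":
        return "affected: read-only socket unauthenticated"
    # With polkit, who may connect still depends on the local polkit policy.
    return "affected: read-only socket requires " + auth

if __name__ == "__main__":
    print(assess("v1.1.2", SAMPLE_OPEN))
```

As the notice says, restricting the read-only socket does not prevent the crash; on an affected version the result only shows whether unprivileged users can reach the query path.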
