[Libvirt-announce] LSN-2014-0001: libvirtd crashes if client closes connection early

Daniel P. Berrange berrange at redhat.com
Fri Jan 17 14:27:45 UTC 2014


        Libvirt Security Notice: LSN-2014-0001
        ======================================

       Summary: libvirtd crashes if client closes connection early
   Reported on: 20140109
  Published on: 20131231
      Fixed on: 20140113
   Reported by: Jiri Denemar <jdenemar at redhat.com>
    Patched by: Jiri Denemar <jdenemar at redhat.com>
      See also: CVE-2014-1447

Description
-----------

When a client closes its connection to libvirtd early during
virConnectOpen, more specifically just after making the
REMOTE_PROC_CONNECT_SUPPORTS_FEATURE call to check whether
VIR_DRV_FEATURE_PROGRAM_KEEPALIVE is supported, without even waiting
for the result, libvirtd may crash due to a race in keep-alive
initialization.

Impact
------

A malicious unprivileged client can cause the libvirtd daemon to
crash, leading to a denial of service.

Workaround
----------

Disable the keepalive feature in the libvirtd.conf configuration file.

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v0.9.8
   Broken in: v0.9.9
   Broken in: v0.9.10
   Broken in: v0.9.11
   Broken in: v0.9.12
   Broken in: v0.9.13
   Broken in: v0.10.0
   Broken in: v0.10.1
   Broken in: v0.10.2
   Broken in: v1.0.0
   Broken in: v1.0.1
   Broken in: v1.0.2
   Broken in: v1.0.3
   Broken in: v1.0.4
   Broken in: v1.0.5
   Broken in: v1.0.6
   Broken in: v1.1.0
   Broken in: v1.1.1
   Broken in: v1.1.2
   Broken in: v1.1.3
   Broken in: v1.1.4
   Broken in: v1.2.0
    Fixed in: v1.2.1
   Broken by: f4324e32927580e3620f0de3a0ec80334936e263
    Fixed by: 066c8ef6c18bc1faf8b3e10787b39796a7a06cc0

      Branch: v0.9.11-maint
   Broken in: v0.9.11.1
   Broken in: v0.9.11.2
   Broken in: v0.9.11.3
   Broken in: v0.9.11.4
   Broken in: v0.9.11.5
   Broken in: v0.9.11.6
   Broken in: v0.9.11.7
   Broken in: v0.9.11.8
   Broken in: v0.9.11.9
   Broken in: v0.9.11.10
   Broken by: f4324e32927580e3620f0de3a0ec80334936e263

      Branch: v0.9.12-maint
   Broken in: v0.9.12.1
   Broken in: v0.9.12.2
   Broken by: f4324e32927580e3620f0de3a0ec80334936e263
    Fixed by: c385db5994842466ad3afd3ec4414dc67e41f8d3

      Branch: v1.0.2-maint
   Broken by: f4324e32927580e3620f0de3a0ec80334936e263
    Fixed by: 7fad864afa2f7137f5ebfa7874c70d2a2ca5c6b1

      Branch: v1.0.3-maint
   Broken by: f4324e32927580e3620f0de3a0ec80334936e263
    Fixed by: b24979a12fcb8fc82b3a52159d578e7eba2ca466

      Branch: v1.0.4-maint
   Broken by: f4324e32927580e3620f0de3a0ec80334936e263
    Fixed by: 9b1e050856310ea688ba55668ffa6df31bd0d721

      Branch: v1.0.5-maint
   Broken in: v1.0.5.1
   Broken in: v1.0.5.2
   Broken in: v1.0.5.3
   Broken in: v1.0.5.4
   Broken in: v1.0.5.5
   Broken in: v1.0.5.6
   Broken in: v1.0.5.7
   Broken in: v1.0.5.8
   Broken by: f4324e32927580e3620f0de3a0ec80334936e263
    Fixed by: 99f8d97aa7498ae06bfbefc0d4d71351d0831016

      Branch: v1.0.6-maint
   Broken by: f4324e32927580e3620f0de3a0ec80334936e263
    Fixed by: 5055fe4b2db9927f02e3ec7e86f343fcc9e87879

      Branch: v1.1.0-maint
   Broken by: f4324e32927580e3620f0de3a0ec80334936e263
    Fixed by: c86813d5527c4e559dded3a7565dc420ac25c30e

      Branch: v1.1.1-maint
   Broken by: f4324e32927580e3620f0de3a0ec80334936e263
    Fixed by: 08672cff7b2fe789bea4ebb1fed883c93b98ea0d

      Branch: v1.1.2-maint
   Broken by: f4324e32927580e3620f0de3a0ec80334936e263
    Fixed by: 2842b103b1cd5d0872050a164b758967eb2e4be4

      Branch: v1.1.3-maint
   Broken in: v1.1.3.1
   Broken in: v1.1.3.2
   Broken by: f4324e32927580e3620f0de3a0ec80334936e263
    Fixed by: 8342adeffb260c564edd4d7279fcb8c3499a997f

      Branch: v1.1.4-maint
   Broken by: f4324e32927580e3620f0de3a0ec80334936e263
    Fixed by: eb365315ac7784817769704729a69d4a82a71b50

      Branch: v1.2.0-maint
   Broken by: f4324e32927580e3620f0de3a0ec80334936e263
    Fixed by: a19f700b642115963ce6007cf22945870c9e8616


-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
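
An added triage sketch (not part of the notice or of libvirt's own code) that applies the notice's "Broken in" / "Fixed in" table and its workaround: it classifies an upstream version string and checks libvirtd.conf text for a disabled keepalive. It assumes the workaround corresponds to `keepalive_interval = -1`; the function names and the sample config text are constructed for illustration.

```python
import re

# Master-branch range from the notice: broken in v0.9.8 .. v1.2.0, fixed in v1.2.1.
FIRST_BROKEN, FIRST_FIXED = (0, 9, 8), (1, 2, 1)
# Maintenance releases the notice lists as broken: branch -> highest listed release.
BROKEN_MAINT = {(0, 9, 11): 10, (0, 9, 12): 2, (1, 0, 5): 8, (1, 1, 3): 2}

def classify_version(version):
    """Classify an upstream libvirt version against the notice's table."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+){2,3})", version.strip())
    if not m:
        return "unknown"  # distro or pre-release string: check for the fix commit
    parts = tuple(int(p) for p in m.group(1).split("."))
    if len(parts) == 3:
        if parts < FIRST_BROKEN:
            return "not-affected"
        return "affected" if parts < FIRST_FIXED else "fixed"
    last = BROKEN_MAINT.get(parts[:3])
    if last is not None and 1 <= parts[3] <= last:
        return "affected"
    return "unknown"  # maint release not listed in the notice

def keepalive_interval(conf_text):
    """Return the last uncommented keepalive_interval value, or None if unset."""
    value = None
    for line in conf_text.splitlines():
        m = re.match(r"\s*keepalive_interval\s*=\s*(-?\d+)", line)
        if m:
            value = int(m.group(1))
    return value

def triage(version, conf_text):
    """Combine the version check with the workaround check."""
    status = classify_version(version)
    if status != "affected":
        return status
    # Assumption: keepalive_interval = -1 is the "disable keepalive" workaround.
    if keepalive_interval(conf_text) == -1:
        return "affected, workaround set"
    return "affected, workaround not set"

# Constructed sample libvirtd.conf contents.
CONF_DEFAULT = "#keepalive_interval = 5\n#keepalive_count = 5\n"
CONF_WORKAROUND = "listen_tls = 0\nkeepalive_interval = -1\n"

if __name__ == "__main__":
    for ver, conf in [("1.2.0", CONF_DEFAULT), ("1.1.3.2", CONF_WORKAROUND), ("1.2.1", CONF_DEFAULT)]:
        print(ver, "->", triage(ver, conf))
```

A version string alone is not conclusive for distribution packages, which may carry one of the "Fixed by" commits as a backport; an "unknown" result means checking the package changelog for CVE-2014-1447.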



