On 01/29/2013 07:05 PM, Jim Fehlig wrote: >>> Mention CVE-2013-0170 in the commit message, now that it is public: >>> https://bugzilla.redhat.com/show_bug.cgi?id=893450 >>> >>>> >>>> * rpc/virnetserverclient.c: virNetServerClientDispatchRead: >>>> - avoid use after free of RPC messages >>>> --- >>>> src/rpc/virnetserverclient.c | 3 +++ >>>> 1 file changed, 3 insertions(+) >>> >>> ACK. Looks like we need this on {v0.10.2,v0.9.11,v0.9.6}-maint as well. >> >> Thanks. I added the CVE notice and pushed to upstream and the v0.10.2 >> and v0.9.11 maint branches. v0.9.6 is not vulnerable. The problem was >> introduced in 0.9.7 > > Hi Peter, > > Looks like 0.9.6 was vulnerable since this made its way to the > v0.9.6-maint branch as well. Do you happen to know when this was > introduced? I did some more research: The original problem was introduced in commit 4e00b1d (libvirt 0.9.3), when we switched over to new RPC handling; there, we only had one faulty error path. Later, commit 3ae0ab67 (libvirt 0.9.7) exacerbated the problem, by adding two more faulty error paths. Peter's test case when originally reporting the CVE was on one of the error paths added in 0.9.7, hence his claim that "the problem was introduced in 0.9.7"; but I still think it is possible to trigger the remaining faulty error path when targeting libvirt 0.9.3, and agree with Cole's backport to the v0.9.6-maint branch. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list