Eric Blake wrote: > On 01/29/2013 07:05 PM, Jim Fehlig wrote: > > >>>> Mention CVE-2013-0170 in the commit message, now that it is public: >>>> https://bugzilla.redhat.com/show_bug.cgi?id=893450 >>>> >>>> >>>>> * rpc/virnetserverclient.c: virNetServerClientDispatchRead: >>>>> - avoid use after free of RPC messages >>>>> --- >>>>> src/rpc/virnetserverclient.c | 3 +++ >>>>> 1 file changed, 3 insertions(+) >>>>> >>>> ACK. Looks like we need this on {v0.10.2,v0.9.11,v0.9.6}-maint as well. >>>> >>> Thanks. I added the CVE notice and pushed to upstream and the v0.10.2 >>> and v0.9.11 maint branches. v0.9.6 is not vulnerable. The problem was >>> introduced in 0.9.7 >>> >> Hi Peter, >> >> Looks like 0.9.6 was vulnerable since this made its way to the >> v0.9.6-maint branch as well. Do you happen to know when this was >> introduced? >> > > I did some more research: > Eric, Thank you for the research and explanation, it was not expected but very much appreciated. I was actually having quite the RTFM moment after asking this question... Regards, Jim > The original problem was introduced in commit 4e00b1d (libvirt 0.9.3), > when we switched over to new RPC handling; there, we only had one faulty > error path. Later, commit 3ae0ab67 (libvirt 0.9.7) exacerbated the > problem, by adding two more faulty error paths. Peter's test case when > originally reporting the CVE was on one of the error paths added in > 0.9.7, hence his claim that "the problem was introduced in 0.9.7"; but I > still think it is possible to trigger the remaining faulty error path > when targeting libvirt 0.9.3, and agree with Cole's backport to the > v0.9.6-maint branch. > > -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list