[Pkg-libvirt-commits] [libvirt] 01/02: CVE-2013-4296: Fix crash in remoteDispatchDomainMemoryStats
Guido Guenther
agx at alioth.debian.org
Mon Sep 23 12:05:18 UTC 2013
This is an automated email from the git hooks/post-receive script.
agx pushed a commit to annotated tag debian/0.9.12-11+deb7u4
in repository libvirt.
commit e91a86ad1b9d839d430074155db6fdb5f2dc3979
Author: Guido Günther <agx at sigxcpu.org>
Date: Mon Sep 9 13:11:04 2013 +0200
CVE-2013-4296: Fix crash in remoteDispatchDomainMemoryStats
Thanks: "Daniel P. Berrange"
---
...-crash-in-remoteDispatchDomainMemoryStats.patch | 37 ++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 38 insertions(+)
diff --git a/debian/patches/security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch b/debian/patches/security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch
new file mode 100644
index 0000000..32004a2
--- /dev/null
+++ b/debian/patches/security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch
@@ -0,0 +1,37 @@
+From: "Daniel P. Berrange" <berrange at redhat.com>
+Date: Mon, 9 Sep 2013 13:08:20 +0200
+Subject: Fix crash in remoteDispatchDomainMemoryStats
+
+The 'stats' variable was not initialized to NULL, so if some
+early validation of the RPC call fails, it is possible to jump
+to the 'cleanup' label and VIR_FREE an uninitialized pointer.
+This is a security flaw, since the API can be called from a
+readonly connection which can trigger the validation checks.
+
+This was introduced in release v0.9.1 onwards by
+
+ commit 158ba8730e44b7dd07a21ab90499996c5dec080a
+ Author: Daniel P. Berrange <berrange at redhat.com>
+ Date: Wed Apr 13 16:21:35 2011 +0100
+
+ Merge all returns paths from dispatcher into single path
+
+Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
+
+---
+ daemon/remote.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemon/remote.c b/daemon/remote.c
+index 4ece019..7d72b0a 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -1060,7 +1060,7 @@ remoteDispatchDomainMemoryStats(virNetServerPtr server ATTRIBUTE_UNUSED,
+ remote_domain_memory_stats_ret *ret)
+ {
+ virDomainPtr dom = NULL;
+- struct _virDomainMemoryStat *stats;
++ struct _virDomainMemoryStat *stats = NULL;
+ int nr_stats, i;
+ int rv = -1;
+ struct daemonClientPrivate *priv =
diff --git a/debian/patches/series b/debian/patches/series
index 60bcbee..d94c3a3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ debian/Allow-xen-toolstack-to-find-it-s-binaries.patch
fix-leak-virStorageBackendLogicalMakeVol.patch
upstream/Fix-libvirtd-crash-when-destroying-a-domain-with-att.patch
upstream/Fix-race-condition-when-destroying-guests.patch
+security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libvirt.git
More information about the Pkg-libvirt-commits
mailing list