[Pkg-libvirt-maintainers] Bug#887700: Bug#887700: libvirt: CVE-2018-5748: resource exhaustion via qemuMonitorIORead() method

Salvatore Bonaccorso carnil at debian.org
Fri Jan 19 08:54:32 UTC 2018


Hi!

On Fri, Jan 19, 2018 at 09:45:13AM +0100, Guido Günther wrote:
> control: -1 found 0.9.12.3-1+deb7u2
> 
> Hi Salvatore,
> On Fri, Jan 19, 2018 at 09:00:03AM +0100, Salvatore Bonaccorso wrote:
> > Source: libvirt
> > Version: 1.2.9-9
> > Severity: important
> > Tags: security upstream
> > 
> > Hi,
> > 
> > the following vulnerability was published for libvirt.
> > 
> > CVE-2018-5748[0]:
> > resource exhaustion via qemuMonitorIORead() method
> > 
> > Further reference in the Red Hat bug [1].
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-5748
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5748
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1528396
> > 
> > Please adjust the affected versions in the BTS as needed, please
> > double-check.
> 
> Thanks! I wanted to update libvirt in stretch anyway so I'll add it
> there.

Thank you!

> Any reason why you picked 1.2.9-9? AFAIK none of the versions had
> resource limits on monitor reads - or did I overlook something?

No particular reason, this was the earliest version I wanted to track
at least for the BTS. But you are right that the issue possibly goes
back to upstream/0.9.7_rc1 so your control update looks right to me!

I was not meaning to indicate that the issue got introduced in 1.2.9
upstream but rather that I looked at that one earliest (sourcewise
only in this case) and it appeared to be affected as well.

Regards,
Salvatore
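The thread above turns on the point that none of the affected libvirt versions put a resource limit on monitor reads, so a guest-side QEMU that keeps emitting monitor output could make libvirtd accumulate it without bound. The following is an added illustration, not libvirt's own code and not the upstream fix: it shows the general shape of a bounded accumulation buffer for a stream reader, where `MONITOR_BUF_MAX`, `struct monbuf`, `monbuf_append` and `simulate_flood` are all hypothetical names and the 64 KiB cap is a constructed value chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on monitor output held while waiting for a complete
 * reply. The value is a constructed assumption for this example, not a
 * libvirt constant. */
#define MONITOR_BUF_MAX (64 * 1024)

/* Hypothetical growable buffer for bytes read from a monitor socket. */
struct monbuf {
    char *data;
    size_t len;   /* bytes currently held */
    size_t cap;   /* bytes allocated */
};

/* Append one chunk read from the monitor. Returns 0 on success and -1
 * when accepting the chunk would exceed MONITOR_BUF_MAX (or allocation
 * fails); a caller would then treat the monitor as broken and close it
 * rather than keep growing the buffer. */
int monbuf_append(struct monbuf *b, const char *chunk, size_t n)
{
    /* Overflow-safe form of "b->len + n > MONITOR_BUF_MAX". */
    if (n > MONITOR_BUF_MAX - b->len)
        return -1;

    if (b->len + n + 1 > b->cap) {
        size_t newcap = b->cap ? b->cap * 2 : 1024;
        while (newcap < b->len + n + 1)
            newcap *= 2;
        char *p = realloc(b->data, newcap);
        if (!p)
            return -1;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    b->data[b->len] = '\0';   /* keep the buffer usable as a C string */
    return 0;
}

/* Constructed scenario: a monitor peer emits `chunks` chunks of
 * `chunk_size` bytes without ever completing a reply. Returns how many
 * chunks the bounded buffer accepted before refusing further input. */
size_t simulate_flood(size_t chunk_size, size_t chunks)
{
    struct monbuf b = {0};
    char *chunk = malloc(chunk_size ? chunk_size : 1);
    size_t accepted = 0;

    if (!chunk)
        return 0;
    memset(chunk, 'x', chunk_size);
    for (size_t i = 0; i < chunks; i++) {
        if (monbuf_append(&b, chunk, chunk_size) < 0)
            break;   /* cap reached: stop instead of growing unboundedly */
        accepted++;
    }
    free(chunk);
    free(b.data);
    return accepted;
}

int main(void)
{
    /* With a 64 KiB cap and 4 KiB chunks, only 16 chunks fit. */
    printf("accepted %zu chunks of 4096 bytes before the cap\n",
           simulate_flood(4096, 1000));
    return 0;
}
```

The memory held per monitor is now bounded by the cap regardless of how much the peer sends; the design choice is to fail the connection once the cap is hit, since a reply that large is itself a sign of a broken or hostile monitor.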
