[Pkg-libvirt-maintainers] Bug#887700: Bug#887700: libvirt: CVE-2018-5748: resource exhaustion via qemuMonitorIORead() method
carnil at debian.org
Fri Jan 19 08:54:32 UTC 2018
On Fri, Jan 19, 2018 at 09:45:13AM +0100, Guido Günther wrote:
> control: -1 found 0.9.12.3-1+deb7u2
> Hi Salvatore,
> On Fri, Jan 19, 2018 at 09:00:03AM +0100, Salvatore Bonaccorso wrote:
> > Source: libvirt
> > Version: 1.2.9-9
> > Severity: important
> > Tags: security upstream
> > Hi,
> > the following vulnerability was published for libvirt.
> > CVE-2018-5748:
> > resource exhaustion via qemuMonitorIORead() method
> > Further reference in the Red Hat bug.
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > For further information see:
> >  https://security-tracker.debian.org/tracker/CVE-2018-5748
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5748
> >  https://bugzilla.redhat.com/show_bug.cgi?id=1528396
> > Please adjust the affected versions in the BTS as needed, please
> > double-check.
> Thanks! I wanted to update libvirt in stretch anyway so I'll add it
> Any reason why you picked 1.2.9-9? AFAIK none of the versions had
> resource limits on monitor reads - or did I overlook something?
No particular reason, this was the earliest version I wanted to track
at least for the BTS. But you are right that the issue possibly goes
back to upstream/0.9.7_rc1 so your control update looks right to me!
I was not meaning to indicate that the issue got introduced in 1.2.9
upstream but rather that I looked at that one earliest (sourcewise
only in this case) and it appeared to be affected as well.
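The thread above turns on the observation that the monitor reader had no resource limit, which is what CVE-2018-5748 is about. The following C is an added illustration, not libvirt's qemuMonitorIORead() or any other code from the project or the posters: it shows the unbounded accumulate-on-read pattern beside a bounded variant that refuses growth past a cap. The cap value MON_MAX_RESPONSE, the struct and function names, and the flood simulation are all hypothetical choices made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Hypothetical cap for one monitor response (1 MiB). This number is an
   assumption for the example, not libvirt's actual limit. */
#define MON_MAX_RESPONSE ((size_t)1024 * 1024)

struct monbuf {
    char  *data;
    size_t len;
    size_t cap;
};

/* Unbounded accumulate: every chunk read from the monitor socket is appended
   and the buffer is grown on demand. Whatever sits on the other end of the
   socket can therefore make the reader allocate without limit. */
int monbuf_append_unbounded(struct monbuf *b, const char *chunk, size_t n)
{
    if (b->len + n + 1 > b->cap) {
        size_t ncap = b->cap ? b->cap : 1024;
        while (ncap < b->len + n + 1)
            ncap *= 2;
        char *p = realloc(b->data, ncap);
        if (!p)
            return -1;
        b->data = p;
        b->cap  = ncap;
    }
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

/* Bounded accumulate: reject any append that would push the retained data
   past MON_MAX_RESPONSE. The overflow check is written so that len + n
   cannot wrap. On rejection the caller should treat the monitor as broken
   and close it, so the worst case cost is one capped buffer. */
int monbuf_append_bounded(struct monbuf *b, const char *chunk, size_t n)
{
    if (n > MON_MAX_RESPONSE || b->len > MON_MAX_RESPONSE - n) {
        errno = EMSGSIZE;
        return -1;
    }
    return monbuf_append_unbounded(b, chunk, n);
}

/* Simulate a peer flooding the reader with nchunks chunks of `chunk` bytes
   (constructed input). Returns the number of bytes the reader retained when
   feeding stopped: all of them for the unbounded reader, at most the cap for
   the bounded one. */
size_t simulate_flood(int bounded, size_t chunk, size_t nchunks)
{
    struct monbuf b = { NULL, 0, 0 };
    char *c = malloc(chunk);
    if (!c)
        return 0;
    memset(c, 'A', chunk);

    for (size_t i = 0; i < nchunks; i++) {
        int rc = bounded ? monbuf_append_bounded(&b, c, chunk)
                         : monbuf_append_unbounded(&b, c, chunk);
        if (rc < 0)
            break;
    }
    size_t kept = b.len;
    free(c);
    free(b.data);
    return kept;
}

int main(void)
{
    /* 2048 chunks of 1 KiB = 2 MiB, twice the hypothetical cap. */
    printf("unbounded reader kept %zu bytes\n", simulate_flood(0, 1024, 2048));
    printf("bounded reader kept   %zu bytes\n", simulate_flood(1, 1024, 2048));
    return 0;
}
```

The bounded variant is the shape of fix a reviewer would look for when backporting: the check sits in the append path itself, so it covers every read regardless of which monitor command triggered it, and it fails closed rather than trimming data silently.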