[Pkg-libvirt-maintainers] Bug#887700: Bug#887700: libvirt: CVE-2018-5748: resource exhaustion via qemuMonitorIORead() method

Guido Günther agx at sigxcpu.org
Fri Jan 19 08:58:56 UTC 2018


Hi,
On Fri, Jan 19, 2018 at 09:54:32AM +0100, Salvatore Bonaccorso wrote:
> hi!
> 
> On Fri, Jan 19, 2018 at 09:45:13AM +0100, Guido Günther wrote:
> > control: -1 found 0.9.12.3-1+deb7u2
> > 
> > Hi Salvatore,
> > On Fri, Jan 19, 2018 at 09:00:03AM +0100, Salvatore Bonaccorso wrote:
> > > Source: libvirt
> > > Version: 1.2.9-9
> > > Severity: important
> > > Tags: security upstream
> > > 
> > > Hi,
> > > 
> > > the following vulnerability was published for libvirt.
> > > 
> > > CVE-2018-5748[0]:
> > > resource exhaustion via qemuMonitorIORead() method
> > > 
> > > Further reference in the Red Hat bug [1].
> > > 
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > 
> > > For further information see:
> > > 
> > > [0] https://security-tracker.debian.org/tracker/CVE-2018-5748
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5748
> > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1528396
> > > 
> > > Please adjust the affected versions in the BTS as needed, please
> > > double-check.
> > 
> > Thanks! I wanted to update libvirt in stretch anyway so I'll add it
> > there.
> 
> Thank you!
> 
> > Any reason why you picked 1.2.9-9? AFAIK none of the versions had
> > resource limits on monitor reads - or did I overlook something?
> 
> No particular reason, this was the earliest version I wanted to track
> at least for the BTS. But you are right that the issue possibly goes
> back to upstream/0.9.7_rc1 so your control update looks right to me!
> 
> I was not meaning to indicate that the issue got introduced in 1.2.9
> upstream but rather that I looked at that one earliest (sourcewise
> only in this case) and appeared to be affected as well.

Ahh...good to know. I checked wheezy and it is indeed affected as well.
Cheers,
 -- Guido