[Pkg-libvirt-maintainers] Bug#1080218: libvirt: CVE-2024-8235
Salvatore Bonaccorso
carnil at debian.org
Sat Aug 31 19:58:39 BST 2024
Source: libvirt
Version: 10.6.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for libvirt.
CVE-2024-8235[0]:
| A flaw was found in libvirt. A refactor of the code fetching the
| list of interfaces for multiple APIs introduced a corner case on
| platforms where allocating 0 bytes of memory results in a NULL
| pointer. This corner case would lead to a NULL-pointer dereference
| and subsequent crash of virtinterfaced. This issue could allow
| clients connecting to the read-only socket to crash the
| virtinterfaced daemon.
A note on the severity: technically I think 'important' would have
been more appropriate. Still, ideally this needs to be fixed for
trixie, so I raised the level such that it appears on the radar before
the trixie freeze. I expect anyway that pkg-libvirt-maintainers are
reactive enough on bugfixes, so if you feel strongly about it, please
do downgrade the severity.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-8235
https://www.cve.org/CVERecord?id=CVE-2024-8235
[1] https://gitlab.com/libvirt/libvirt/-/commit/8dfb12cb77996519901b8d52c754ab564ebd10e8
Regards,
Salvatore
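An added illustration of the bug class the CVE text above describes, written for this page: it is not libvirt's code and does not reproduce the fix in [1]; every identifier below is invented. It models a list sized from an interface count, the zero-count case turning into a 0-byte allocation that yields NULL (the standard leaves malloc(0) implementation-defined, and GLib's g_malloc0(0), which g_new0 wraps, is documented to return NULL), and a shared consumer that dereferences the result. The hardened producer never issues a zero-byte request and always terminates the list, so NULL can only mean real allocation failure.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical code for this page, NOT libvirt's: a zero interface count
 * becomes a 0-byte allocation, the allocator returns NULL, and a consumer
 * that expects an array dereferences it. All names are invented. */

/* Probe: does this host's malloc(0) return NULL? Implementation-defined in C;
 * glibc returns a unique non-NULL pointer, some other libcs return NULL. */
int host_malloc0_returns_null(void)
{
    void *p = malloc(0);
    int is_null = (p == NULL);
    free(p);
    return is_null;
}

/* Allocator stand-in that always takes the "0 bytes -> NULL" branch, so the
 * corner case is reproducible on any host regardless of its libc. */
static void *alloc_array(size_t n, size_t elem)
{
    if (n == 0 || elem == 0)
        return NULL;
    return calloc(n, elem);
}

static char *dup_str(const char *s)
{
    size_t len = strlen(s) + 1;
    char *d = malloc(len);
    if (d != NULL)
        memcpy(d, s, len);
    return d;
}

/* VULNERABLE producer: sized by the count alone. With no interfaces the
 * request is zero bytes, so *out becomes NULL instead of an empty array
 * (non-empty results also carry no terminator). Returns the count. */
int fetch_names_vulnerable(const char *const *src, size_t n, char ***out)
{
    char **list = alloc_array(n, sizeof(*list));
    for (size_t i = 0; i < n; i++)
        list[i] = dup_str(src[i]);
    *out = list;                          /* NULL when n == 0 */
    return (int)n;
}

/* Consumer shared by several APIs: expects a NULL-terminated list. Fed the
 * NULL the vulnerable producer returns for an empty result, its first read
 * of list[0] is a NULL-pointer dereference, modelling the daemon crash. */
size_t count_terminated(char **list)
{
    size_t i = 0;
    while (list[i] != NULL)
        i++;
    return i;
}

/* FIXED producer: n + 1 slots is never a zero-byte request and the list is
 * always terminated, so "no interfaces" is a valid empty array and NULL can
 * only mean a genuine allocation failure (reported as -1). */
int fetch_names_fixed(const char *const *src, size_t n, char ***out)
{
    char **list = alloc_array(n + 1, sizeof(*list));
    if (list == NULL)
        return -1;
    for (size_t i = 0; i < n; i++)
        list[i] = dup_str(src[i]);
    list[n] = NULL;
    *out = list;
    return (int)n;
}

/* Defence in depth on the consumer side: treat NULL as an empty list. */
size_t count_terminated_safe(char **list)
{
    return list == NULL ? 0 : count_terminated(list);
}

void free_names(char **list)
{
    if (list == NULL)
        return;
    for (size_t i = 0; list[i] != NULL; i++)
        free(list[i]);
    free(list);
}

int main(void)
{
    const char *const names[] = { "lo", "eth0" };   /* constructed sample */
    char **list = NULL;

    printf("host malloc(0) returns NULL: %s\n",
           host_malloc0_returns_null() ? "yes" : "no");

    fetch_names_vulnerable(names, 0, &list);
    printf("vulnerable producer, empty result: list=%p\n", (void *)list);
    /* count_terminated(list) here would dereference NULL and crash. */

    fetch_names_fixed(names, 2, &list);
    printf("fixed producer, 2 names: count=%zu\n", count_terminated(list));
    free_names(list);

    fetch_names_fixed(names, 0, &list);
    printf("fixed producer, empty result: list=%p count=%zu\n",
           (void *)list, count_terminated(list));
    free_names(list);
    return 0;
}
```

The check worth carrying into a real review is the contract question the refactor blurred: whether a NULL list means "empty" or "failed". Sizing every list allocation by count + 1 (or branching on count == 0 before touching memory) answers it on the producer side, and a NULL-tolerant consumer keeps a read-only client from taking the daemon down if a future refactor slips again.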