Bug 1172569 (CVE-2014-8131)

Summary: CVE-2014-8131 libvirt: deadlock and segfault in qemuConnectGetAllDomainStats
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aavati, agedosier, berrange, bsarathy, carnil, clalancette, eblake, itamar, jdenemar, jforbes, jsuchane, knoel, laine, libvirt-maint, nlevinki, pkrempa, rbalakri, rfortier, rhs-bugs, shaines, smohan, ssaha, vbellur, veillard, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-10 11:40:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1172570, 1172571    
Bug Blocks: 1172575    

Description Petr Matousek 2014-12-10 11:39:34 UTC
When user doesn't have read access on one of the domains he requested,
the for loop in qemuConnectGetAllDomainStats() could exit abruptly or
continue and override pointer which pointed to locked object.

With certain configuration, this can either cause a deadlock (it leaves a
domain locked) or a segmentation fault when domain object has its reference
counter decremented when it was not incremented.

With certain configuration, a remote attacker able to establish a read-only
connection to libvirtd could use this flaw to caus denial of service condition
or crash libvirtd.

Introduced by:

http://libvirt.org/git/?p=libvirt.git;a=commit;h=d1bde8ed
http://libvirt.org/git/?p=libvirt.git;a=commit;h=1f4831ee

Upstream patches:
https://www.redhat.com/archives/libvir-list/2014-December/msg00551.html
https://www.redhat.com/archives/libvir-list/2014-December/msg00600.html

Comment 1 Petr Matousek 2014-12-10 11:40:08 UTC
Statement:

Not vulnerable.

This issue does not affect the versions of libvirt packages as shipped with
Red Hat Enterprise Linux 5, 6 and 7.

Comment 3 Petr Matousek 2014-12-10 11:40:57 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1172571]

Comment 4 Petr Matousek 2015-01-05 10:00:33 UTC
Upstream advisory:

http://security.libvirt.org/2014/0008.html

Comment 5 Fedora Update System 2015-02-15 03:06:51 UTC
libvirt-1.2.9.2-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.