Bug 2263841 (CVE-2024-1441)
Summary: | CVE-2024-1441 libvirt: off-by-one error in udevListInterfacesByStatus() | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Mauro Matteo Cascella <mcascell> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | ASSIGNED --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | ailan, berrange, ddepaula, eblake, jdenemar, jferlan, jmaloy, jsuchane, knoel, pkrempa, security-response-team, ymankad |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | libvirt 10.1.0 | Doc Type: | If docs needed, set a value |
Doc Text: | An off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to perform a denial of service attack by causing the libvirt daemon to crash. |
Bug Depends On: | 2268983 | ||
Bug Blocks: | 2263866 |
Description
Mauro Matteo Cascella
2024-02-12 12:10:32 UTC
The embargo can be removed as the fix was already pushed upstream as

commit c664015fe3a7bf59db26686e9ed69af011c6ebb8
Refs: v10.1.0-rc2-5-gc664015fe3
Author:     Martin Kletzander <mkletzan>
AuthorDate: Tue Feb 27 16:20:12 2024 +0100
Commit:     Jiri Denemark <jdenemar>
CommitDate: Fri Mar 1 11:52:27 2024 +0100

    Fix off-by-one error in udevListInterfacesByStatus

    Ever since this function was introduced in 2012 it could've tried
    filling in an extra interface name. That was made worse in 2019 when
    the caller functions started accepting NULL arrays of size 0.

    This is assigned CVE-2024-1441.

    Signed-off-by: Martin Kletzander <mkletzan>
    Reported-by: Alexander Kuznetsov <kuznetsovam>
    Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca
    Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15
    Reviewed-by: Ján Tomko <jtomko>

Thanks for the heads-up, Jiri. Embargo lifted accordingly.

Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 2268983]

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2560 https://access.redhat.com/errata/RHSA-2024:2560
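The bug class named in the Doc Text and the commit message, as an added example that is not libvirt's code and not part of this bug report: a constructed model of a routine that copies names into a caller-supplied array, with the off-by-one guard beside the corrected one. All identifiers (name_list, store, list_names_buggy, list_names_fixed, oob_attempts) and the interface names are assumptions made for the illustration; out-of-bounds stores are counted rather than performed.

```c
#include <stddef.h>

/* Constructed model of "copy names into a caller-supplied array"; not libvirt code. */
struct name_list {
    const char **names;  /* caller's array; may be NULL when names_len is 0 */
    size_t names_len;    /* capacity of names */
    size_t oob_writes;   /* stores past the end: counted here, never performed */
};

/* Stand-in for names[idx] = name, so the buggy path runs without corrupting memory. */
static void store(struct name_list *out, size_t idx, const char *name)
{
    if (idx < out->names_len)
        out->names[idx] = name;
    else
        out->oob_writes++;
}

/* Buggy guard: count == names_len passes the check, so slot names[names_len] is used. */
size_t list_names_buggy(const char *const *ifaces, size_t n, struct name_list *out)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (count > out->names_len)
            break;
        store(out, count++, ifaces[i]);
    }
    return count;
}

/* Corrected guard: stop as soon as the array is full, which also covers capacity 0. */
size_t list_names_fixed(const char *const *ifaces, size_t n, struct name_list *out)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (count >= out->names_len)
            break;
        store(out, count++, ifaces[i]);
    }
    return count;
}

/* Lists three constructed interface names into an array of names_len (0..3) slots
 * and returns how many stores would have landed outside that array. */
size_t oob_attempts(int fixed, size_t names_len)
{
    static const char *const ifaces[] = { "lo", "eth0", "virbr0" };
    const char *slots[3];
    struct name_list out = { names_len ? slots : NULL, names_len, 0 };
    (fixed ? list_names_fixed : list_names_buggy)(ifaces, 3, &out);
    return out.oob_writes;
}
```

With three interfaces, the buggy guard stays in bounds only when the array has room for all three; with a smaller array, or a NULL array of size 0, it attempts exactly one extra store.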