Bug 717199 (CVE-2011-2511)

Summary: CVE-2011-2511 libvirt: integer overflow in VirDomainGetVcpus
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: ajia, aquini, berrange, clalance, crobinso, eblake, itamar, jforbes, laine, libvirt-maint, vbian, veillard, virt-maint
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-10-04 20:14:28 UTC
Bug Depends On: 717202, 717203, 717204, 717206, 717207

Description Petr Matousek 2011-06-28 11:15:54 UTC
It has been found that calling VirDomainGetVcpus with bogus parameters can lead to integer overflow and subsequent heap corruption. A remote attacker could use this flaw to crash libvirtd (DoS).

Upstream patch:
https://www.redhat.com/archives/libvir-list/2011-June/msg01278.html
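
Added example, not part of the original report or the upstream patch: a sketch of the class of check that prevents this kind of flaw, assuming the overflow is in the product of the two `int` size arguments of the call (`maxinfo` entries times `maplen` bytes each), which the report does not spell out. The function names and the `CPUMAPS_MAX_BYTES` cap are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical cap on the total cpumap buffer, in bytes (constructed value). */
#define CPUMAPS_MAX_BYTES 16384

/*
 * Validate the two caller-supplied counts and compute maxinfo * maplen
 * without ever performing an int multiplication that can wrap.
 * Returns 0 and stores the size in *out on success, -1 on rejection.
 */
int cpumaps_size(int maxinfo, int maplen, size_t *out)
{
    if (maxinfo <= 0 || maplen <= 0)
        return -1;                      /* zero or negative counts */
    if (maxinfo > INT_MAX / maplen)
        return -1;                      /* product would overflow int */
    if ((size_t)maxinfo * (size_t)maplen > CPUMAPS_MAX_BYTES)
        return -1;                      /* larger than the allowed buffer */
    *out = (size_t)maxinfo * (size_t)maplen;
    return 0;
}

/*
 * Contrast: the value a 32-bit product wraps to when nothing is checked.
 * Unsigned arithmetic is used so the wrap is well-defined in this demo.
 */
int unchecked_size(int maxinfo, int maplen)
{
    return (int)((unsigned int)maxinfo * (unsigned int)maplen);
}

int main(void)
{
    /* Constructed sample inputs: one sane request, one that wraps. */
    int samples[][2] = { { 4, 32 }, { 65536, 65536 }, { -1, 8 } };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        int rc = cpumaps_size(samples[i][0], samples[i][1], &n);
        printf("maxinfo=%d maplen=%d unchecked=%d checked=%s size=%zu\n",
               samples[i][0], samples[i][1],
               unchecked_size(samples[i][0], samples[i][1]),
               rc == 0 ? "ok" : "rejected", n);
    }
    return 0;
}
```

The second sample shows why the check matters: the unchecked product wraps to 0, so a buffer sized from it is far smaller than the number of entries the caller asked to have filled.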

Comment 3 Petr Matousek 2011-06-28 11:27:21 UTC
Created libvirt tracking bugs for this issue

Affects: fedora-all [bug 717204]

Comment 5 errata-xmlrpc 2011-07-21 10:31:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1019 https://rhn.redhat.com/errata/RHSA-2011-1019.html

Comment 6 errata-xmlrpc 2011-07-21 12:30:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1019 https://rhn.redhat.com/errata/RHSA-2011-1019.html

Comment 7 errata-xmlrpc 2011-08-23 14:40:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1197 https://rhn.redhat.com/errata/RHSA-2011-1197.html

Comment 8 Eric Blake 2012-10-04 16:48:19 UTC
Any reason this bug is still marked NEW when all dependent bugs have been closed?

Comment 9 Petr Matousek 2012-10-04 20:14:28 UTC
(In reply to comment #8)
> Any reason this bug is still marked NEW when all dependent bugs have been
> closed?

No reason, we can close this bug now. Thanks Eric.