Bug 844745
| Summary: | CVE-2012-3445 libvirt: crash in virTypedParameterArrayClear [fedora-all] | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Petr Matousek <pmatouse> |
| Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 16 | CC: | berrange, clalancette, dougsland, eblake, itamar, jforbes, jyang, laine, libvirt-maint, veillard, virt-maint |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Release Note | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-08-22 21:11:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 844734 | ||
|
Description
Petr Matousek
2012-07-31 15:39:48 UTC
I've gone ahead and backported this commit:
commit 6039a2cb49c8af4c68460d2faf365a7e1c686c7b
Author: Jiri Denemark <jdenemar>
Date: Mon Jul 30 12:14:54 2012 +0200
daemon: Fix crash in virTypedParameterArrayClear
Daemon uses the following pattern when dispatching APIs with typed
parameters:
VIR_ALLOC_N(params, nparams);
virDomain*(dom, params, &nparams, flags);
virTypedParameterArrayClear(params, nparams);
In case nparams was originally set to 0, virDomain* API would fill it
with the number of typed parameters it can provide and we would use this
number (rather than zero) to clear params. Because VIR_ALLOC* returns
non-NULL pointer even if size is 0, the code would end up walking
through random memory. If we were lucky enough and the memory contained
7 (VIR_TYPED_PARAM_STRING) at the right place, we would try to free a
random pointer and crash.
Let's make sure params stays NULL when nparams is 0.
into v0.9.{6,11}-maint, which means the next release cut from those two branches will fix F16 and F17. Rawhide will be fixed when it rebases to 0.10.0-rc0 or newer. Therefore, I'm moving this to POST.
libvirt-0.9.6.2-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/libvirt-0.9.6.2-1.fc16 Package libvirt-0.9.6.2-1.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing libvirt-0.9.6.2-1.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-11843/libvirt-0.9.6.2-1.fc16 then log in and leave karma (feedback). libvirt-0.9.6.2-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. |