Bug 857133 (CVE-2012-4423)

Summary: CVE-2012-4423 libvirt: null function pointer invocation in virNetServerProgramDispatchCall()
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: acathrow, berrange, bsarathy, clalancette, cwei, dyuan, eblake, itamar, jforbes, jyang, laine, libvirt-maint, mzhan, veillard, virt-maint
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20120724,reported=20120913,source=redhat,cvss2=3.3/AV:A/AC:L/Au:N/C:N/I:N/A:P,rhel-5/libvirt=notaffected,rhel-6/libvirt=affected,fedora-all/libvirt=affected
Doc Type: Bug Fix
Last Closed: 2013-08-24 09:57:38 EDT
Bug Depends On: 842947, 857134, 857135
Bug Blocks: 857152, 861008

Description Petr Matousek 2012-09-13 12:14:43 EDT
It has been found that sending an RPC message with an event as the RPC number, or an RPC number that falls into a gap in the RPC dispatch table, can lead to libvirtd accessing memory at page zero. A remote attacker could use this flaw to crash libvirtd (DoS).

Proposed upstream fix:
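The failure mode described above, as an added example that is not libvirt's code: a hypothetical, simplified RPC dispatch table in which gaps and event entries hold a NULL handler, with an unchecked dispatcher beside one that refuses such numbers before touching the pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model of an RPC dispatch table with the
 * shape the report describes; not libvirt's actual code. */
typedef int (*proc_fn)(void);

struct proc_entry {
    proc_fn func;   /* NULL for gaps in the numbering */
    int is_event;   /* event messages have no call handler */
};

static int handle_ping(void) { return 1; }
static int handle_info(void) { return 2; }

/* Constructed table: 0 = ping, 1 = gap, 2 = info, 3 = event. */
static const struct proc_entry table[] = {
    { handle_ping, 0 },
    { NULL,        0 },
    { handle_info, 0 },
    { NULL,        1 },
};
#define NPROCS (sizeof(table) / sizeof(table[0]))

/* Unchecked dispatch: bounds check only. Slots 1 (gap) and 3 (event)
 * hold NULL, so a message naming either number calls address zero and
 * the daemon crashes. Kept for contrast; only safe for procs 0 and 2. */
int dispatch_unchecked(unsigned proc)
{
    if (proc >= NPROCS)
        return -1;
    return table[proc].func();
}

/* Checked dispatch: reject out-of-range numbers, gaps and events before
 * the pointer is ever used. Returns the handler's result (positive here)
 * or -1 when the request is refused. */
int dispatch_checked(unsigned proc)
{
    if (proc >= NPROCS || table[proc].is_event || table[proc].func == NULL)
        return -1;
    return table[proc].func();
}

int main(void)
{
    printf("proc 2 -> %d, proc 3 -> %d, proc 1 -> %d\n",
           dispatch_checked(2), dispatch_checked(3), dispatch_checked(1));
    return 0;
}
```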
Comment 1 Petr Matousek 2012-09-13 12:15:39 EDT

The versions of libvirt as shipped with Red Hat Enterprise Linux 5 are not affected.

This issue did affect the versions of the libvirt package as shipped with Red Hat Enterprise Linux 6.
Comment 3 Petr Matousek 2012-09-13 12:17:55 EDT
Created libvirt tracking bugs for this issue

Affects: fedora-all [bug 857135]
Comment 4 Murray McAllister 2012-09-17 23:45:54 EDT

This issue was discovered by Wenlong Huang of the Red Hat Virtualization QE Team.
Comment 5 errata-xmlrpc 2012-10-11 09:24:23 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1359 https://rhn.redhat.com/errata/RHSA-2012-1359.html