Bug 953107 (CVE-2013-1962)

Summary: CVE-2013-1962 libvirt: DoS (max count of open files exhaustion) due sockets leak in the storage pool
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: acathrow, berrange, dyasny, eblake, jdenemar, jtomko, pmatouse, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20130516,reported=20130412,source=redhat,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P,rhel-5/libvirt=notaffected,rhel-6/libvirt=affected,fedora-all/libvirt=affected
Doc Type: Bug Fix
Last Closed: 2013-05-16 16:56:20 EDT
Bug Depends On: 947044, 952780, 957585, 961593, 963789
Bug Blocks: 953122
Attachments:
Proposed patch from Jan Tomko to correct the deficiency (flags: none)

Description Jan Lieskovsky 2013-04-17 07:43:18 EDT
A denial of service flaw was found in the way the storage pool manager of libvirt, a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes), performed management of socket file descriptors when a 'to list all volumes for the particular pool' request was issued (two socket file descriptors were leaked per "list all pool volumes" request). An unprivileged user could use this flaw to cause a denial of service (make the libvirtd daemon exhaust / reach the maximum count of open file descriptors the libvirtd daemon process was allowed to open, possibly preventing other users from using libvirtd services until the libvirtd daemon was restarted).

Acknowledgements:

Red Hat would like to thank Edoardo Comar of IBM for reporting this issue.
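
Added example (not part of the original report and not libvirt code): one way to watch a daemon such as libvirtd for the descriptor growth described above, by comparing two snapshots of /proc/<pid>/fd link targets against the soft "Max open files" limit from /proc/<pid>/limits. The function names, the 0.8 warning ratio and the sample data are assumptions made for this illustration.

```python
import os
import re

def parse_soft_nofile(limits_text):
    """Return the soft 'Max open files' limit from /proc/<pid>/limits text."""
    for line in limits_text.splitlines():
        m = re.match(r"Max open files\s+(\S+)\s+(\S+)", line)
        if m:
            return None if m.group(1) == "unlimited" else int(m.group(1))
    raise ValueError("no 'Max open files' row found")

def socket_inodes(fd_targets):
    """Collect socket inode numbers from readlink() targets of /proc/<pid>/fd/*."""
    hits = (re.fullmatch(r"socket:\[(\d+)\]", t) for t in fd_targets)
    return {int(m.group(1)) for m in hits if m}

def assess(baseline, current, limits_text, warn_ratio=0.8):
    """Compare two fd snapshots of one process and flag exhaustion risk."""
    soft = parse_soft_nofile(limits_text)
    new_sockets = socket_inodes(current) - socket_inodes(baseline)
    ratio = None if soft is None else len(current) / soft
    return {
        "open_fds": len(current),
        "soft_limit": soft,
        "new_sockets": len(new_sockets),  # sockets opened since baseline, still open
        "alert": ratio is not None and ratio >= warn_ratio,
    }

def snapshot(pid):
    """Read live fd link targets for a pid (needs read access to /proc/<pid>/fd)."""
    targets = []
    for name in os.listdir(f"/proc/{pid}/fd"):
        try:
            targets.append(os.readlink(f"/proc/{pid}/fd/{name}"))
        except OSError:
            continue  # fd was closed between listdir() and readlink()
    return targets

# Constructed sample data, not captured from a real libvirtd process.
SAMPLE_LIMITS = (
    "Limit                     Soft Limit           Hard Limit           Units\n"
    "Max open files            1024                 4096                 files\n"
)
SAMPLE_BASELINE = ["/dev/null", "socket:[1001]", "socket:[1002]", "/var/log/sample.log"]
SAMPLE_CURRENT = SAMPLE_BASELINE + [f"socket:[{2000 + i}]" for i in range(900)]

if __name__ == "__main__":
    print(assess(SAMPLE_BASELINE, SAMPLE_CURRENT, SAMPLE_LIMITS))
```

On a live host, pass two `snapshot(pid)` results taken some minutes apart together with the contents of /proc/<pid>/limits; a steadily rising `new_sockets` count on an otherwise idle daemon points at a leak rather than load.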
Comment 3 Jan Lieskovsky 2013-04-17 07:57:51 EDT
Created attachment 736816
Proposed patch from Jan Tomko to correct the deficiency
Comment 4 Jan Lieskovsky 2013-04-17 08:09:07 EDT
This issue did NOT affect the version of the libvirt package, as shipped with Red Hat Enterprise Linux 5.

--

This issue affects the version of the libvirt package, as shipped with Red Hat Enterprise Linux 6.

--

This issue did NOT affect the version of the libvirt package, as shipped with Fedora release of 17 (as it did NOT support the StoragePoolListAllVolumes API yet).

This issue affects the version of the libvirt package, as shipped with Fedora release of 18.
Comment 5 Jan Lieskovsky 2013-04-17 08:22:49 EDT
The CVE identifier of CVE-2013-1962 has been assigned to this issue.
Comment 9 Petr Matousek 2013-05-16 10:15:54 EDT
Upstream patch:

https://www.redhat.com/archives/libvir-list/2013-May/msg01222.html
Comment 10 errata-xmlrpc 2013-05-16 10:34:25 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0831 https://rhn.redhat.com/errata/RHSA-2013-0831.html
Comment 11 Petr Matousek 2013-05-16 10:35:46 EDT
Created libvirt tracking bugs for this issue

Affects: fedora-all [bug 963789]