Bug 980112 (CVE-2013-2218)

Daniel P. Berrange reported:

"As non-root, simply run:

  # virsh -c qemu:///system --readonly iface-list --inactive                                                                                                                                                   

The libvirtd daemon will crash with one of a number of different
stack traces, for example:

*** Error in `/home/berrange/src/virt/libvirt/daemon/.libs/lt-libvirtd': invalid fastbin entry (free): 0x00007f03fc02a1b0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x3cd5e7cef8)[0x7f0425cf7ef8]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virFree+0x2e)[0x7f04293fd79e]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virLogVMessage+0x37d)[0x7f042942384d]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virLogMessage+0x97)[0x7f0429423b27]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virObjectUnref+0x65)[0x7f04294324d5]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virIdentitySetCurrent+0x35)[0x7f042941ae25]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(virNetServerProgramDispatch+0x392)[0x7f0429539be2]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(+0x195d68)[0x7f0429533d68]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(+0xa62e5)[0x7f04294442e5]
/home/berrange/src/virt/libvirt/src/.libs/libvirt.so.0(+0xa594e)[0x7f042944394e]
/lib64/libpthread.so.0(+0x3cd6207c53)[0x7f0426449c53]
/lib64/libc.so.6(clone+0x6d)[0x7f0425d6fecd]

Looking at the code, we have a double-free of the 'struct netcf_if'
object when any of the filtering flags are set. Hence this only
happens if you pass  '--inactive' to virsh."

Upstream fix:

http://libvirt.org/git/?p=libvirt.git;a=commit;h=244e0b8cf15ca2ef48d82058e728656e6c4bad11

Acknowledgements:

This issue was discovered by Daniel P. Berrange of Red Hat.