The 'stats' variable in the remoteDispatchDomainMemoryStats function was not initialized to NULL, so if some early validation of the RPC call fails, it is possible to jump to the 'cleanup' label and VIR_FREE an uninitialized pointer. A remote user able to issue commands to the libvirt daemon could use this flaw to crash libvirtd.

Acknowledgements: This issue was discovered by Daniel P. Berrange of Red Hat.
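The pattern described above, as an added example that is not libvirt's code or the upstream patch: a dispatcher with a single 'cleanup' exit whose pointer is NULL-initialized, so an early validation failure frees nothing. The names dispatch_memory_stats, tracked_free, mem_stat and MAX_STATS are hypothetical, and the validation rule and sample values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_STATS 8   /* constructed limit, not libvirt's value */
struct mem_stat { int tag; unsigned long long val; };
static int cleanup_saw_null = -1;   /* 1 when cleanup was handed NULL */

/* Stand-in for VIR_FREE: release the pointer, then reset it to NULL. */
static void tracked_free(struct mem_stat **p)
{
    cleanup_saw_null = (*p == NULL);
    free(*p);                       /* free(NULL) is a defined no-op */
    *p = NULL;
}

/* Hypothetical dispatcher using the single-exit 'cleanup' pattern.
 * Returns the number of entries written to out, or -1 on error. */
int dispatch_memory_stats(unsigned int requested, struct mem_stat *out)
{
    /* Flawed form: "struct mem_stat *stats;" holds stack garbage, which the
     * early 'goto cleanup' below would pass straight to free(). */
    struct mem_stat *stats = NULL;
    int rv = -1;

    if (requested == 0 || requested > MAX_STATS)   /* early validation */
        goto cleanup;                              /* nothing allocated yet */

    stats = calloc(requested, sizeof(*stats));
    if (!stats)
        goto cleanup;

    for (unsigned int i = 0; i < requested; i++) { /* constructed sample data */
        stats[i].tag = (int)i;
        stats[i].val = 1024ULL * (i + 1);
        out[i] = stats[i];
    }
    rv = (int)requested;

cleanup:
    tracked_free(&stats);
    return rv;
}

int main(void)
{
    struct mem_stat out[MAX_STATS];
    printf("oversized request: %d\n", dispatch_memory_stats(MAX_STATS + 1, out));
    printf("valid request:     %d\n", dispatch_memory_stats(3, out));
    return 0;
}
```

Building the flawed form with -Wall (GCC's -Wmaybe-uninitialized, usually with optimization enabled) or running it under valgrind is a quick way to catch this class of bug in review.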
Upstream commit: http://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f400a110e2e3673b96518170bfea0855dd82c0
Created libvirt tracking bugs for this issue: Affects: fedora-all [bug 1009667]
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2013:1272 https://rhn.redhat.com/errata/RHSA-2013-1272.html
libvirt-0.10.2.8-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
libvirt-1.0.5.6-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
libvirt-1.1.3-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.