Debian Libvirt vulnerabilities

CVE-2013-6458 [MEDIUM] CVE-2013-6458: libvirt - Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockIn... Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInf, (3) qemuDomainBlockJobImpl, and (4) virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly verify that the disk is attached, which allows remote read-only attackers to cause a denial of service (libvirtd crash) via the virDomainDetachDeviceFlags command. Scope: loca

CVE-2013-4399 [MEDIUM] CVE-2013-4399: libvirt - The remoteClientFreeFunc function in daemon/remote.c in libvirt before 1.1.3, wh... The remoteClientFreeFunc function in daemon/remote.c in libvirt before 1.1.3, when ACLs are used, does not set an identity, which causes event handler removal to be denied and remote attackers to cause a denial of service (use-after-free and crash) by registering an event handler and then closing the connection. Scope: local bookworm: resolved (fixed in 1.1.4-1) bul

CVE-2013-4296 [MEDIUM] CVE-2013-4296: libvirt - The remoteDispatchDomainMemoryStats function in daemon/remote.c in libvirt 0.9.1... The remoteDispatchDomainMemoryStats function in daemon/remote.c in libvirt 0.9.1 through 0.10.1.x, 0.10.2.x before 0.10.2.8, 1.0.x before 1.0.5.6, and 1.1.x before 1.1.2 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and crash) via a crafted RPC call. Scope: local bookworm: resolved (fixed in 1.1.4-1) bullseye: reso

CVE-2013-2218 [MEDIUM] CVE-2013-2218: libvirt - Double free vulnerability in the virConnectListAllInterfaces method in interface... Double free vulnerability in the virConnectListAllInterfaces method in interface/interface_backend_netcf.c in libvirt 1.0.6 allows remote attackers to cause a denial of service (libvirtd crash) via a filtering flag that causes an interface to be skipped, as demonstrated by the "virsh iface-list --inactive" command. Scope: local bookworm: resolved (fixed in 1.1.0-1)

CVE-2013-4291 [MEDIUM] CVE-2013-4291: libvirt - The virSecurityManagerSetProcessLabel function in libvirt 0.10.2.7, 1.0.5.5, and... The virSecurityManagerSetProcessLabel function in libvirt 0.10.2.7, 1.0.5.5, and 1.1.1, when the domain has read an uid:gid label, does not properly set group memberships, which allows local users to gain privileges. Scope: local bookworm: resolved (fixed in 1.1.2-2) bullseye: resolved (fixed in 1.1.2-2) forky: resolved (fixed in 1.1.2-2) sid: resolved (fixed in 1.1

CVE-2013-6456 [MEDIUM] CVE-2013-6456: libvirt - The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local us... The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot

CVE-2013-4154 [MEDIUM] CVE-2013-4154: libvirt - The qemuAgentCommand function in libvirt before 1.1.1, when a guest agent is not... The qemuAgentCommand function in libvirt before 1.1.1, when a guest agent is not configured, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to "agent based cpu (un)plug," as demonstrated by the "virsh vcpucount foobar --guest" command. Scope: local bookworm: resolved (fixed in 1.1.0-4) bullseye: resolved

CVE-2013-1962 [MEDIUM] CVE-2013-1962: libvirt - The remoteDispatchStoragePoolListAllVolumes function in the storage pool manager... The remoteDispatchStoragePoolListAllVolumes function in the storage pool manager in libvirt 1.0.5 allows remote attackers to cause a denial of service (file descriptor consumption) via a large number of requests "to list all volumes for the particular pool." Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2013-4292 [LOW] CVE-2013-4292: libvirt - libvirt 1.1.0 and 1.1.1 allows local users to cause a denial of service (memory ... libvirt 1.1.0 and 1.1.1 allows local users to cause a denial of service (memory consumption) via a large number of domain migrate parameters in certain RPC calls in (1) daemon/remote.c and (2) remote/remote_driver.c. Scope: local bookworm: resolved (fixed in 1.1.2~rc2-1) bullseye: resolved (fixed in 1.1.2~rc2-1) forky: resolved (fixed in 1.1.2~rc2-1) sid: resolved (fix

CVE-2013-7336 [LOW] CVE-2013-7336: libvirt - The qemuMigrationWaitForSpice function in qemu/qemu_migration.c in libvirt befor... The qemuMigrationWaitForSpice function in qemu/qemu_migration.c in libvirt before 1.1.3 does not properly enter a monitor when performing seamless SPICE migration, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) by causing domblkstat to be called at the same time as the qemuMonitorGetSpiceMigrationStatus function. Sco

CVE-2013-1766 [LOW] CVE-2013-1766: libvirt - libvirt 1.0.2 and earlier sets the group owner to kvm for device files, which al... libvirt 1.0.2 and earlier sets the group owner to kvm for device files, which allows local users to write to these files via unspecified vectors. Scope: local bookworm: resolved (fixed in 0.9.12-8) bullseye: resolved (fixed in 0.9.12-8) forky: resolved (fixed in 0.9.12-8) sid: resolved (fixed in 0.9.12-8) trixie: resolved (fixed in 0.9.12-8)

CVE-2013-4311 [HIGH] CVE-2013-4311: libvirt - libvirt 1.0.5.x before 1.0.5.6, 0.10.2.x before 0.10.2.8, and 0.9.12.x before 0.... libvirt 1.0.5.x before 1.0.5.6, 0.10.2.x before 0.10.2.8, and 0.9.12.x before 0.9.12.2 allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition in pkcheck via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288. Scope: local bookworm: resolved (fixed in 1.1.3~rc1-1) bullseye: reso

CVE-2013-6436 [LOW] CVE-2013-6436: libvirt - The lxcDomainGetMemoryParameters method in lxc/lxc_driver.c in libvirt 1.0.5 thr... The lxcDomainGetMemoryParameters method in lxc/lxc_driver.c in libvirt 1.0.5 through 1.2.0 does not properly check the status of LXC guests when reading memory tunables, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) via a guest in the shutdown status, as demonstrated by the "virsh memtune" command. Scope: local book

CVE-2012-4423 [MEDIUM] CVE-2012-4423: libvirt - The virNetServerProgramDispatchCall function in libvirt before 0.10.2 allows rem... The virNetServerProgramDispatchCall function in libvirt before 0.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and segmentation fault) via an RPC call with (1) an event as the RPC number or (2) an RPC number whose value is in a "gap" in the RPC dispatch table. Scope: local bookworm: resolved (fixed in 0.9.12-5) bullseye: resolve

CVE-2012-3445 [LOW] CVE-2012-3445: libvirt - The virTypedParameterArrayClear function in libvirt 0.9.13 does not properly han... The virTypedParameterArrayClear function in libvirt 0.9.13 does not properly handle virDomain* API calls with typed parameters, which might allow remote authenticated users to cause a denial of service (libvirtd crash) via an RPC command with nparams set to zero, which triggers an out-of-bounds read or a free of an invalid pointer. Scope: local bookworm: resolved (fixe

CVE-2012-2693 [LOW] CVE-2012-2693: libvirt - libvirt, possibly before 0.9.12, does not properly assign USB devices to virtual... libvirt, possibly before 0.9.12, does not properly assign USB devices to virtual machines when multiple devices have the same vendor and product ID, which might cause the wrong device to be associated with a guest and might allow local users to access unintended USB devices. Scope: local bookworm: resolved (fixed in 0.9.12-1) bullseye: resolved (fixed in 0.9.12-1) fork

CVE-2011-2178 [MEDIUM] CVE-2011-2178: libvirt - The virSecurityManagerGetPrivateData function in security/security_manager.c in ... The virSecurityManagerGetPrivateData function in security/security_manager.c in libvirt 0.8.8 through 0.9.1 uses the wrong argument for a sizeof call, which causes incorrect processing of "security manager private data" that "reopens disk probing" and might allow guest OS users to read arbitrary files on the host OS. NOTE: this vulnerability exists because of a CVE-

CVE-2011-2511 [MEDIUM] CVE-2011-2511: libvirt - Integer overflow in libvirt before 0.9.3 allows remote authenticated users to ca... Integer overflow in libvirt before 0.9.3 allows remote authenticated users to cause a denial of service (libvirtd crash) and possibly execute arbitrary code via a crafted VirDomainGetVcpus RPC call that triggers memory corruption. Scope: local bookworm: resolved (fixed in 0.9.2-7) bullseye: resolved (fixed in 0.9.2-7) forky: resolved (fixed in 0.9.2-7) sid: resolved

CVE-2011-1146 [HIGH] CVE-2011-1146: libvirt - libvirt.c in the API in Red Hat libvirt 0.8.8 does not properly restrict operati... libvirt.c in the API in Red Hat libvirt 0.8.8 does not properly restrict operations in a read-only connection, which allows remote attackers to cause a denial of service (host OS crash) or possibly execute arbitrary code via a (1) virNodeDeviceDettach, (2) virNodeDeviceReset, (3) virDomainRevertToSnapshot, (4) virDomainSnapshotDelete, (5) virNodeDeviceReAttach, or (6)

CVE-2011-4600 [MEDIUM] CVE-2011-4600: libvirt - The networkReloadIptablesRules function in network/bridge_driver.c in libvirt be... The networkReloadIptablesRules function in network/bridge_driver.c in libvirt before 0.9.9 does not properly handle firewall rules on bridge networks when libvirtd is restarted, which might allow remote attackers to bypass intended access restrictions via a (1) DNS or (2) DHCP query. Scope: local bookworm: resolved (fixed in 0.9.9-1) bullseye: resolved (fixed in 0.9