Redhat Libvirt vulnerabilities

CVE-2013-4400 [HIGH] CWE-264 CVE-2013-4400: virt-login-shell in libvirt 1.1.2 through 1.1.3 allows local users to overwrite arbitrary files and virt-login-shell in libvirt 1.1.2 through 1.1.3 allows local users to overwrite arbitrary files and possibly gain privileges via unspecified environment variables or command-line arguments.

CVE-2013-4401 [HIGH] CWE-264 CVE-2013-4401: The virConnectDomainXMLToNative API function in libvirt 1.1.0 through 1.1.3 checks for the connect:r The virConnectDomainXMLToNative API function in libvirt 1.1.0 through 1.1.3 checks for the connect:read permission instead of the connect:write permission, which allows attackers to gain domain:write privileges and execute Qemu binaries via crafted XML. NOTE: some of these details are obtained from third party information.

CVE-2013-4311 [MEDIUM] CVE-2013-4311: libvirt 1.0.5.x before 1.0.5.6, 0.10.2.x before 0.10.2.8, and 0.9.12.x before 0.9.12.2 allows local libvirt 1.0.5.x before 1.0.5.6, 0.10.2.x before 0.10.2.8, and 0.9.12.x before 0.9.12.2 allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition in pkcheck via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.

CVE-2013-5651 [MEDIUM] CWE-119 CVE-2013-5651: The virBitmapParse function in util/virbitmap.c in libvirt before 1.1.2 allows context-dependent att The virBitmapParse function in util/virbitmap.c in libvirt before 1.1.2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a crafted bitmap, as demonstrated by a large nodeset value to numatune.

CVE-2013-4153 [MEDIUM] CWE-399 CVE-2013-4153: Double free vulnerability in the qemuAgentGetVCPUs function in qemu/qemu_agent.c in libvirt 1.0.6 th Double free vulnerability in the qemuAgentGetVCPUs function in qemu/qemu_agent.c in libvirt 1.0.6 through 1.1.0 allows remote attackers to cause a denial of service (daemon crash) via a cpu count request, as demonstrated by the "virsh vcpucount dom --guest" command.

CVE-2013-4239 [MEDIUM] CWE-119 CVE-2013-4239: The xenDaemonListDefinedDomains function in xen/xend_internal.c in libvirt 1.1.1 allows remote authe The xenDaemonListDefinedDomains function in xen/xend_internal.c in libvirt 1.1.1 allows remote authenticated users to cause a denial of service (memory corruption and crash) via vectors involving the virConnectListDefinedDomains API function.

CVE-2013-2218 [MEDIUM] CWE-399 CVE-2013-2218: Double free vulnerability in the virConnectListAllInterfaces method in interface/interface_backend_n Double free vulnerability in the virConnectListAllInterfaces method in interface/interface_backend_netcf.c in libvirt 1.0.6 allows remote attackers to cause a denial of service (libvirtd crash) via a filtering flag that causes an interface to be skipped, as demonstrated by the "virsh iface-list --inactive" command.

CVE-2013-4291 [MEDIUM] CWE-264 CVE-2013-4291: The virSecurityManagerSetProcessLabel function in libvirt 0.10.2.7, 1.0.5.5, and 1.1.1, when the dom The virSecurityManagerSetProcessLabel function in libvirt 0.10.2.7, 1.0.5.5, and 1.1.1, when the domain has read an uid:gid label, does not properly set group memberships, which allows local users to gain privileges.

CVE-2013-2230 [MEDIUM] CWE-20 CVE-2013-2230: The qemu driver (qemu/qemu_driver.c) in libvirt before 1.1.1 allows remote authenticated users to ca The qemu driver (qemu/qemu_driver.c) in libvirt before 1.1.1 allows remote authenticated users to cause a denial of service (daemon crash) via unspecified vectors involving "multiple events registration."

CVE-2013-4296 [MEDIUM] CWE-119 CVE-2013-4296: The remoteDispatchDomainMemoryStats function in daemon/remote.c in libvirt 0.9.1 through 0.10.1.x, 0 The remoteDispatchDomainMemoryStats function in daemon/remote.c in libvirt 0.9.1 through 0.10.1.x, 0.10.2.x before 0.10.2.8, 1.0.x before 1.0.5.6, and 1.1.x before 1.1.2 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and crash) via a crafted RPC call.

CVE-2013-4297 [MEDIUM] CWE-119 CVE-2013-4297: The virFileNBDDeviceAssociate function in util/virfile.c in libvirt 1.1.2 and earlier allows remote The virFileNBDDeviceAssociate function in util/virfile.c in libvirt 1.1.2 and earlier allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and crash) via unspecified vectors.

CVE-2013-4154 [MEDIUM] CVE-2013-4154: The qemuAgentCommand function in libvirt before 1.1.1, when a guest agent is not configured, allows The qemuAgentCommand function in libvirt before 1.1.1, when a guest agent is not configured, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to "agent based cpu (un)plug," as demonstrated by the "virsh vcpucount foobar --guest" command.

CVE-2013-4292 [LOW] CWE-399 CVE-2013-4292: libvirt 1.1.0 and 1.1.1 allows local users to cause a denial of service (memory consumption) via a l libvirt 1.1.0 and 1.1.1 allows local users to cause a denial of service (memory consumption) via a large number of domain migrate parameters in certain RPC calls in (1) daemon/remote.c and (2) remote/remote_driver.c.

CVE-2013-1962 [MEDIUM] CWE-399 CVE-2013-1962: The remoteDispatchStoragePoolListAllVolumes function in the storage pool manager in libvirt 1.0.5 al The remoteDispatchStoragePoolListAllVolumes function in the storage pool manager in libvirt 1.0.5 allows remote attackers to cause a denial of service (file descriptor consumption) via a large number of requests "to list all volumes for the particular pool."

CVE-2013-1766 [LOW] CWE-264 CVE-2013-1766: libvirt 1.0.2 and earlier sets the group owner to kvm for device files, which allows local users to libvirt 1.0.2 and earlier sets the group owner to kvm for device files, which allows local users to write to these files via unspecified vectors.

CVE-2013-0170 [MEDIUM] CWE-416 CVE-2013-0170: Use-after-free vulnerability in the virNetMessageFree function in rpc/virnetserverclient.c in libvir Use-after-free vulnerability in the virNetMessageFree function in rpc/virnetserverclient.c in libvirt 1.0.x before 1.0.2, 0.10.2 before 0.10.2.3, 0.9.11 before 0.9.11.9, and 0.9.6 before 0.9.6.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering certain errors during an RPC connection, which

CVE-2012-4423 [MEDIUM] CVE-2012-4423: The virNetServerProgramDispatchCall function in libvirt before 0.10.2 allows remote attackers to cau The virNetServerProgramDispatchCall function in libvirt before 0.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and segmentation fault) via an RPC call with (1) an event as the RPC number or (2) an RPC number whose value is in a "gap" in the RPC dispatch table.

CVE-2012-3445 [LOW] CWE-399 CVE-2012-3445: The virTypedParameterArrayClear function in libvirt 0.9.13 does not properly handle virDomain* API c The virTypedParameterArrayClear function in libvirt 0.9.13 does not properly handle virDomain* API calls with typed parameters, which might allow remote authenticated users to cause a denial of service (libvirtd crash) via an RPC command with nparams set to zero, which triggers an out-of-bounds read or a free of an invalid pointer.

CVE-2012-2693 [LOW] CWE-264 CVE-2012-2693: libvirt, possibly before 0.9.12, does not properly assign USB devices to virtual machines when multi libvirt, possibly before 0.9.12, does not properly assign USB devices to virtual machines when multiple devices have the same vendor and product ID, which might cause the wrong device to be associated with a guest and might allow local users to access unintended USB devices.

CVE-2011-2511 [MEDIUM] CWE-189 CVE-2011-2511: Integer overflow in libvirt before 0.9.3 allows remote authenticated users to cause a denial of serv Integer overflow in libvirt before 0.9.3 allows remote authenticated users to cause a denial of service (libvirtd crash) and possibly execute arbitrary code via a crafted VirDomainGetVcpus RPC call that triggers memory corruption.