Hello community, here is the log from the commit of package libvirt for openSUSE:12.2 checked in at 2012-08-04 13:22:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2/libvirt (Old) and /work/SRC/openSUSE:12.2/.libvirt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvirt", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:12.2/libvirt/libvirt.changes 2012-07-12 10:48:18.000000000 +0200 +++ /work/SRC/openSUSE:12.2/.libvirt.new/libvirt.changes 2012-08-04 13:23:28.000000000 +0200 @@ -1,0 +2,8 @@ +Wed Aug 1 11:42:58 MDT 2012 - [email protected] + +- daemon: Fix crash in virTypedParameterArrayClear + CVE-2012-3445 + 6039a2cb-CVE-2012-3445.patch + bnc#773955 + +------------------------------------------------------------------- New: ---- 6039a2cb-CVE-2012-3445.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvirt.spec ++++++ --- /var/tmp/diff_new_pack.M9E3tz/_old 2012-08-04 13:23:55.000000000 +0200 +++ /var/tmp/diff_new_pack.M9E3tz/_new 2012-08-04 13:23:55.000000000 +0200 @@ -416,6 +416,7 @@ Patch2: 0dda594d-libvirtd-shutdown-deadlock.patch Patch3: 9c77bf04-fix-virnetserver-refcnt.patch Patch4: 4036aa91-systemd.patch +Patch5: 6039a2cb-CVE-2012-3445.patch # Need to go upstream Patch100: xen-name-for-devid.patch Patch101: clone.patch @@ -556,6 +557,7 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %patch100 -p1 %patch101 %patch102 -p1 ++++++ 6039a2cb-CVE-2012-3445.patch ++++++ commit 6039a2cb49c8af4c68460d2faf365a7e1c686c7b Author: Jiri Denemark <[email protected]> Date: Mon Jul 30 12:14:54 2012 +0200 daemon: Fix crash in virTypedParameterArrayClear Daemon uses the following pattern when dispatching APIs with typed parameters: VIR_ALLOC_N(params, nparams); virDomain*(dom, params, &nparams, flags); virTypedParameterArrayClear(params, nparams); In case nparams was originally set to 0, virDomain* API would fill it with the number of typed parameters it can provide and we would use this number (rather than zero) to clear params. Because VIR_ALLOC* returns non-NULL pointer even if size is 0, the code would end up walking through random memory. If we were lucky enough and the memory contained 7 (VIR_TYPED_PARAM_STRING) at the right place, we would try to free a random pointer and crash. Let's make sure params stays NULL when nparams is 0. Index: libvirt-0.9.11.4/daemon/remote.c =================================================================== --- libvirt-0.9.11.4.orig/daemon/remote.c +++ libvirt-0.9.11.4/daemon/remote.c @@ -964,7 +964,7 @@ remoteDispatchDomainGetSchedulerParamete virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; } - if (VIR_ALLOC_N(params, nparams) < 0) + if (nparams && VIR_ALLOC_N(params, nparams) < 0) goto no_memory; if (!(dom = get_nonnull_domain(priv->conn, args->dom))) @@ -1019,7 +1019,7 @@ remoteDispatchDomainGetSchedulerParamete virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; } - if (VIR_ALLOC_N(params, nparams) < 0) + if (nparams && VIR_ALLOC_N(params, nparams) < 0) goto no_memory; if (!(dom = get_nonnull_domain(priv->conn, args->dom))) @@ -1200,7 +1200,7 @@ remoteDispatchDomainBlockStatsFlags(virN virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; } - if (VIR_ALLOC_N(params, nparams) < 0) { + if (nparams && VIR_ALLOC_N(params, nparams) < 0) { virReportOOMError(); goto cleanup; } @@ -1674,7 +1674,7 @@ remoteDispatchDomainGetMemoryParameters( virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; } - if (VIR_ALLOC_N(params, nparams) < 0) { + if (nparams && VIR_ALLOC_N(params, nparams) < 0) { virReportOOMError(); goto cleanup; } @@ -1739,7 +1739,7 @@ remoteDispatchDomainGetNumaParameters(vi virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; } - if (VIR_ALLOC_N(params, nparams) < 0) { + if (nparams && VIR_ALLOC_N(params, nparams) < 0) { virReportOOMError(); goto cleanup; } @@ -1804,7 +1804,7 @@ remoteDispatchDomainGetBlkioParameters(v virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; } - if (VIR_ALLOC_N(params, nparams) < 0) { + if (nparams && VIR_ALLOC_N(params, nparams) < 0) { virReportOOMError(); goto cleanup; } @@ -2064,7 +2064,7 @@ remoteDispatchDomainGetBlockIoTune(virNe goto cleanup; } - if (VIR_ALLOC_N(params, nparams) < 0) { + if (nparams && VIR_ALLOC_N(params, nparams) < 0) { virReportOOMError(); goto cleanup; } @@ -3563,7 +3563,7 @@ remoteDispatchDomainGetInterfaceParamete virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); goto cleanup; } - if (VIR_ALLOC_N(params, nparams) < 0) { + if (nparams && VIR_ALLOC_N(params, nparams) < 0) { virReportOOMError(); goto cleanup; } -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
