Your message dated Tue, 21 Jan 2014 21:17:31 +0000
with message-id <[email protected]>
and subject line Bug#734556: fixed in libvirt 0.9.12.3-1
has caused the Debian Bug report #734556,
regarding libvirt: CVE-2013-6458: qemu: job usage issue in several APIs leading
to libvirtd crash
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
734556: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734556
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libvirt
Severity: grave
Tags: security upstream patch fixed-upstream
Hi Guido,
Disclaimer: I have not checked to reproduce the crash, just shortly
checked latest unstable version. Have set grave as per "[...] could
allow an attacker who is able to establish a read-only connection to
libvirtd to crash libvirtd".
the following vulnerability was published for libvirt.
CVE-2013-6458[0]:
job usage issue in several APIs leading to libvirtd crash
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6458
http://security-tracker.debian.org/tracker/CVE-2013-6458
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1048631
[2] http://libvirt.org/git/?p=libvirt.git;a=commit;h=db86da5ca2109e4006c286a09b6c75bfe10676ad (upstream fix)
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libvirt
Source-Version: 0.9.12.3-1
We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guido Günther <[email protected]> (supplier of updated libvirt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 16 Jan 2014 11:05:59 +0100
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev python-libvirt
Architecture: source all i386
Version: 0.9.12.3-1
Distribution: stable-security
Urgency: medium
Maintainer: Debian Libvirt Maintainers <[email protected]>
Changed-By: Guido Günther <[email protected]>
Description:
libvirt-bin - programs for the libvirt library
libvirt-dev - development files for the libvirt library
libvirt-doc - documentation for the libvirt library
libvirt0 - library for interfacing with different virtualization systems
libvirt0-dbg - library for interfacing with different virtualization systems
python-libvirt - libvirt Python bindings
Closes: 729331 734556
Changes:
libvirt (0.9.12.3-1) stable-security; urgency=medium
.
* [0a01d0a] New upstream version 0.9.12.3
Fixes CVE-2013-6458 and CVE-2014-1447
(Closes: #734556)
* [43817d5] Don't fail chmod/chdir if a file doesn't exist.
* [753faf6] Check correct dirs for existence (Closes: #729331)
* [3ed9278] Update symbols
.
libvirt (0.9.12.2-1) wheezy-proposed-updates; urgency=low
.
* [77a7135] Adjust gbp.conf for Wheezy point releases
* [b457e3f] New upstream version 0.9.12.1
* [ae6e265] New upstream version 0.9.12.2
* [2d07b5c] Drop patches fixed upstream.
Include-stdint.h-for-uint32_t.patch
Revert-rpc-Discard-non-blocking-calls-only-when-nece.patch
fix-leak-virStorageBackendLogicalMakeVol.patch
qemu-Add-support-for-no-user-config.patch
qemu-Fix-off-by-one-error-while-unescaping-monitor-s.patch
rpc-Fix-crash-on-error-paths-of-message-dispatching.patch
security/CVE-2012-3445.patch
security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch
security/security-Fix-libvirtd-crash-possibility.patch
upstream/Fix-libvirtd-crash-when-destroying-a-domain-with-att.patch
upstream/Fix-race-condition-when-destroying-guests.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iD8DBQFS2Fbkn88szT8+ZCYRAmPUAJ9w4AQDJdRuauPAyyhGcHjCGwaWEACfRgMP
fz6S7i0qXXYr19S9A83Viks=
=KFx/
-----END PGP SIGNATURE-----
--- End Message ---