Peter Krempa wrote:
> On 01/28/13 19:58, Eric Blake wrote:
>> On 01/28/2013 11:35 AM, Peter Krempa wrote:
>>> When reading and dispatching of a message failed the message was freed
>>> but wasn't removed from the message queue.
>>>
>>> After that when the connection was about to be closed the pointer for
>>> the message was still present in the queue and it was passed to
>>> virNetMessageFree which tried to call the callback function from an
>>> uninitialized pointer.
>>>
>>> This patch removes the message from the queue before it's freed.
>>
>> Mention CVE-2013-0170 in the commit message, now that it is public:
>> https://bugzilla.redhat.com/show_bug.cgi?id=893450
>>
>>>
>>> * rpc/virnetserverclient.c: virNetServerClientDispatchRead:
>>> - avoid use after free of RPC messages
>>> ---
>>> src/rpc/virnetserverclient.c | 3 +++
>>> 1 file changed, 3 insertions(+)
>>
>> ACK. Looks like we need this on {v0.10.2,v0.9.11,v0.9.6}-maint as well.
>
> Thanks. I added the CVE notice and pushed to upstream and the v0.10.2
> and v0.9.11 maint branches. v0.9.6 is not vulnerable. The problem was
> introduced in 0.9.7
Hi Peter,

Looks like 0.9.6 was vulnerable since this made its way to the v0.9.6-maint branch as well. Do you happen to know when this was introduced?

Thanks,
Jim

--
libvir-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libvir-list
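The ordering the commit message above describes (take the message out of the queue before freeing it, so the connection-close path never meets a dangling queue entry whose free callback it would then invoke) is shown here as an added example; it is not libvirt's code and not the patch under discussion. The `msg`, `client`, `queue_pop`, `client_dispatch_read` and `client_close` names and the free-callback-on-free behaviour are assumptions modelled only loosely on the thread's description. The scenario queues three messages, makes the second one fail to dispatch, then closes the connection and counts how many times a free callback ran: with unlink-before-free every message is freed exactly once.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical queued RPC message with a free callback, loosely modelled on the
 * thread's description; this is not libvirt's virNetMessage. */
typedef struct msg msg;
struct msg {
    msg *next;
    void (*cb)(msg *m, void *opaque);  /* run by msg_free() when set */
    void *opaque;
    int id;                            /* negative id = simulated dispatch failure */
};

/* Hypothetical per-connection state: a FIFO of pending messages. */
typedef struct {
    msg *head;
    msg **tail;
    int freed_by_close;                /* messages released by client_close() */
} client;

typedef struct { int callbacks; int freed_by_close; } scenario_result;

static int cb_calls;                   /* how many times any free callback ran */

static void count_cb(msg *m, void *opaque) { (void)m; (void)opaque; cb_calls++; }

static void client_init(client *c) { c->head = NULL; c->tail = &c->head; c->freed_by_close = 0; }

static msg *msg_new(int id)
{
    msg *m = calloc(1, sizeof *m);
    if (!m) abort();
    m->id = id;
    m->cb = count_cb;
    return m;
}

/* Freeing runs the callback, which is why a message must never stay reachable
 * from the queue after it has been freed. */
static void msg_free(msg *m)
{
    if (!m) return;
    if (m->cb) m->cb(m, m->opaque);
    free(m);
}

static void queue_push(client *c, msg *m) { m->next = NULL; *c->tail = m; c->tail = &m->next; }

/* Unlink and return the head message, or NULL when the queue is empty. */
static msg *queue_pop(client *c)
{
    msg *m = c->head;
    if (!m) return NULL;
    c->head = m->next;
    if (!c->head) c->tail = &c->head;
    m->next = NULL;
    return m;
}

/* Stand-in for reading and dispatching; fails on negative ids. */
static int dispatch(const msg *m) { return m->id < 0 ? -1 : 0; }

/* Process the head message. It is unlinked BEFORE any free, so the error path
 * cannot leave a dangling pointer behind for client_close() to free again. */
static int client_dispatch_read(client *c)
{
    msg *m = queue_pop(c);
    if (!m) return 0;
    if (dispatch(m) < 0) {
        msg_free(m);                   /* freed once, already out of the queue */
        return -1;
    }
    msg_free(m);                       /* consumed normally */
    return 0;
}

/* Release everything still queued when the connection goes away. */
static void client_close(client *c)
{
    msg *m;
    while ((m = queue_pop(c)) != NULL) {
        msg_free(m);
        c->freed_by_close++;
    }
}

/* Constructed scenario: three queued messages, the second fails to dispatch.
 * Each message must be freed exactly once, so exactly three callbacks run. */
scenario_result run_scenario(void)
{
    client c;
    scenario_result r;
    client_init(&c);
    cb_calls = 0;
    queue_push(&c, msg_new(1));
    queue_push(&c, msg_new(-2));
    queue_push(&c, msg_new(3));
    client_dispatch_read(&c);          /* id 1: dispatched */
    client_dispatch_read(&c);          /* id -2: fails, unlinked then freed */
    client_close(&c);                  /* only id 3 remains */
    r.callbacks = cb_calls;
    r.freed_by_close = c.freed_by_close;
    return r;
}

int main(void)
{
    scenario_result r = run_scenario();
    printf("callbacks run: %d, freed by close: %d\n", r.callbacks, r.freed_by_close);
    return (r.callbacks == 3 && r.freed_by_close == 1) ? 0 : 1;
}
```

If the error path in `client_dispatch_read` freed the message without first calling `queue_pop`, the later `client_close` would pop the same pointer again and `msg_free` would read the callback field from released memory, which is the failure mode the commit message describes. Building with AddressSanitizer (`-fsanitize=address`) makes that ordering mistake visible immediately in a test like the one above.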
