Arch Linux Security Advisory ASA-201409-5
=========================================

Severity: Medium
Date    : 2014-09-29
CVE-ID  : CVE-2014-3633
Package : libvirt
Type    : out-of-bounds read access
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package libvirt before version 1.2.8-2 is vulnerable to an out-of-bounds read access in qemuDomainGetBlockIoTune().

Resolution
==========

Upgrade to 1.2.8-2.

# pacman -Syu "libvirt>=1.2.8-2"

The problem has been fixed upstream [0] but no release is available yet.

Workaround
==========

The out-of-bounds access is only possible on domains that have had disks hot-plugged or removed from the live image without also updating the persistent definition to match; keeping the two definitions matched or using only transient domains will avoid the problem. Denying access to the read-only libvirt socket will avoid the potential for a denial-of-service attack, but will not prevent the out-of-bounds access from causing a crash for a privileged client, although such a crash is no longer a security problem.

Description
===========

Luyao Huang of Red Hat found that the qemu implementation of virDomainGetBlockIoTune computed an index into the array of disks for the live definition, then used it as the index into the array of disks for the persistent definition, which could result in an out-of-bounds read access in qemuDomainGetBlockIoTune().

Impact
======

A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process.

References
==========

[0] http://libvirt.org/git/?p=libvirt.git;a=commit;h=3e745e8f775dfe6f64f18b5c2fe...
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3633
http://security.libvirt.org/2014/0004.html
https://bugs.archlinux.org/task/42159
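To make the indexing mistake in the Description concrete, the following C illustration is added here and is not libvirt's code: the DiskDef/DomainDef structs, the function names and the vda/vdb sample are constructed. It contrasts reusing a live-definition index on the persistent disk array with a lookup that searches each definition by target name, and shows why a hot-plugged disk that is absent from the persistent definition triggers the out-of-bounds condition.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for libvirt's disk and domain definitions (not the real structs). */
typedef struct { const char *dst; long total_bytes_sec; } DiskDef;
typedef struct { const DiskDef *disks; size_t ndisks; } DomainDef;

/* Index of the disk with target name dst within one definition, or -1 if absent. */
static int find_disk_index(const DomainDef *def, const char *dst)
{
    for (size_t i = 0; i < def->ndisks; i++)
        if (strcmp(def->disks[i].dst, dst) == 0)
            return (int)i;
    return -1;
}

/* Reproduces the flawed indexing the advisory describes: the index found in the
 * live definition is applied to the persistent disk array. Returns 1 when that
 * index lies past the end of the persistent array (the out-of-bounds condition),
 * 0 otherwise. The read itself is deliberately not performed. */
int live_index_overruns_persistent(const DomainDef *live, const DomainDef *persistent,
                                   const char *dst)
{
    int idx = find_disk_index(live, dst);
    return idx >= 0 && (size_t)idx >= persistent->ndisks;
}

/* Corrected lookup: each definition is searched by target name, so a disk that
 * exists only in the live domain is reported as missing instead of becoming an
 * index into the wrong array. Returns the persistent throttle value, or -1 if
 * dst is absent from either definition. */
long persistent_iotune_checked(const DomainDef *live, const DomainDef *persistent,
                               const char *dst)
{
    if (find_disk_index(live, dst) < 0)
        return -1;
    int pidx = find_disk_index(persistent, dst);
    if (pidx < 0)
        return -1;
    return persistent->disks[pidx].total_bytes_sec;
}

/* Constructed sample: vdb was hot-plugged into the live domain only, so the
 * persistent definition is one entry shorter than the live one. */
static const DiskDef live_disks[] = { { "vda", 1000 }, { "vdb", 2000 } };
static const DiskDef persistent_disks[] = { { "vda", 1000 } };
const DomainDef sample_live = { live_disks, 2 };
const DomainDef sample_persistent = { persistent_disks, 1 };
```

Keeping the two definitions matched, as the Workaround section advises, is exactly what makes the flawed index reuse safe until the fixed package is installed.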