libvirt/244e0b8c-CVE-2013-2218.patch

commit 244e0b8cf15ca2ef48d82058e728656e6c4bad11
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Fri Jun 28 13:21:33 2013 +0100

    Crash of libvirtd by unprivileged user in virConnectListAllInterfaces
    
    On Thu, Jun 27, 2013 at 03:56:42PM +0100, Daniel P. Berrange wrote:
    > Hi Security Team,
    >
    > I've discovered a way for an unprivileged user with a readonly connection
    > to libvirtd, to crash the daemon.
    
    Ok, the final patch for this is issue will be the simpler variant that
    Eric suggested
    
    The embargo can be considered to be lifted on Monday July 1st, at
    0900 UTC
    
    The following is the GIT change that DV or myself will apply to libvirt
    GIT master immediately before the 1.1.0 release:
    
    >From 177b4165c531a4b3ba7f6ab6aa41dca9ceb0b8cf Mon Sep 17 00:00:00 2001
    From: "Daniel P. Berrange" <berrange@redhat.com>
    Date: Fri, 28 Jun 2013 10:48:37 +0100
    Subject: [PATCH] CVE-2013-2218: Fix crash listing network interfaces with
     filters
    
    The virConnectListAllInterfaces method has a double-free of the
    'struct netcf_if' object when any of the filtering flags cause
    an interface to be skipped over. For example when running the
    command 'virsh iface-list --inactive'
    
    This is a regression introduced in release 1.0.6 by
    
      commit 7ac2c4fe624f30f2c8270116513fa2ddab07631f
      Author: Guannan Ren <gren@redhat.com>
      Date:   Tue May 21 21:29:38 2013 +0800
    
        interface: list all interfaces with flags == 0
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Index: libvirt-1.0.6/src/interface/interface_backend_netcf.c
===================================================================
--- libvirt-1.0.6.orig/src/interface/interface_backend_netcf.c
+++ libvirt-1.0.6/src/interface/interface_backend_netcf.c
@@ -365,6 +365,7 @@ netcfConnectListAllInterfaces(virConnect
               (MATCH(VIR_CONNECT_LIST_INTERFACES_INACTIVE) &&
                (status & NETCF_IFACE_INACTIVE)))) {
             ncf_if_free(iface);
+            iface = NULL;
             continue;
         }
- CVE-2013-2218: Fix crash listing network interfaces with filters 244e0b8c-CVE-2013-2218.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=277 2013-07-01 17:28:09 +02:00			`commit 244e0b8cf15ca2ef48d82058e728656e6c4bad11`
			`Author: Daniel P. Berrange <berrange@redhat.com>`
			`Date: Fri Jun 28 13:21:33 2013 +0100`

			`Crash of libvirtd by unprivileged user in virConnectListAllInterfaces`

			`On Thu, Jun 27, 2013 at 03:56:42PM +0100, Daniel P. Berrange wrote:`
			`> Hi Security Team,`
			`>`
			`> I've discovered a way for an unprivileged user with a readonly connection`
			`> to libvirtd, to crash the daemon.`

			`Ok, the final patch for this is issue will be the simpler variant that`
			`Eric suggested`

			`The embargo can be considered to be lifted on Monday July 1st, at`
			`0900 UTC`

			`The following is the GIT change that DV or myself will apply to libvirt`
			`GIT master immediately before the 1.1.0 release:`

			`>From 177b4165c531a4b3ba7f6ab6aa41dca9ceb0b8cf Mon Sep 17 00:00:00 2001`
			`From: "Daniel P. Berrange" <berrange@redhat.com>`
			`Date: Fri, 28 Jun 2013 10:48:37 +0100`
			`Subject: [PATCH] CVE-2013-2218: Fix crash listing network interfaces with`
			`filters`

			`The virConnectListAllInterfaces method has a double-free of the`
			`'struct netcf_if' object when any of the filtering flags cause`
			`an interface to be skipped over. For example when running the`
			`command 'virsh iface-list --inactive'`

			`This is a regression introduced in release 1.0.6 by`

			`commit 7ac2c4fe624f30f2c8270116513fa2ddab07631f`
			`Author: Guannan Ren <gren@redhat.com>`
			`Date: Tue May 21 21:29:38 2013 +0800`

			`interface: list all interfaces with flags == 0`

			`Signed-off-by: Daniel P. Berrange <berrange@redhat.com>`

			`Index: libvirt-1.0.6/src/interface/interface_backend_netcf.c`
			`===================================================================`
			`--- libvirt-1.0.6.orig/src/interface/interface_backend_netcf.c`
			`+++ libvirt-1.0.6/src/interface/interface_backend_netcf.c`
			`@@ -365,6 +365,7 @@ netcfConnectListAllInterfaces(virConnect`
			`(MATCH(VIR_CONNECT_LIST_INTERFACES_INACTIVE) &&`
			`(status & NETCF_IFACE_INACTIVE)))) {`
			`ncf_if_free(iface);`
			`+ iface = NULL;`
			`continue;`
			`}`