libvirt/e7f400a1-CVE-2013-4296.patch

commit e7f400a110e2e3673b96518170bfea0855dd82c0
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Tue Sep 3 16:52:06 2013 +0100

    Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296)
    
    The 'stats' variable was not initialized to NULL, so if some
    early validation of the RPC call fails, it is possible to jump
    to the 'cleanup' label and VIR_FREE an uninitialized pointer.
    This is a security flaw, since the API can be called from a
    readonly connection which can trigger the validation checks.
    
    This was introduced in release v0.9.1 onwards by
    
      commit 158ba8730e44b7dd07a21ab90499996c5dec080a
      Author: Daniel P. Berrange <berrange@redhat.com>
      Date:   Wed Apr 13 16:21:35 2011 +0100
    
        Merge all returns paths from dispatcher into single path
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Index: libvirt-1.1.2/daemon/remote.c
===================================================================
--- libvirt-1.1.2.orig/daemon/remote.c
+++ libvirt-1.1.2/daemon/remote.c
@@ -1146,7 +1146,7 @@ remoteDispatchDomainMemoryStats(virNetSe
                                 remote_domain_memory_stats_ret *ret)
 {
     virDomainPtr dom = NULL;
-    struct _virDomainMemoryStat *stats;
+    struct _virDomainMemoryStat *stats = NULL;
     int nr_stats;
     size_t i;
     int rv = -1;
- Add support for using 3-arg pkcheck syntax for process db7a5688-CVE-2013-4311.patch, e65667c0-CVE-2013-4311.patch, 922b7fda-CVE-2013-4311.patch, e4697b92-CVE-2013-4311.patch bnc#836931 - CVE-2013-4296: Fix crash in remoteDispatchDomainMemoryStats e7f400a1-CVE-2013-4296.patch bnc#838638 - CVE-2013-4297: Fix crash in virFileNBDDeviceAssociate 2dba0323-CVE-2013-4297.patch bnc#838642 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=299 2013-10-02 18:20:46 +02:00			`commit e7f400a110e2e3673b96518170bfea0855dd82c0`
			`Author: Daniel P. Berrange <berrange@redhat.com>`
			`Date: Tue Sep 3 16:52:06 2013 +0100`

			`Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296)`

			`The 'stats' variable was not initialized to NULL, so if some`
			`early validation of the RPC call fails, it is possible to jump`
			`to the 'cleanup' label and VIR_FREE an uninitialized pointer.`
			`This is a security flaw, since the API can be called from a`
			`readonly connection which can trigger the validation checks.`

			`This was introduced in release v0.9.1 onwards by`

			`commit 158ba8730e44b7dd07a21ab90499996c5dec080a`
			`Author: Daniel P. Berrange <berrange@redhat.com>`
			`Date: Wed Apr 13 16:21:35 2011 +0100`

			`Merge all returns paths from dispatcher into single path`

			`Signed-off-by: Daniel P. Berrange <berrange@redhat.com>`

			`Index: libvirt-1.1.2/daemon/remote.c`
			`===================================================================`
			`--- libvirt-1.1.2.orig/daemon/remote.c`
			`+++ libvirt-1.1.2/daemon/remote.c`
			`@@ -1146,7 +1146,7 @@ remoteDispatchDomainMemoryStats(virNetSe`
			`remote_domain_memory_stats_ret *ret)`
			`{`
			`virDomainPtr dom = NULL;`
			`- struct _virDomainMemoryStat *stats;`
			`+ struct _virDomainMemoryStat *stats = NULL;`
			`int nr_stats;`
			`size_t i;`
			`int rv = -1;`