[Pkg-libvirt-commits] [libvirt] 01/02: CVE-2013-4296: Fix crash in remoteDispatchDomainMemoryStats

[Guido Guenther]

This is an automated email from the git hooks/post-receive script.

agx pushed a commit to annotated tag debian/0.9.12-11+deb7u4
in repository libvirt.

commit e91a86ad1b9d839d430074155db6fdb5f2dc3979
Author: Guido Günther <agx at sigxcpu.org>
Date:   Mon Sep 9 13:11:04 2013 +0200

    CVE-2013-4296: Fix crash in remoteDispatchDomainMemoryStats
    
    Thanks: "Daniel P. Berrange"
---
 ...-crash-in-remoteDispatchDomainMemoryStats.patch |   37 ++++++++++++++++++++
 debian/patches/series                              |    1 +
 2 files changed, 38 insertions(+)

diff --git a/debian/patches/security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch b/debian/patches/security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch
new file mode 100644
index 0000000..32004a2
--- /dev/null
+++ b/debian/patches/security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch
@@ -0,0 +1,37 @@
+From: "Daniel P. Berrange" <berrange at redhat.com>
+Date: Mon, 9 Sep 2013 13:08:20 +0200
+Subject: Fix crash in remoteDispatchDomainMemoryStats
+
+The 'stats' variable was not initialized to NULL, so if some
+early validation of the RPC call fails, it is possible to jump
+to the 'cleanup' label and VIR_FREE an uninitialized pointer.
+This is a security flaw, since the API can be called from a
+readonly connection which can trigger the validation checks.
+
+This was introduced in release v0.9.1 onwards by
+
+  commit 158ba8730e44b7dd07a21ab90499996c5dec080a
+  Author: Daniel P. Berrange <berrange at redhat.com>
+  Date:   Wed Apr 13 16:21:35 2011 +0100
+
+    Merge all returns paths from dispatcher into single path
+
+Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
+
+---
+ daemon/remote.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemon/remote.c b/daemon/remote.c
+index 4ece019..7d72b0a 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -1060,7 +1060,7 @@ remoteDispatchDomainMemoryStats(virNetServerPtr server ATTRIBUTE_UNUSED,
+                                 remote_domain_memory_stats_ret *ret)
+ {
+     virDomainPtr dom = NULL;
+-    struct _virDomainMemoryStat *stats;
++    struct _virDomainMemoryStat *stats = NULL;
+     int nr_stats, i;
+     int rv = -1;
+     struct daemonClientPrivate *priv =
diff --git a/debian/patches/series b/debian/patches/series
index 60bcbee..d94c3a3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ debian/Allow-xen-toolstack-to-find-it-s-binaries.patch
 fix-leak-virStorageBackendLogicalMakeVol.patch
 upstream/Fix-libvirtd-crash-when-destroying-a-domain-with-att.patch
 upstream/Fix-race-condition-when-destroying-guests.patch
+security/Fix-crash-in-remoteDispatchDomainMemoryStats.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libvirt.git