CVE-2013-6458

Publication date 24 January 2014

Last updated 24 July 2024

Ubuntu priority

Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInf, (3) qemuDomainBlockJobImpl, and (4) virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly verify that the disk is attached, which allows remote read-only attackers to cause a denial of service (libvirtd crash) via the virDomainDetachDeviceFlags command.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libvirt	13.10 saucy	Fixed 1.1.1-0ubuntu8.5
	13.04 raring	Ignored
	12.10 quantal	Fixed 0.9.13-0ubuntu12.6
	12.04 LTS precise	Fixed 0.9.8-2ubuntu17.17
	10.04 LTS lucid	Not affected

Notes

mdeslaur

code in lucid is different, looks ok

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libvirt	Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=db86da5ca2109e4006c286a09b6c75bfe10676ad Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=b799259583bd65c0b2f5042e6c3ff19637ade881 Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=f93d2caa070f6197ab50d372d286018b0ba6bbd8 Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=ff5f30b6bfa317f2a4c33f69289baf4e887eb048 Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=3b56425938e2f97208d5918263efa0d6439e4ecd Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=c430c002dd8287c5d7b834993ddfbd61435248c4 Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=4dd29d3bdf4bf3a4c4b1077ddf4355bcf548ca2f Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=3e7d9e54e9ce286fe1bee5d32089cd58d63e5cee Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=2786686eb5855e0046817d47055cd784881ca8cb

Package

Patch details

libvirt

References

Related Ubuntu Security Notices (USN)

USN-2093-1
libvirt vulnerabilities
30 January 2014

Other references

https://www.cve.org/CVERecord?id=CVE-2013-6458