Lucene search

Gentoo FoundationMGASA-2024-0114

HistoryApr 07, 2024 - 1:16 a.m.

Updated libvirt packages fix security vulnerability

2024-04-0701:16:44

Gentoo Foundation

advisories.mageia.org

libvirt

rpc

deserialization

vulnerability

denial of service

crash

cve-2024-2494

unix

6.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

26.8%

JSON

A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged user to perform a denial of service attack by causing the libvirt daemon to crash. (CVE-2024-2494)

OSVersionArchitecturePackageVersionFilename
Mageia9noarchlibvirt< 9.6.0-1.1libvirt-9.6.0-1.1.mga9

OS	Version	Architecture	Package	Version	Filename
Mageia	9	noarch	libvirt	< 9.6.0-1.1	libvirt-9.6.0-1.1.mga9

References

bugs.mageia.org/show_bug.cgi?id=33047

lwn.net/Articles/967956/

6.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

26.8%

JSON

Related for MGASA-2024-0114