libvirt.so is vulnerable to an out-of-bounds read. An attacker can cause a denial of service condition or read sensitive heap information using a crafted blkiotune query when a disk is hot-plugged into the live definition. The qemuDomainGetBlockIoTune function in qemu/qemu_driver.c computes an index into the array of disks for the live definition and then uses it as the index into the persistent definition. The two disk arrays do not necessarily have the same length, which leads to the out-of-bounds read.
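An added illustration of the index-reuse bug described above, written as a constructed model rather than libvirt's own code; the struct and function names are assumptions. It shows the live/persistent length mismatch after a hot-plug and the safer pattern of looking the disk up by name in each definition separately.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a live and a persistent domain definition
 * (not libvirt's own structures): each owns its own disk array. */
struct disk { const char *dst; int read_bytes_sec; };
struct domain_def { struct disk *disks; size_t ndisks; };

/* Index of the disk whose target name is `dst`, or -1 if absent. */
static int disk_index_by_name(const struct domain_def *def, const char *dst) {
    for (size_t i = 0; i < def->ndisks; i++)
        if (strcmp(def->disks[i].dst, dst) == 0) return (int)i;
    return -1;
}

/* Flawed pattern named in the advisory: an index computed against the
 * live definition is reused on the persistent one. Returns 1 when that
 * reuse would read past the end of the persistent disk array. */
int persistent_lookup_is_oob(const struct domain_def *live,
                             const struct domain_def *persistent,
                             const char *dst) {
    int idx = disk_index_by_name(live, dst);
    if (idx < 0) return 0;             /* no live disk, nothing to reuse */
    return (size_t)idx >= persistent->ndisks;
}

/* Safer pattern (assumed here, not copied from the fix): resolve the
 * name against the persistent definition itself; NULL means the disk
 * is not part of the persistent configuration. */
const struct disk *persistent_disk_by_name(const struct domain_def *persistent,
                                           const char *dst) {
    int idx = disk_index_by_name(persistent, dst);
    return idx < 0 ? NULL : &persistent->disks[idx];
}

/* Constructed scenario: vdb was hot-plugged into the live definition
 * only, so the live array is longer than the persistent one. */
static struct disk live_disks[] = { {"vda", 0}, {"vdb", 0} };
static struct disk persistent_disks[] = { {"vda", 0} };
struct domain_def live_def = { live_disks, 2 };
struct domain_def persistent_def = { persistent_disks, 1 };
```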
libvirt.org/git/?p=libvirt.git;a=commitdiff;h=3e745e8f775dfe6f64f18b5c2fe4791b35d3546b
lists.opensuse.org/opensuse-updates/2014-10/msg00014.html
lists.opensuse.org/opensuse-updates/2014-10/msg00017.html
rhn.redhat.com/errata/RHSA-2014-1352.html
secunia.com/advisories/60291
secunia.com/advisories/60895
security.gentoo.org/glsa/glsa-201412-04.xml
security.libvirt.org/2014/0004.html
www.debian.org/security/2014/dsa-3038
www.ubuntu.com/usn/USN-2366-1
access.redhat.com/errata/RHSA-2014:1352
access.redhat.com/errata/RHSA-2014:1873
access.redhat.com/security/cve/CVE-2014-3633
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=1141131
rhn.redhat.com/errata/RHSA-2014-1873.html