ID CVE-2011-2511
Summary Integer overflow in libvirt before 0.9.3 allows remote authenticated users to cause a denial of service (libvirtd crash) and possibly execute arbitrary code via a crafted VirDomainGetVcpus RPC call that triggers memory corruption.
References
Vulnerable Configurations
  • Red Hat libvirt 0.8.7
    cpe:2.3:a:redhat:libvirt:0.8.7
  • Red Hat libvirt 0.8.6
    cpe:2.3:a:redhat:libvirt:0.8.6
  • Red Hat libvirt 0.8.5
    cpe:2.3:a:redhat:libvirt:0.8.5
  • Red Hat libvirt 0.8.4
    cpe:2.3:a:redhat:libvirt:0.8.4
  • Red Hat libvirt 0.8.3
    cpe:2.3:a:redhat:libvirt:0.8.3
  • Red Hat libvirt 0.8.2
    cpe:2.3:a:redhat:libvirt:0.8.2
  • Red Hat libvirt 0.8.1
    cpe:2.3:a:redhat:libvirt:0.8.1
  • Red Hat libvirt 0.8.0
    cpe:2.3:a:redhat:libvirt:0.8.0
  • Red Hat libvirt 0.7.7
    cpe:2.3:a:redhat:libvirt:0.7.7
  • Red Hat libvirt 0.7.6
    cpe:2.3:a:redhat:libvirt:0.7.6
  • Red Hat libvirt 0.7.5
    cpe:2.3:a:redhat:libvirt:0.7.5
  • Red Hat libvirt 0.7.4
    cpe:2.3:a:redhat:libvirt:0.7.4
  • Red Hat libvirt 0.7.3
    cpe:2.3:a:redhat:libvirt:0.7.3
  • Red Hat libvirt 0.7.2
    cpe:2.3:a:redhat:libvirt:0.7.2
  • Red Hat libvirt 0.7.1
    cpe:2.3:a:redhat:libvirt:0.7.1
  • Red Hat libvirt 0.7.0
    cpe:2.3:a:redhat:libvirt:0.7.0
  • Red Hat libvirt 0.0.1
    cpe:2.3:a:redhat:libvirt:0.0.1
  • Red Hat libvirt 0.0.2
    cpe:2.3:a:redhat:libvirt:0.0.2
  • Red Hat libvirt 0.0.3
    cpe:2.3:a:redhat:libvirt:0.0.3
  • Red Hat libvirt 0.0.4
    cpe:2.3:a:redhat:libvirt:0.0.4
  • Red Hat libvirt 0.0.5
    cpe:2.3:a:redhat:libvirt:0.0.5
  • Red Hat libvirt 0.0.6
    cpe:2.3:a:redhat:libvirt:0.0.6
  • Red Hat libvirt 0.1.0
    cpe:2.3:a:redhat:libvirt:0.1.0
  • Red Hat libvirt 0.1.1
    cpe:2.3:a:redhat:libvirt:0.1.1
  • Red Hat libvirt 0.1.3
    cpe:2.3:a:redhat:libvirt:0.1.3
  • Red Hat libvirt 0.1.4
    cpe:2.3:a:redhat:libvirt:0.1.4
  • Red Hat libvirt 0.1.5
    cpe:2.3:a:redhat:libvirt:0.1.5
  • Red Hat libvirt 0.1.6
    cpe:2.3:a:redhat:libvirt:0.1.6
  • Red Hat libvirt 0.1.7
    cpe:2.3:a:redhat:libvirt:0.1.7
  • Red Hat libvirt 0.1.8
    cpe:2.3:a:redhat:libvirt:0.1.8
  • Red Hat libvirt 0.1.9
    cpe:2.3:a:redhat:libvirt:0.1.9
  • Red Hat libvirt 0.2.0
    cpe:2.3:a:redhat:libvirt:0.2.0
  • Red Hat libvirt 0.2.1
    cpe:2.3:a:redhat:libvirt:0.2.1
  • Red Hat libvirt 0.2.2
    cpe:2.3:a:redhat:libvirt:0.2.2
  • Red Hat libvirt 0.2.3
    cpe:2.3:a:redhat:libvirt:0.2.3
  • Red Hat libvirt 0.3.0
    cpe:2.3:a:redhat:libvirt:0.3.0
  • Red Hat libvirt 0.3.1
    cpe:2.3:a:redhat:libvirt:0.3.1
  • Red Hat libvirt 0.3.2
    cpe:2.3:a:redhat:libvirt:0.3.2
  • Red Hat libvirt 0.3.3
    cpe:2.3:a:redhat:libvirt:0.3.3
  • Red Hat libvirt 0.4.0
    cpe:2.3:a:redhat:libvirt:0.4.0
  • Red Hat libvirt 0.4.1
    cpe:2.3:a:redhat:libvirt:0.4.1
  • Red Hat libvirt 0.4.2
    cpe:2.3:a:redhat:libvirt:0.4.2
  • Red Hat libvirt 0.4.3
    cpe:2.3:a:redhat:libvirt:0.4.3
  • Red Hat libvirt 0.4.4
    cpe:2.3:a:redhat:libvirt:0.4.4
  • Red Hat libvirt 0.4.5
    cpe:2.3:a:redhat:libvirt:0.4.5
  • Red Hat libvirt 0.4.6
    cpe:2.3:a:redhat:libvirt:0.4.6
  • Red Hat libvirt 0.5.0
    cpe:2.3:a:redhat:libvirt:0.5.0
  • Red Hat libvirt 0.5.1
    cpe:2.3:a:redhat:libvirt:0.5.1
  • Red Hat libvirt 0.6.0
    cpe:2.3:a:redhat:libvirt:0.6.0
  • Red Hat libvirt 0.6.1
    cpe:2.3:a:redhat:libvirt:0.6.1
  • Red Hat libvirt 0.6.2
    cpe:2.3:a:redhat:libvirt:0.6.2
  • Red Hat libvirt 0.6.3
    cpe:2.3:a:redhat:libvirt:0.6.3
  • Red Hat libvirt 0.6.4
    cpe:2.3:a:redhat:libvirt:0.6.4
  • Red Hat libvirt 0.6.5
    cpe:2.3:a:redhat:libvirt:0.6.5
  • Red Hat libvirt 0.8.8
    cpe:2.3:a:redhat:libvirt:0.8.8
  • Red Hat libvirt 0.9.0
    cpe:2.3:a:redhat:libvirt:0.9.0
  • Red Hat libvirt 0.9.1
    cpe:2.3:a:redhat:libvirt:0.9.1
  • Red Hat libvirt 0.9.2
    cpe:2.3:a:redhat:libvirt:0.9.2
CVSS
Base: 4.0 (as of 11-08-2011 - 08:11)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication SINGLE_INSTANCE
Impact
  • Confidentiality NONE
  • Integrity NONE
  • Availability PARTIAL
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201202-07.NASL
    description The remote host is affected by the vulnerability described in GLSA-201202-07 (libvirt: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in libvirt. Please review the CVE identifiers referenced below for details. Impact : These vulnerabilities allow a remote attacker to cause a Denial of Service condition on the host server or libvirt daemon, or might allow guest OS users to read arbitrary files on the host OS. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 58139
    published 2012-02-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58139
    title GLSA-201202-07 : libvirt: Multiple vulnerabilities
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20110823_LIBVIRT_ON_SL6_X.NASL
    description The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remotely managing virtualized systems. An integer overflow flaw was found in libvirtd's RPC call handling. An attacker able to establish read-only connections to libvirtd could trigger this flaw by calling virDomainGetVcpus() with specially crafted parameters, causing libvirtd to crash. (CVE-2011-2511) This update also fixes the following bugs : - Previously, when the 'virsh vol-create-from' command was run on an LVM (Logical Volume Manager) storage pool, performance of the command was very low and the operation consumed an excessive amount of time. This bug has been fixed in the virStorageVolCreateXMLFrom() function, and the performance problem of the command no longer occurs. - Due to a regression, libvirt used undocumented command line options, instead of the recommended ones. Consequently, the qemu-img utility used an invalid argument while creating an encrypted volume, and the process eventually failed. With this update, the bug in the backing format of the storage back end has been fixed, and encrypted volumes can now be created as expected. - Due to a bug in the qemuAuditDisk() function, hot unplug failures were never audited, and a hot unplug success was audited as a failure. This bug has been fixed, and auditing of disk hot unplug operations now works as expected. - Previously, when a debug process was being activated, the act of preparing a debug message ended up with dereferencing a UUID (universally unique identifier) prior to the NULL argument check. Consequently, an API running the debug process sometimes terminated with a segmentation fault. With this update, a patch has been provided to address this issue, and the crashes no longer occur in the described scenario. 
- The libvirt library uses the 'boot=on' option to mark which disk is bootable but it only uses that option if Qemu advertises its support. The qemu-kvm utility in Scientific Linux 6.1 removed support for that option and libvirt could not use it. As a consequence, when an IDE disk was added as the second storage with a virtio disk being set up as the first one by default, the operating system tried to boot from the IDE disk rather than the virtio disk and either failed to boot with the 'No bootable disk' error message returned, or the system booted whatever operating system was on the IDE disk. With this update, the boot configuration is translated into bootindex, which provides control over which device is used for booting a guest operating system, thus fixing this bug. All users of libvirt are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd must be restarted ('service libvirtd restart') for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61119
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61119
    title Scientific Linux Security Update : libvirt on SL6.x i386/x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-9091.NASL
    description Fix for CVE-2011-2178, regression introduced in disk probe logic, Fix for CVE-2011-2511, integer overflow in VirDomainGetVcpus Make commandtest more robust, Add ARM to NUMA excludes Add several build and runtime dependencies to specfile Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 55561
    published 2011-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55561
    title Fedora 15 : libvirt-0.8.8-7.fc15 (2011-9091)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-9062.NASL
    description CVE-2011-2511, integer overflow in VirDomainGetVcpus Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 55656
    published 2011-07-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55656
    title Fedora 14 : libvirt-0.8.3-10.fc14 (2011-9062)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-1197.NASL
    description Updated libvirt packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remotely managing virtualized systems. An integer overflow flaw was found in libvirtd's RPC call handling. An attacker able to establish read-only connections to libvirtd could trigger this flaw by calling virDomainGetVcpus() with specially crafted parameters, causing libvirtd to crash. (CVE-2011-2511) This update also fixes the following bugs : * Previously, when the 'virsh vol-create-from' command was run on an LVM (Logical Volume Manager) storage pool, performance of the command was very low and the operation consumed an excessive amount of time. This bug has been fixed in the virStorageVolCreateXMLFrom() function, and the performance problem of the command no longer occurs. * Due to a regression, libvirt used undocumented command line options, instead of the recommended ones. Consequently, the qemu-img utility used an invalid argument while creating an encrypted volume, and the process eventually failed. With this update, the bug in the backing format of the storage back end has been fixed, and encrypted volumes can now be created as expected. (BZ#726617) * Due to a bug in the qemuAuditDisk() function, hot unplug failures were never audited, and a hot unplug success was audited as a failure. This bug has been fixed, and auditing of disk hot unplug operations now works as expected. 
(BZ#728516) * Previously, when a debug process was being activated, the act of preparing a debug message ended up with dereferencing a UUID (universally unique identifier) prior to the NULL argument check. Consequently, an API running the debug process sometimes terminated with a segmentation fault. With this update, a patch has been provided to address this issue, and the crashes no longer occur in the described scenario. (BZ#728546) * The libvirt library uses the 'boot=on' option to mark which disk is bootable but it only uses that option if Qemu advertises its support. The qemu-kvm utility in Red Hat Enterprise Linux 6.1 removed support for that option and libvirt could not use it. As a consequence, when an IDE disk was added as the second storage with a virtio disk being set up as the first one by default, the operating system tried to boot from the IDE disk rather than the virtio disk and either failed to boot with the 'No bootable disk' error message returned, or the system booted whatever operating system was on the IDE disk. With this update, the boot configuration is translated into bootindex, which provides control over which device is used for booting a guest operating system, thus fixing this bug. All users of libvirt are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd must be restarted ('service libvirtd restart') for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 55966
    published 2011-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55966
    title RHEL 6 : libvirt (RHSA-2011:1197)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_LIBVIRT-7616.NASL
    description libvirtd could crash if bogus parameters were passed to the VirDomainGetVcpus call. (CVE-2011-2511)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 57222
    published 2011-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57222
    title SuSE 10 Security Update : libvirt (ZYPP Patch Number 7616)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20110721_LIBVIRT_ON_SL5_X.NASL
    description The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. An integer overflow flaw was found in libvirtd's RPC call handling. An attacker able to establish read-only connections to libvirtd could trigger this flaw by calling virDomainGetVcpus() with specially crafted parameters, causing libvirtd to crash. (CVE-2011-2511) This update fixes the following bugs : - libvirt was rebased from version 0.6.3 to version 0.8.2 in Scientific Linux 5.6. A code audit found a minor API change that affected error messages seen by libvirt 0.8.2 clients talking to libvirt 0.7.1 – 0.7.7 (0.7.x) servers. A libvirt 0.7.x server could send VIR_ERR_BUILD_FIREWALL errors where a libvirt 0.8.2 client expected VIR_ERR_CONFIG_UNSUPPORTED errors. In other circumstances, a libvirt 0.8.2 client saw a 'Timed out during operation' message where it should see an 'Invalid network filter' error. This update adds a backported patch that allows libvirt 0.8.2 clients to interoperate with the API as used by libvirt 0.7.x servers, ensuring correct error messages are sent. - libvirt could crash if the maximum number of open file descriptors (_SC_OPEN_MAX) grew larger than the FD_SETSIZE value because it accessed file descriptors outside the bounds of the set. With this update the maximum number of open file descriptors can no longer grow larger than the FD_SETSIZE value. - A libvirt race condition was found. An array in the libvirt event handlers was accessed with a lock temporarily released. In rare cases, if one thread attempted to access this array but a second thread reallocated the array before the first thread reacquired a lock, it could lead to the first thread attempting to access freed memory, potentially causing libvirt to crash. With this update libvirt no longer refers to the old array and, consequently, behaves as expected. 
- Guests connected to a passthrough NIC would kernel panic if a system_reset signal was sent through the QEMU monitor. With this update you can reset such guests as expected. - When using the Xen kernel, the rpmbuild command failed on the xencapstest test. With this update you can run rpmbuild successfully when using the Xen kernel. - When a disk was hot unplugged, 'ret >= 0' was passed to the qemuAuditDisk calls in disk hotunplug operations before ret was, in fact, set to 0. As well, the error path jumped to the 'cleanup' label prematurely. As a consequence, hotunplug failures were not audited and hotunplug successes were audited as failures. This was corrected and hot unplugging checks now behave as expected. - A conflict existed between filter update locking sequences and virtual machine startup locking sequences. When a filter update occurred on one or more virtual machines, a deadlock could consequently occur if a virtual machine referencing a filter was started. This update changes and makes more flexible several qemu locking sequences ensuring this deadlock no longer occurs. - qemudDomainSaveImageStartVM closed some incoming file descriptor (fd) arguments without informing the caller. The consequent double-closes could cause Domain restoration failure. This update alters the qemudDomainSaveImageStartVM signature to prevent the double-closes. This update also adds the following enhancements : - The libvirt Xen driver now supports more than one serial port. - Enabling and disabling the High Precision Event Timer (HPET) in Xen domains is now possible. All libvirt users should install this update which addresses this vulnerability, fixes these bugs and adds these enhancements. After installing the updated packages, libvirtd must be restarted ('service libvirtd restart') for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61090
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61090
    title Scientific Linux Security Update : libvirt on SL5.x i386/x86_64
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2280.NASL
    description It was discovered that libvirt, a library for interfacing with different virtualization systems, is prone to an integer overflow (CVE-2011-2511). Additionally, the stable version is prone to a denial of service, because its error reporting is not thread-safe (CVE-2011-1486).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 55625
    published 2011-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55625
    title Debian DSA-2280-1 : libvirt - several vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1180-1.NASL
    description Eric Blake discovered an integer overflow flaw in libvirt. A remote authenticated attacker could exploit this by sending a crafted VCPU RPC call and cause a denial of service via application crash. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 55730
    published 2011-07-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55730
    title Ubuntu 10.04 LTS / 10.10 / 11.04 : libvirt vulnerability (USN-1180-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-1197.NASL
    description From Red Hat Security Advisory 2011:1197 : Updated libvirt packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remotely managing virtualized systems. An integer overflow flaw was found in libvirtd's RPC call handling. An attacker able to establish read-only connections to libvirtd could trigger this flaw by calling virDomainGetVcpus() with specially crafted parameters, causing libvirtd to crash. (CVE-2011-2511) This update also fixes the following bugs : * Previously, when the 'virsh vol-create-from' command was run on an LVM (Logical Volume Manager) storage pool, performance of the command was very low and the operation consumed an excessive amount of time. This bug has been fixed in the virStorageVolCreateXMLFrom() function, and the performance problem of the command no longer occurs. * Due to a regression, libvirt used undocumented command line options, instead of the recommended ones. Consequently, the qemu-img utility used an invalid argument while creating an encrypted volume, and the process eventually failed. With this update, the bug in the backing format of the storage back end has been fixed, and encrypted volumes can now be created as expected. (BZ#726617) * Due to a bug in the qemuAuditDisk() function, hot unplug failures were never audited, and a hot unplug success was audited as a failure. This bug has been fixed, and auditing of disk hot unplug operations now works as expected. 
(BZ#728516) * Previously, when a debug process was being activated, the act of preparing a debug message ended up with dereferencing a UUID (universally unique identifier) prior to the NULL argument check. Consequently, an API running the debug process sometimes terminated with a segmentation fault. With this update, a patch has been provided to address this issue, and the crashes no longer occur in the described scenario. (BZ#728546) * The libvirt library uses the 'boot=on' option to mark which disk is bootable but it only uses that option if Qemu advertises its support. The qemu-kvm utility in Red Hat Enterprise Linux 6.1 removed support for that option and libvirt could not use it. As a consequence, when an IDE disk was added as the second storage with a virtio disk being set up as the first one by default, the operating system tried to boot from the IDE disk rather than the virtio disk and either failed to boot with the 'No bootable disk' error message returned, or the system booted whatever operating system was on the IDE disk. With this update, the boot configuration is translated into bootindex, which provides control over which device is used for booting a guest operating system, thus fixing this bug. All users of libvirt are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd must be restarted ('service libvirtd restart') for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68333
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68333
    title Oracle Linux 6 : libvirt (ELSA-2011-1197)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2011-1019.NASL
    description Updated libvirt packages that fix one security issue, several bugs and add various enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. An integer overflow flaw was found in libvirtd's RPC call handling. An attacker able to establish read-only connections to libvirtd could trigger this flaw by calling virDomainGetVcpus() with specially crafted parameters, causing libvirtd to crash. (CVE-2011-2511) This update fixes the following bugs : * libvirt was rebased from version 0.6.3 to version 0.8.2 in Red Hat Enterprise Linux 5.6. A code audit found a minor API change that affected error messages seen by libvirt 0.8.2 clients talking to libvirt 0.7.1 - 0.7.7 (0.7.x) servers. A libvirt 0.7.x server could send VIR_ERR_BUILD_FIREWALL errors where a libvirt 0.8.2 client expected VIR_ERR_CONFIG_UNSUPPORTED errors. In other circumstances, a libvirt 0.8.2 client saw a 'Timed out during operation' message where it should see an 'Invalid network filter' error. This update adds a backported patch that allows libvirt 0.8.2 clients to interoperate with the API as used by libvirt 0.7.x servers, ensuring correct error messages are sent. (BZ#665075) * libvirt could crash if the maximum number of open file descriptors (_SC_OPEN_MAX) grew larger than the FD_SETSIZE value because it accessed file descriptors outside the bounds of the set. With this update the maximum number of open file descriptors can no longer grow larger than the FD_SETSIZE value. (BZ#665549) * A libvirt race condition was found. An array in the libvirt event handlers was accessed with a lock temporarily released. 
In rare cases, if one thread attempted to access this array but a second thread reallocated the array before the first thread reacquired a lock, it could lead to the first thread attempting to access freed memory, potentially causing libvirt to crash. With this update libvirt no longer refers to the old array and, consequently, behaves as expected. (BZ#671569) * Guests connected to a passthrough NIC would kernel panic if a system_reset signal was sent through the QEMU monitor. With this update you can reset such guests as expected. (BZ#689880) * When using the Xen kernel, the rpmbuild command failed on the xencapstest test. With this update you can run rpmbuild successfully when using the Xen kernel. (BZ#690459) * When a disk was hot unplugged, 'ret >= 0' was passed to the qemuAuditDisk calls in disk hotunplug operations before ret was, in fact, set to 0. As well, the error path jumped to the 'cleanup' label prematurely. As a consequence, hotunplug failures were not audited and hotunplug successes were audited as failures. This was corrected and hot unplugging checks now behave as expected. (BZ#710151) * A conflict existed between filter update locking sequences and virtual machine startup locking sequences. When a filter update occurred on one or more virtual machines, a deadlock could consequently occur if a virtual machine referencing a filter was started. This update changes and makes more flexible several qemu locking sequences ensuring this deadlock no longer occurs. (BZ#697749) * qemudDomainSaveImageStartVM closed some incoming file descriptor (fd) arguments without informing the caller. The consequent double-closes could cause Domain restoration failure. This update alters the qemudDomainSaveImageStartVM signature to prevent the double-closes. (BZ#681623) This update also adds the following enhancements : * The libvirt Xen driver now supports more than one serial port. 
(BZ#670789) * Enabling and disabling the High Precision Event Timer (HPET) in Xen domains is now possible. (BZ#703193) All libvirt users should install this update which addresses this vulnerability, fixes these bugs and adds these enhancements. After installing the updated packages, libvirtd must be restarted ('service libvirtd restart') for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 56264
    published 2011-09-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56264
    title CentOS 5 : libvirt (CESA-2011:1019)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-1019.NASL
    description Updated libvirt packages that fix one security issue, several bugs and add various enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. An integer overflow flaw was found in libvirtd's RPC call handling. An attacker able to establish read-only connections to libvirtd could trigger this flaw by calling virDomainGetVcpus() with specially crafted parameters, causing libvirtd to crash. (CVE-2011-2511) This update fixes the following bugs : * libvirt was rebased from version 0.6.3 to version 0.8.2 in Red Hat Enterprise Linux 5.6. A code audit found a minor API change that affected error messages seen by libvirt 0.8.2 clients talking to libvirt 0.7.1 - 0.7.7 (0.7.x) servers. A libvirt 0.7.x server could send VIR_ERR_BUILD_FIREWALL errors where a libvirt 0.8.2 client expected VIR_ERR_CONFIG_UNSUPPORTED errors. In other circumstances, a libvirt 0.8.2 client saw a 'Timed out during operation' message where it should see an 'Invalid network filter' error. This update adds a backported patch that allows libvirt 0.8.2 clients to interoperate with the API as used by libvirt 0.7.x servers, ensuring correct error messages are sent. (BZ#665075) * libvirt could crash if the maximum number of open file descriptors (_SC_OPEN_MAX) grew larger than the FD_SETSIZE value because it accessed file descriptors outside the bounds of the set. With this update the maximum number of open file descriptors can no longer grow larger than the FD_SETSIZE value. (BZ#665549) * A libvirt race condition was found. An array in the libvirt event handlers was accessed with a lock temporarily released. 
In rare cases, if one thread attempted to access this array but a second thread reallocated the array before the first thread reacquired a lock, it could lead to the first thread attempting to access freed memory, potentially causing libvirt to crash. With this update libvirt no longer refers to the old array and, consequently, behaves as expected. (BZ#671569) * Guests connected to a passthrough NIC would kernel panic if a system_reset signal was sent through the QEMU monitor. With this update you can reset such guests as expected. (BZ#689880) * When using the Xen kernel, the rpmbuild command failed on the xencapstest test. With this update you can run rpmbuild successfully when using the Xen kernel. (BZ#690459) * When a disk was hot unplugged, 'ret >= 0' was passed to the qemuAuditDisk calls in disk hotunplug operations before ret was, in fact, set to 0. As well, the error path jumped to the 'cleanup' label prematurely. As a consequence, hotunplug failures were not audited and hotunplug successes were audited as failures. This was corrected and hot unplugging checks now behave as expected. (BZ#710151) * A conflict existed between filter update locking sequences and virtual machine startup locking sequences. When a filter update occurred on one or more virtual machines, a deadlock could consequently occur if a virtual machine referencing a filter was started. This update changes and makes more flexible several qemu locking sequences ensuring this deadlock no longer occurs. (BZ#697749) * qemudDomainSaveImageStartVM closed some incoming file descriptor (fd) arguments without informing the caller. The consequent double-closes could cause Domain restoration failure. This update alters the qemudDomainSaveImageStartVM signature to prevent the double-closes. (BZ#681623) This update also adds the following enhancements : * The libvirt Xen driver now supports more than one serial port. 
(BZ#670789) * Enabling and disabling the High Precision Event Timer (HPET) in Xen domains is now possible. (BZ#703193) All libvirt users should install this update which addresses this vulnerability, fixes these bugs and adds these enhancements. After installing the updated packages, libvirtd must be restarted ('service libvirtd restart') for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 63993
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63993
    title RHEL 5 : libvirt (RHSA-2011:1019)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_LIBVIRT-110706.NASL
    description libvirtd could crash if bogus parameters were passed to the VirDomainGetVcpus call (CVE-2011-2511).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75625
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75625
    title openSUSE Security Update : libvirt (openSUSE-SU-2011:0900-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_LIBVIRT-110712.NASL
    description The following bug was fixed in libvirt: libvirtd could crash if bogus parameters were passed to the VirDomainGetVcpus call. (CVE-2011-2511)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 55696
    published 2011-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55696
    title SuSE 11.1 Security Update : libvirt (SAT Patch Number 4870)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_LIBVIRT-7613.NASL
    description libvirtd could crash if bogus parameters were passed to the VirDomainGetVcpus call. (CVE-2011-2511)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 55850
    published 2011-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55850
    title SuSE 10 Security Update : libvirt (ZYPP Patch Number 7613)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_4_LIBVIRT-110706.NASL
    description libvirtd could crash if bogus parameters were passed to the VirDomainGetVcpus call (CVE-2011-2511).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75930
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75930
    title openSUSE Security Update : libvirt (openSUSE-SU-2011:0900-1)
redhat via4
advisories
  • bugzilla
    id 717199
    title CVE-2011-2511 libvirt: integer overflow in VirDomainGetVcpus
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment libvirt is earlier than 0:0.8.2-22.el5
          oval oval:com.redhat.rhsa:tst:20111019002
        • comment libvirt is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090382003
      • AND
        • comment libvirt-devel is earlier than 0:0.8.2-22.el5
          oval oval:com.redhat.rhsa:tst:20111019006
        • comment libvirt-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090382007
      • AND
        • comment libvirt-python is earlier than 0:0.8.2-22.el5
          oval oval:com.redhat.rhsa:tst:20111019004
        • comment libvirt-python is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090382005
    rhsa
    id RHSA-2011:1019
    released 2011-07-21
    severity Moderate
    title RHSA-2011:1019: libvirt security, bug fix, and enhancement update (Moderate)
  • bugzilla
    id 728546
    title [libvirt] [logs] null dereference while preparing libvirt logs
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment libvirt is earlier than 0:0.8.7-18.el6_1.1
          oval oval:com.redhat.rhsa:tst:20111197005
        • comment libvirt is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20131581006
      • AND
        • comment libvirt-client is earlier than 0:0.8.7-18.el6_1.1
          oval oval:com.redhat.rhsa:tst:20111197007
        • comment libvirt-client is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20131581008
      • AND
        • comment libvirt-devel is earlier than 0:0.8.7-18.el6_1.1
          oval oval:com.redhat.rhsa:tst:20111197009
        • comment libvirt-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20131581010
      • AND
        • comment libvirt-python is earlier than 0:0.8.7-18.el6_1.1
          oval oval:com.redhat.rhsa:tst:20111197011
        • comment libvirt-python is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20131581012
    rhsa
    id RHSA-2011:1197
    released 2011-08-23
    severity Moderate
    title RHSA-2011:1197: libvirt security and bug fix update (Moderate)
rpms
  • libvirt-0:0.8.2-22.el5
  • libvirt-devel-0:0.8.2-22.el5
  • libvirt-python-0:0.8.2-22.el5
  • libvirt-0:0.8.7-18.el6_1.1
  • libvirt-client-0:0.8.7-18.el6_1.1
  • libvirt-devel-0:0.8.7-18.el6_1.1
  • libvirt-python-0:0.8.7-18.el6_1.1
refmap via4
confirm http://libvirt.org/news.html
debian DSA-2280
fedora
  • FEDORA-2011-9062
  • FEDORA-2011-9091
mlist
  • [libvirt] 20110624 [PATCH 2/2] remote: protect against integer overflow
  • [oss-security] 20110628 CVE request: libvirt: integer overflow in VirDomainGetVcpus
sectrack 1025822
secunia
  • 45375
  • 45441
  • 45446
suse SUSE-SU-2011:0837
ubuntu USN-1180-1
xf libvirt-virdomaingetvcpus-bo(68271)
Last major update 21-11-2011 - 22:57
Published 10-08-2011 - 16:55
Last modified 28-08-2017 - 21:29