CVE-2012-2693

Priority
Low
Description
libvirt, possibly before 0.9.12, does not properly assign USB devices to
virtual machines when multiple devices have the same vendor and product ID,
which might cause the wrong device to be associated with a guest and might
allow local users to access unintended USB devices.
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2693
https://www.redhat.com/archives/libvir-list/2012-April/msg01494.html
http://www.openwall.com/lists/oss-security/2012/06/11/3
http://www.openwall.com/lists/oss-security/2012/06/11/2
Bugs
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677496
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2693
https://bugzilla.redhat.com/show_bug.cgi?id=815755
Notes
jdstrand> need 3rd patch to fix a regression
mdeslaur> need 4th patch to fix another regression
mdeslaur> possibly 5th patch for another regression
Package
Source: libvirt (LP Ubuntu Debian)
Upstream:released (0.9.12-1)
Ubuntu 8.04 LTS (Hardy Heron):ignored (reached end-of-life)
Ubuntu 10.04 LTS (Lucid Lynx):needed
Ubuntu 11.10 (Oneiric Ocelot):ignored (reached end-of-life)
Ubuntu 12.04 LTS (Precise Pangolin):needed
Ubuntu 12.10 (Quantal Quetzal):not-affected (0.9.12-0ubuntu3)
Ubuntu 13.04 (Raring Ringtail):not-affected (0.9.12-0ubuntu3)
Ubuntu 13.10 (Saucy Salamander):not-affected (0.9.12-0ubuntu3)
Patches:
Upstream:http://libvirt.org/git/?p=libvirt.git;a=commit;h=9914477efc9764f691ca50faca6592a2d4fecec8 (pt1)
Upstream:http://libvirt.org/git/?p=libvirt.git;a=commit;h=05abd1507d66aabb6cad12eeafeb4c4d1911c585 (pt2)
Upstream:http://libvirt.org/git/?p=libvirt.git;a=commit;h=ab5fb8f34c93661bb19b62e4ed3592fb53cd6b36 (pt3)
Upstream:http://libvirt.org/git/?p=libvirt.git;a=commit;h=2f5fdc886ec7ed8b871ebd0576271f8ee5be1f71 (pt4)
Upstream:http://libvirt.org/git/?p=libvirt.git;a=commit;h=9c484e3dc5464dfbb538744360b401a0bc59c1c6 (?)
More Information

Valid XHTML 1.0 Strict

Updated: 2013-05-09 15:16:32 UTC (commit 6824)