CVE-2013-4401

Priority
Medium
Description
The virConnectDomainXMLToNative API function in libvirt 1.1.0 through 1.1.3
checks for the connect:read permission instead of the connect:write
permission, which allows attackers to gain domain:write privileges and
execute Qemu binaries via crafted XML. NOTE: some of these details are
obtained from third party information.
References
Bugs
Notes
mdeslaur> introduced in 1.1.0
Assigned-to
mdeslaur
Package
Upstream: needs-triage
Ubuntu 10.04 LTS (Lucid Lynx): not-affected
Ubuntu 12.04 LTS (Precise Pangolin): not-affected
Ubuntu 12.10 (Quantal Quetzal): not-affected
Ubuntu 13.04 (Raring Ringtail): not-affected (1.0.2-0ubuntu11.13.04.4)
Ubuntu 13.10 (Saucy Salamander): released (1.1.1-0ubuntu8.1)
Ubuntu 14.04 LTS (Trusty Tahr): released (1.1.4-0ubuntu1)
Patches:
Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c
More Information

Updated: 2013-12-11 18:14:50 UTC (commit 7535)