Candidate: CVE-2012-2693
PublicDate: 2012-06-17 03:41:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2693
 https://www.redhat.com/archives/libvir-list/2012-April/msg01494.html
 http://www.openwall.com/lists/oss-security/2012/06/11/3
 http://www.openwall.com/lists/oss-security/2012/06/11/2
Description:
 libvirt, possibly before 0.9.12, does not properly assign USB devices to
 virtual machines when multiple devices have the same vendor and product ID,
 which might cause the wrong device to be associated with a guest and might
 allow local users to access unintended USB devices.
Ubuntu-Description:
Notes:
 jdstrand> need 3rd patch to fix a regression
 mdeslaur> need 4th patch to fix another regression
 mdeslaur> possibly 5th patch for another regression
 mdeslaur> we aren't going to backport this, as it is intrusive.
 mdeslaur> marking as ignored.
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677496
 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2693
 https://bugzilla.redhat.com/show_bug.cgi?id=815755
Priority: low
Discovered-by:
Assigned-to:
CVSS:

Patches_libvirt:
 upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=9914477efc9764f691ca50faca6592a2d4fecec8 (pt1)
 upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=05abd1507d66aabb6cad12eeafeb4c4d1911c585 (pt2)
 upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=ab5fb8f34c93661bb19b62e4ed3592fb53cd6b36 (pt3)
 upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=2f5fdc886ec7ed8b871ebd0576271f8ee5be1f71 (pt4)
 upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=9c484e3dc5464dfbb538744360b401a0bc59c1c6 (?)
upstream_libvirt: released (0.9.12-1)
hardy_libvirt: ignored (reached end-of-life)
lucid_libvirt: ignored
natty_libvirt: ignored (reached end-of-life)
oneiric_libvirt: ignored (reached end-of-life)
precise_libvirt: ignored
quantal_libvirt: not-affected (0.9.12-0ubuntu3)
raring_libvirt: not-affected (0.9.12-0ubuntu3)
saucy_libvirt: not-affected (0.9.12-0ubuntu3)
devel_libvirt: not-affected (0.9.12-0ubuntu3)