PublicDateAtUSN: 2013-11-02
Candidate: CVE-2013-4401
PublicDate: 2013-11-02 18:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4401
 https://ubuntu.com/security/notices/USN-2026-1
Description:
 The virConnectDomainXMLToNative API function in libvirt 1.1.0 through 1.1.3
 checks for the connect:read permission instead of the connect:write
 permission, which allows attackers to gain domain:write privileges and
 execute Qemu binaries via crafted XML.  NOTE: some of these details are
 obtained from third party information.
Ubuntu-Description:
Notes:
 mdeslaur> introduced in 1.1.0
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727101
 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4401
 https://bugzilla.redhat.com/show_bug.cgi?id=1012196
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS: 

Patches_libvirt:
 upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c
upstream_libvirt: needs-triage
lucid_libvirt: not-affected
precise_libvirt: not-affected
quantal_libvirt: not-affected
raring_libvirt: not-affected (1.0.2-0ubuntu11.13.04.4)
saucy_libvirt: released (1.1.1-0ubuntu8.1)
devel_libvirt: released (1.1.4-0ubuntu1)