PublicDateAtUSN: 2014-09-19
Candidate: CVE-2014-3633
PublicDate: 2014-10-06 14:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3633
 http://security.libvirt.org/2014/0004.html
 https://ubuntu.com/security/notices/USN-2366-1
Description:
 The qemuDomainGetBlockIoTune function in qemu/qemu_driver.c in libvirt
 before 1.2.9, when a disk has been hot-plugged or removed from the live
 image, allows remote attackers to cause a denial of service (crash) or
 read sensitive heap information via a crafted blkiotune query, which
 triggers an out-of-bounds read.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762203
Priority: medium
Discovered-by: Luyao Huang
Assigned-to: mdeslaur
CVSS:

Patches_libvirt:
 upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=3e745e8f775dfe6f64f18b5c2fe4791b35d3546b
upstream_libvirt: needed
lucid_libvirt: not-affected
precise_libvirt: released (0.9.8-2ubuntu17.20)
trusty_libvirt: released (1.2.2-0ubuntu13.1.5)
trusty/esm_libvirt: released (1.2.2-0ubuntu13.1.5)
devel_libvirt: released (1.2.8-0ubuntu6)