PublicDateAtUSN: 2019-02-27
Candidate: CVE-2019-3840
PublicDate: 2019-03-27 13:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3840
 https://www.redhat.com/archives/libvir-list/2019-January/msg00241.html
 https://ubuntu.com/security/notices/USN-3909-1
Description:
 A NULL pointer dereference flaw was discovered in libvirt before version
 5.0.0 in the way it gets interface information through the QEMU agent. An
 attacker in a guest VM can use this flaw to crash libvirtd and cause a
 denial of service.
Ubuntu-Description:
Notes:
 mdeslaur> introduced in 1.2.14
Bugs:
 https://bugzilla.redhat.com/show_bug.cgi?id=1663051
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H [6.3 MEDIUM]

Patches_libvirt:
 upstream: https://libvirt.org/git/?p=libvirt.git;a=commit;h=7cfd1fbb1332ae5df678b9f41a62156cb2e88c73
upstream_libvirt: released (5.0.0-1)
precise/esm_libvirt: not-affected (code not present)
trusty_libvirt: not-affected (code not present)
trusty/esm_libvirt: not-affected (code not present)
xenial_libvirt: released (1.3.1-1ubuntu10.25)
esm-infra/xenial_libvirt: released (1.3.1-1ubuntu10.25)
bionic_libvirt: released (4.0.0-1ubuntu8.8)
cosmic_libvirt: released (4.6.0-2ubuntu3.4)
devel_libvirt: not-affected (5.0.0-1ubuntu1)