Your message dated Sat, 07 Sep 2024 08:37:40 +0000
with message-id <e1smqwu-003at6...@fasolo.debian.org>
and subject line Bug#1080218: fixed in libvirt 10.7.0-1
has caused the Debian Bug report #1080218,
regarding libvirt: CVE-2024-8235
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1080218: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1080218
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libvirt
Version: 10.6.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for libvirt.
CVE-2024-8235[0]:
| A flaw was found in libvirt. A refactor of the code fetching the
| list of interfaces for multiple APIs introduced a corner case on
| platforms where allocating 0 bytes of memory results in a NULL
| pointer. This corner case would lead to a NULL-pointer dereference
| and subsequent crash of virtinterfaced. This issue could allow
| clients connecting to the read-only socket to crash the
| virtinterfaced daemon.
A note on the severity: Technically I think 'important' would have
been more appropriate. Still ideally this needs to be fixed for
trixie, so raise the level such that it appears on the radar before
the trixie freeze. I expect anyway that pkg-libvirt-maintainers are
reactive enough on bugfixes, so if you feel strongly about it please do
downgrade the severity.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-8235
https://www.cve.org/CVERecord?id=CVE-2024-8235
[1] https://gitlab.com/libvirt/libvirt/-/commit/8dfb12cb77996519901b8d52c754ab564ebd10e8
Regards,
Salvatore
--- End Message ---
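The corner case quoted in the report above, modelled as an added C example (not libvirt's code and not part of the original message). It assumes a shared helper that treats a NULL array as a "count only" request, so a zero-length request whose buffer came back NULL is answered with a nonzero count; `alloc_names`, `list_fragile`, `list_hardened` and the interface names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample data standing in for the host's interfaces. */
static const char *const HOST_IFACES[] = { "lo", "eth0", "br0" };
#define N_IFACES ((int)(sizeof(HOST_IFACES) / sizeof(HOST_IFACES[0])))

/* Models an allocator that returns NULL for a 0-byte request. */
static const char **alloc_names(int n) {
    return n > 0 ? calloc((size_t)n, sizeof(const char *)) : NULL;
}

/* Fragile shared helper: names == NULL means "count only", so a request
 * for 0 names (NULL buffer) is mistaken for a counting call. */
static int list_fragile(const char **names, int maxnames) {
    int count = 0;
    for (int i = 0; i < N_IFACES; i++) {
        if (names && count >= maxnames)
            break;
        if (names)
            names[count] = HOST_IFACES[i];
        count++;
    }
    return count; /* can exceed maxnames when names is NULL */
}

/* Hardened helper: counting is requested explicitly with maxnames < 0,
 * so the array length is honoured even when the buffer is NULL. */
static int list_hardened(const char **names, int maxnames) {
    int count = 0;
    for (int i = 0; i < N_IFACES && (maxnames < 0 || count < maxnames); i++) {
        if (names)
            names[count] = HOST_IFACES[i];
        count++;
    }
    return count;
}

int main(void) {
    const char **names = alloc_names(0); /* client asked for 0 names */
    /* A caller walking names[0..n-1] with the fragile count hits NULL. */
    printf("fragile=%d hardened=%d count-only=%d\n", list_fragile(names, 0),
           list_hardened(names, 0), list_hardened(NULL, -1));
    free(names);
    return 0;
}
```
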
--- Begin Message ---
Source: libvirt
Source-Version: 10.7.0-1
Done: Andrea Bolognani <e...@kiyuko.org>
We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1080...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrea Bolognani <e...@kiyuko.org> (supplier of updated libvirt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 05 Sep 2024 20:59:27 +0200
Source: libvirt
Architecture: source
Version: 10.7.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintain...@lists.alioth.debian.org>
Changed-By: Andrea Bolognani <e...@kiyuko.org>
Closes: 1077915 1080218
Changes:
 libvirt (10.7.0-1) unstable; urgency=medium
 .
   * [a84ccbd] New upstream version 10.7.0
     - Update for qemu-bridge-helper's new location (Closes: #1077915)
     - Fixes CVE-2024-8235 (Closes: #1080218)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---