libguestfs <= 1.23.1 Denial of service due to a double-free

2013-05-29 / 2013-05-30
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

LibguestFS upstream has issued the following patch:

  [1] https://github.com/libguestfs/libguestfs/commit/fa6a76050d82894365dfe32916903ef7fee3ffcd

to correct a double-free flaw in the virt-inspector / other virt-* tools, which could lead to denial of service if some of the tools were used by 3rd party applications for inspection of untrusted guest files / images:

  [2] https://www.redhat.com/archives/libguestfs/2013-May/msg00079.html
  [3] https://www.redhat.com/archives/libguestfs/2013-May/msg00080.html

    inspect: Use CLEANUP_* macros in inspection code.

can cause a double-free along an error path when certain guest files are empty where we expected those files to contain at least one line.

This causes virt-inspector to crash when run on these guests.

The following is a test case which demonstrates the crash. `f20rawhidex64' is a Fedora guest, but with small adjustments to the test you could use any Linux guest for this test.

  $ qemu-img create -f qcow2 -b f20rawhidex64 /tmp/test.qcow2
  Formatting '/tmp/test.qcow2', fmt=qcow2 size=21474836480 backing_file='f20rawhidex64' encryption=off cluster_size=65536 lazy_refcounts=off
  $ guestfish -i -a /tmp/test.qcow2 -- rm /etc/redhat-release : touch /etc/redhat-release
  $ virt-inspector /tmp/test.qcow2
  *** glibc detected *** virt-inspector: double free or corruption (fasttop): 0x00007f18bc9925a0 ***
  ======= Backtrace: =========
  /lib64/libc.so.6(+0x34ecc7ca8e)[0x7f18b8e64a8e]
  /lib64/libguestfs.so.0(+0x3f91898078)[0x7f18ba13c078]
  /lib64/libguestfs.so.0(+0x3f91899761)[0x7f18ba13d761]
  /lib64/libguestfs.so.0(+0x3f91896d12)[0x7f18ba13ad12]
  /lib64/libguestfs.so.0(+0x3f91894140)[0x7f18ba138140]
  /lib64/libguestfs.so.0(guestfs_inspect_os+0x35)[0x7f18ba0bcc35]
  virt-inspector(main+0x547)[0x7f18ba7c57d7]
  /lib64/libc.so.6(__libc_start_main+0xf5)[0x7f18b8e09a05]
  virt-inspector(+0x6665)[0x7f18ba7c7665]

This is a denial of service, but not likely to be exploitable.
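Added illustration, not libguestfs code: a minimal C model of how a scope-exit cleanup attribute combined with an explicit free on an empty-file error path releases the same list twice, next to the corrected form. The function names, the CLEANUP_LINES macro and the counting free are hypothetical, and the assumption that the flaw has this shape is ours; the instrumented free counts a second release instead of performing it. Needs GCC or Clang for the cleanup attribute.

```c
#define _POSIX_C_SOURCE 200809L /* strdup, strndup */
#include <stdlib.h>
#include <string.h>

static int free_calls; /* list releases in one call; 2 means double free */
static void free_lines(char **lines) {
    if (++free_calls > 1) return; /* count a repeat release, do not redo it */
    for (size_t i = 0; lines[i] != NULL; i++) free(lines[i]);
    free(lines);
}
static void cleanup_lines(char ***p) { if (*p != NULL) free_lines(*p); }
#define CLEANUP_LINES __attribute__((cleanup(cleanup_lines)))

/* Split content into a NULL-terminated list; "" yields an empty list. */
static char **split_lines(const char *s) {
    char **lines = calloc(strlen(s) + 1, sizeof *lines);
    if (lines == NULL) abort();
    for (size_t n = 0; *s != '\0'; n++) {
        size_t len = strcspn(s, "\n");
        lines[n] = strndup(s, len);
        s += len + (s[len] == '\n');
    }
    return lines;
}

/* Before: explicit free on the empty-file path plus scope-exit cleanup. */
static char *first_line_buggy(const char *content) {
    CLEANUP_LINES char **lines = split_lines(content);
    if (lines[0] == NULL) {
        free_lines(lines);  /* first release */
        return strdup("");  /* cleanup_lines() releases again on return */
    }
    return strdup(lines[0]);
}

/* After: the cleanup attribute is the only place the list is released. */
static char *first_line_fixed(const char *content) {
    CLEANUP_LINES char **lines = split_lines(content);
    return strdup(lines[0] != NULL ? lines[0] : "");
}

static int count_frees(char *(*fn)(const char *), const char *content) {
    free_calls = 0;
    free(fn(content));
    return free_calls;
}

int main(void) { /* exit status 0: two releases before the fix, one after */
    return count_frees(first_line_buggy, "") != 2 || count_frees(first_line_fixed, "") != 1;
}
```

With non-empty content both variants release the list once, which is why the flaw only shows on guests where the inspected file is empty.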

References:

[1] https://github.com/libguestfs/libguestfs/commit/fa6a76050d82894365dfe32916903ef7fee3ffcd
[2] https://www.redhat.com/archives/libguestfs/2013-May/msg00079.html
[3] https://www.redhat.com/archives/libguestfs/2013-May/msg00080.html



Copyright 2024, cxsecurity.com

 
