[Qemu-devel] oss-security - CVE-2014-3672 libvirt: DoS via excessive logging

[Qemu-devel] oss-security - CVE-2014-3672 libvirt: DoS via excessive logging

[Xulei (Stone)]

Hi,

A CVE（CVE-2014-3672） vulnerability was reported in Xen. 
I want to know how to reproduce this CVE and whether the qemu-kvm was affected ?

Hyperlink: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3672
Hyperlink: http://www.openwall.com/lists/oss-security/2016/05/24/5

Thank you.

--------------
Xulei (Stone)

Re: [Qemu-devel] oss-security - CVE-2014-3672 libvirt: DoS via excessive logging

[Daniel P. Berrange]

On Thu, Jul 21, 2016 at 02:24:43AM +0000, Xulei (Stone) wrote:
> Hi,
> 
> A CVE（CVE-2014-3672） vulnerability was reported in Xen. 
> I want to know how to reproduce this CVE and whether the qemu-kvm was affected ?
> 
> Hyperlink: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3672
> Hyperlink: http://www.openwall.com/lists/oss-security/2016/05/24/5

Yes, QEMU is affected, but we did not fix it at the QEMU layer. Instead
libvirt has introduced a virtlogd daemon to handle all writing of data
to files. So QEMU now merely writes a pipe FD, and virtlogd takes care
of file rotation.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|