CVE-2014-0028

Publication date 24 January 2014

Last updated 24 July 2024

Ubuntu priority

Description

libvirt 1.1.1 through 1.2.0 allows context-dependent attackers to bypass the domain:getattr and connect:search_domains restrictions in ACLs and obtain sensitive domain object information via a request to the (1) virConnectDomainEventRegister and (2) virConnectDomainEventRegisterAny functions in the event registration API.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libvirt	13.10 saucy	Fixed 1.1.1-0ubuntu8.5
	13.04 raring	Ignored end of life
	12.10 quantal	Not affected
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Not affected

Notes

mdeslaur

introduced in 1.1.1

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libvirt	Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=f9f56340539d609cdc2e9d4ab812b9f146c3f100 Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=1d0e4fbf9572ad34045a4f9d87601297a5244c38

References

Related Ubuntu Security Notices (USN)

USN-2093-1
libvirt vulnerabilities
30 January 2014