Source: libvirt
Version: 10.6.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libvirt.

CVE-2024-8235[0]:
| A flaw was found in libvirt. A refactor of the code fetching the
| list of interfaces for multiple APIs introduced a corner case on
| platforms where allocating 0 bytes of memory results in a NULL
| pointer. This corner case would lead to a NULL-pointer dereference
| and subsequent crash of virtinterfaced. This issue could allow
| clients connecting to the read-only socket to crash the
| virtinterfaced daemon.

A note on the severity: Technically I think 'important' would have
been more appropriate. Still ideally this needs to be fixed for
trixie, so raise the level such that it appears on the radar before
the trixie freeze. I expect anyway that pkg-libvirt-maintainers are
reactive enough on bugfixes, so if you feel strongly about it please do
downgrade the severity.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-8235
    https://www.cve.org/CVERecord?id=CVE-2024-8235
[1] https://gitlab.com/libvirt/libvirt/-/commit/8dfb12cb77996519901b8d52c754ab564ebd10e8

Regards,
Salvatore
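
Added example (not part of the original report and not libvirt's code): a hypothetical C name filter showing how to handle the corner case the CVE text describes, where an empty list leads to a 0-byte allocation that may return NULL. The names alloc_array and list_active_names, the NULL-on-zero allocator, and the sample data are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in allocator (assumption): models a platform where a 0-byte
 * request yields NULL, the corner case named in the CVE text. */
static void *alloc_array(size_t n, size_t size)
{
    return (n == 0 || size == 0) ? NULL : calloc(n, size);
}

/* Hypothetical filter, hardened: an empty result is a valid list, NULL
 * means failure only when a non-zero size was requested, and the array
 * is never touched when it has no elements. Returns the number of names
 * stored in *out (caller frees *out), or -1 on allocation failure. */
static int list_active_names(const char *const *all, const int *active,
                             size_t n_all, const char ***out)
{
    size_t max = 0, n = 0, i;
    const char **names;

    *out = NULL;
    for (i = 0; i < n_all; i++)
        max += active[i] ? 1 : 0;
    if (max == 0)
        return 0;               /* empty list: nothing to allocate */

    names = alloc_array(max, sizeof(*names));
    if (names == NULL)
        return -1;              /* genuine allocation failure */

    for (i = 0; i < n_all && n < max; i++)
        if (active[i])
            names[n++] = all[i]; /* borrowed pointer, not a copy */
    *out = names;
    return (int)n;
}

int main(void)
{
    /* Constructed sample: three interfaces, none active. */
    const char *all[] = { "lo", "eth0", "br0" };
    const int active[] = { 0, 0, 0 };
    const char **names;
    int n = list_active_names(all, active, 3, &names);
    printf("%d active, array=%p\n", n, (void *)names);
    free(names);
    return n == 0 ? 0 : 1;
}
```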
