CVE-2013-4154

NameCVE-2013-4154
DescriptionThe qemuAgentCommand function in libvirt before 1.1.1, when a guest agent is not configured, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to "agent based cpu (un)plug," as demonstrated by the "virsh vcpucount foobar --guest" command.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs717355

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libvirt (PTS)stretch3.0.0-4+deb9u4fixed
stretch (security)3.0.0-4+deb9u5fixed
buster5.0.0-4+deb10u1fixed
bullseye7.0.0-3fixed
bookworm, sid8.4.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libvirtsourcesqueeze(not affected)
libvirtsourcewheezy(not affected)
libvirtsource(unstable)1.1.0-4low717355

Notes

[squeeze] - libvirt <not-affected> (only affects >= 1.1.0)
[wheezy] - libvirt <not-affected> (only affects >= 1.1.0)
Introduced by http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=d47eff88fe50e43a36671f6d8d0eeda52835d5e0 (v1.1.0)
http://openwall.com/lists/oss-security/2013/07/19/12

Search for package or bug name: Reporting problems