DescriptionThe qemuDomainGetBlockIoTune function in qemu/qemu_driver.c in libvirt before 1.2.9, when a disk has been hot-plugged or removed from the live image, allows remote attackers to cause a denial of service (crash) or read sensitive heap information via a crafted blkiotune query, which triggers an out-of-bounds read.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs762203

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libvirt (PTS)jessie (security), jessie1.2.9-9+deb8u5fixed
stretch (security), stretch3.0.0-4+deb9u3fixed
buster, sid4.7.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libvirtsourcesqueeze(not affected)


[squeeze] - libvirt <not-affected> (Vulnerable code introduced in v0.9.8)
Upstream fix:;a=commit;h=3e745e8f775dfe6f64f18b5c2fe4791b35d3546b
Introduced in;a=commitdiff;h=eca96694a7f992be633d48d5ca03cedc9bbc3c9a (v0.9.8)
Upstream advisory:

Search for package or bug name: Reporting problems