CVE-2014-8136

NameCVE-2014-8136
DescriptionThe (1) qemuDomainMigratePerform and (2) qemuDomainMigrateFinish2 functions in qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL check fails, which allow local users to cause a denial of service via unspecified vectors.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitylow
Debian Bugs773856

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libvirt (PTS)stretch (security), stretch3.0.0-4+deb9u4fixed
buster5.0.0-4+deb10u1fixed
bullseye6.0.0-6fixed
sid6.0.0-7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libvirtsource(unstable)1.2.9-7773856
libvirtsourcesqueeze(not affected)
libvirtsourcewheezy(not affected)

Notes

[wheezy] - libvirt <not-affected> (Vulnerable code introduced later)
[squeeze] - libvirt <not-affected> (Vulnerable code introduced later)
Upstream commit: http://libvirt.org/git/?p=libvirt.git;a=commit;h=2bdcd29c713dfedd813c89f56ae98f6f3898313d (v1.2.11-rc2)
Introduced in http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=abf75aea247e (v1.1.0-rc1)

Search for package or bug name: Reporting problems