Re: [Qemu-devel] oss-security - CVE-2014-3672 libvirt: DoS via excessive
From: Daniel P. Berrange
Subject: Re: [Qemu-devel] oss-security - CVE-2014-3672 libvirt: DoS via excessive logging
Date: Thu, 21 Jul 2016 09:55:35 +0100
User-agent: Mutt/1.6.1 (2016-04-27)

On Thu, Jul 21, 2016 at 02:24:43AM +0000, Xulei (Stone) wrote:
> Hi,
>
> A CVE (CVE-2014-3672) vulnerability was reported in Xen.
> I want to know how to reproduce this CVE and whether the qemu-kvm was
> affected?
>
> Hyperlink: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3672
> Hyperlink: http://www.openwall.com/lists/oss-security/2016/05/24/5

Yes, QEMU is affected, but we did not fix it at the QEMU layer. Instead
libvirt has introduced a virtlogd daemon to handle all writing of data
to files. So QEMU now merely writes to a pipe FD, and virtlogd takes care
of file rotation.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
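
The arrangement described in the reply, as an added illustration that is not part of the original message and is not libvirt's code: the emulator side only writes to a pipe, and a separate reader applies a size cap with rotation, so on-disk log size stays bounded however much is written. `RotatingSink`, `drain`, `flood`, `demo` and the size and backup values are hypothetical.

```python
import os, tempfile, threading

class RotatingSink:  # hypothetical helper: path plus path.0 .. path.(max_backups-1)
    def __init__(self, path, max_size, max_backups):
        self.path, self.max_size, self.max_backups = path, max_size, max_backups
        self.fh = open(path, "ab")

    def _rotate(self):
        self.fh.close()
        names = [self.path] + [f"{self.path}.{i}" for i in range(self.max_backups)]
        for src, dst in reversed(list(zip(names, names[1:]))):  # oldest backup is overwritten
            if os.path.exists(src):
                os.replace(src, dst)
        self.fh = open(self.path, "wb")  # truncates in place when no backups are kept

    def write(self, data):  # assumes max_size > 0
        while data:
            if self.fh.tell() >= self.max_size:
                self._rotate()
            room = self.max_size - self.fh.tell()
            self.fh.write(data[:room])
            data = data[room:]
        self.fh.flush()

def drain(read_fd, sink):
    """Daemon side: copy the pipe into the sink until the writer closes its end."""
    total = 0
    while data := os.read(read_fd, 4096):
        sink.write(data)
        total += len(data)
    return total

def flood(write_fd, n):
    """Emulator side: emit n bytes of constructed guest-triggered output, then close."""
    view = memoryview((b"guest-triggered message\n" * (n // 24 + 1))[:n])
    while view:
        view = view[os.write(write_fd, view):]
    os.close(write_fd)

def demo(max_size=1024, max_backups=2, n=20000):
    """Return (bytes received over the pipe, bytes left on disk)."""
    with tempfile.TemporaryDirectory() as d:
        r, w = os.pipe()
        sink = RotatingSink(os.path.join(d, "guest.log"), max_size, max_backups)
        threading.Thread(target=flood, args=(w, n)).start()
        total = drain(r, sink)  # returns only after flood() has closed its end
        os.close(r)
        sink.fh.close()
        return total, sum(os.path.getsize(os.path.join(d, f)) for f in os.listdir(d))
```

With the defaults, `demo()` receives all 20000 bytes over the pipe while the files left on disk never exceed `max_size * (max_backups + 1)`.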