Gentoo Linux Security Advisory 201412-4 - Multiple vulnerabilities have been found in libvirt, worst of which allows context-dependent attackers to escalate privileges. Versions less than 1.2.9-r2 are affected.
04c111d3cb8f6077f1f1c216f9e56106ab6e31444d537f25d03e8ab04ca85eb1
Debian Linux Security Advisory 2764-1 - Daniel P. Berrange discovered that incorrect memory handling in the remoteDispatchDomainMemoryStats() function could lead to denial of service.
dd359ee6a114c2ea12723e65fab5b15ff7b13a65fc45369003a122ce5e0872ba
Red Hat Security Advisory 2013-1272-01 - The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. libvirt invokes the PolicyKit pkcheck utility to handle authorization. A race condition was found in the way libvirt used this utility, allowing a local user to bypass intended PolicyKit authorizations or execute arbitrary commands with root privileges. Note: With this update, libvirt has been rebuilt to communicate with PolicyKit via a different API that is not vulnerable to the race condition. The polkit RHSA-2013:1270 advisory must also be installed to fix the CVE-2013-4311 issue.
d92904347fa422567abf49e49fb5c4c1e4959e1c56937eff10d983ba67e44e91
Ubuntu Security Notice 1954-1 - It was discovered that libvirt used the pkcheck tool in an unsafe manner. A local attacker could possibly use this flaw to bypass polkit authentication. In Ubuntu, libvirt polkit authentication is not enabled by default. It was discovered that libvirt incorrectly handled certain memory stats requests. A remote attacker could use this issue to cause libvirt to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 12.10, and Ubuntu 13.04. Various other issues were also addressed.
59ff3bfce1b5160cbf39adc5e7dbd353a7a26360a5e79205fa96bcdf56cace17