PT-2014-1810
Luyao Huang
Published 2014-09-19 · Updated 2024-06-15
CVE-2014-3633
CVSS v2.0: 6.8 (Medium)
Vector: AV:A/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
libvirt versions prior to 1.2.9
libvirt-client version 0.10.2
libvirt-devel version 0.10.2
libvirt-debuginfo version 0.10.2
libvirt-python version 0.10.2
Description
The issue affects the confidentiality, integrity, and availability of protected information. It is related to the qemuDomainGetBlockIoTune function in qemu/qemu_driver.c, which allows remote attackers to cause a denial of service or read sensitive heap information via a crafted blkiotune query. This query can trigger an out-of-bounds read when a disk has been hot-plugged or removed from the live image.
Recommendations
For libvirt versions prior to 1.2.9, update to version 1.2.9 or later to resolve the issue.
For libvirt-client version 0.10.2, consider disabling the qemuDomainGetBlockIoTune function as a temporary workaround until a patch is available.
For libvirt-devel version 0.10.2, restrict access to the qemu/qemu_driver.c module to minimize the risk of exploitation.
For libvirt-debuginfo version 0.10.2, avoid using the blkiotune query in the affected API endpoint until the issue is resolved.
For libvirt-python version 0.10.2, consider disabling the qemuDomainGetBlockIoTune function as a temporary workaround until a patch is available.
Fix
DoS
Buffer Overflow
Affected Products
Alt Linux
Centos
Red Hat
Suse
Ubuntu
Libvirt
Libvirt-Client
Libvirt-Debuginfo
Libvirt-Devel
Libvirt-Python
Qemu