PT-2014-1811 · Libvirt+5 · Libvirt-Python+9
Pavel Hrdina · Published 2014-10-01 · Updated 2024-06-15 · CVE-2014-3657
CVSS v2.0: 6.8 (Medium)
Vector: AV:A/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
libvirt versions prior to 1.2.9
libvirt-client version 0.10.2
libvirt-devel version 0.10.2
libvirt-debuginfo version 0.10.2
libvirt-python version 0.10.2
Description
The issue affects the confidentiality, integrity, and availability of protected information. It is related to the virDomainListPopulate function in conf/domain_conf.c, which does not clean up the lock on the list of domains. This allows remote attackers to cause a denial of service (deadlock) via a NULL value in the second parameter in the virConnectListAllDomains API command.
Recommendations
For libvirt versions prior to 1.2.9, update to version 1.2.9 or later to resolve the issue.
For libvirt-client version 0.10.2, consider disabling the virConnectListAllDomains API command until a patch is available.
For libvirt-devel version 0.10.2, restrict access to the conf/domain_conf.c module to minimize the risk of exploitation.
For libvirt-debuginfo version 0.10.2, avoid using the virDomainListPopulate function until the issue is resolved.
For libvirt-python version 0.10.2, consider disabling the virConnectListAllDomains API command until a patch is available.
Fix
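The bug class in the description above, as an added example in C (a simplified model written for this page, not libvirt's code): a list function that takes a lock and returns early on a NULL output pointer without releasing it, next to the corrected form. The struct, the function names and the assumption that a NULL output pointer means "return the count only" are illustrative.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

/* Hypothetical stand-in for a lock-protected domain list (not libvirt's types). */
struct dom_list { pthread_mutex_t lock; int n; const int *ids; };
static const int sample_ids[] = { 1, 2, 3 };   /* constructed sample data */

/* Leaky shape: the NULL (count-only) path returns with the list lock held. */
int populate_leaky(struct dom_list *l, const int **out)
{
    pthread_mutex_lock(&l->lock);
    if (!out)
        return l->n;                  /* BUG: early return skips the unlock */
    *out = l->ids;
    pthread_mutex_unlock(&l->lock);
    return l->n;
}

/* Corrected shape: every exit path passes through the single unlock label. */
int populate_fixed(struct dom_list *l, const int **out)
{
    int ret;
    pthread_mutex_lock(&l->lock);
    ret = l->n;
    if (!out)
        goto unlock;                  /* count only, but still release the lock */
    *out = l->ids;
unlock:
    pthread_mutex_unlock(&l->lock);
    return ret;
}

/* Returns 1 if a NULL-output call leaves the lock held (the next caller would block). */
int lock_left_held(int (*populate)(struct dom_list *, const int **))
{
    struct dom_list l = { .n = 3, .ids = sample_ids };
    pthread_mutex_init(&l.lock, NULL);
    populate(&l, NULL);
    int busy = pthread_mutex_trylock(&l.lock) == EBUSY;
    pthread_mutex_unlock(&l.lock);    /* held either by the leak or by trylock */
    pthread_mutex_destroy(&l.lock);
    return busy;
}

int main(void)
{
    printf("leaky held=%d, fixed held=%d\n", lock_left_held(populate_leaky), lock_left_held(populate_fixed));
    return 0;
}
```

In a multi-threaded daemon the held lock means every later operation on the same list blocks, which is why a code review for this class checks each return statement between the lock and unlock calls.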
DoS
Buffer Overflow
Related Identifiers
Affected Products
Alt Linux
Centos
Red Hat
Suse
Ubuntu
Libvirt
Libvirt-Client
Libvirt-Debuginfo
Libvirt-Devel
Libvirt-Python