
CVE-2013-4377

Published: 11 October 2013

Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 through 1.6.0 allows local users to cause a denial of service (daemon crash) by "hot-unplugging" a virtio device.

Priority

Medium

Status

Package Release Status

qemu
Launchpad, Ubuntu, Debian
lucid Does not exist
precise Does not exist
quantal Does not exist
raring Ignored (reached end-of-life)
saucy Released (1.5.0+dfsg-3ubuntu5.3)
upstream Needed

qemu-kvm
Launchpad, Ubuntu, Debian
lucid Not vulnerable
precise Not vulnerable
quantal Not vulnerable
raring Does not exist
saucy Does not exist
upstream Not vulnerable

Notes

Author Note

seth-arnold
Vulnerability introduced in 1.4.0

mdeslaur
as of 2013-12-09, not yet in upstream repo
v3 of patch proposed 2013-10-15:
http://article.gmane.org/gmane.comp.emulators.qemu/238070
v4 of patch proposed 2013-11-29:
http://article.gmane.org/gmane.comp.emulators.qemu/244052

References

Bugs