CVE-2014-3657

The virDomainListPopulate function in conf/domain_conf.c in libvirt before 1.2.9 does not clean up the lock on the list of domains, which allows remote attackers to cause a denial of service (deadlock) via a NULL value in the second parameter in the virConnectListAllDomains API command.

Affected Software

Name	Vendor	Start Version	End Version
Libvirt	Libvirt	*	1.2.8 (including)
Libvirt	Libvirt	1.2.0 (including)	1.2.0 (including)
Libvirt	Libvirt	1.2.1 (including)	1.2.1 (including)
Libvirt	Libvirt	1.2.2 (including)	1.2.2 (including)
Libvirt	Libvirt	1.2.3 (including)	1.2.3 (including)
Libvirt	Libvirt	1.2.4 (including)	1.2.4 (including)
Libvirt	Libvirt	1.2.5 (including)	1.2.5 (including)
Libvirt	Libvirt	1.2.6 (including)	1.2.6 (including)
Libvirt	Libvirt	1.2.7 (including)	1.2.7 (including)
Red Hat Enterprise Linux 6	RedHat	libvirt-0:0.10.2-46.el6_6.2	*
Red Hat Enterprise Linux 7	RedHat	libvirt-0:1.1.1-29.el7_0.3	*
Libvirt	Ubuntu	devel	*
Libvirt	Ubuntu	esm-infra-legacy/trusty	*
Libvirt	Ubuntu	trusty	*
Libvirt	Ubuntu	trusty/esm	*
Libvirt	Ubuntu	utopic	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-3657
CWE	https://cwe.mitre.org/data/definitions/399.html

Affected Software

References