From: Han Han Date: Fri, 25 Oct 2024 04:57:26 +0000 (+0800) Subject: NEWS: Add the news for CVE-2024-4418 X-Git-Tag: v10.10.0-rc1~83 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d9bf5b63c5f154860d5ed51c61d9a9a260f0bd9;p=thirdparty%2Flibvirt.git NEWS: Add the news for CVE-2024-4418 Signed-off-by: Han Han Reviewed-by: Michal Privoznik --- diff --git a/NEWS.rst b/NEWS.rst index f85244bbfb..dbc6109ef0 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -338,6 +338,18 @@ v10.5.0 (2024-07-01) v10.4.0 (2024-06-03) ==================== +* **Security** + + * ``CVE-2024-4418``: Fix stack use-after-free in virNetClientIOEventLoop() + + Fix race condition leading to a stack use-after-free bug was found in libvirt. + Due to a bad assumption in the virNetClientIOEventLoop() method, the data + pointer to a stack-allocated virNetClientIOEventData structure ended up being + used in the virNetClientIOEventFD callback while the data pointer's stack frame + was concurrently being "freed" when returning from virNetClientIOEventLoop(). + This flaw allows a local, unprivileged user to access virtproxyd without + authenticating. + * **New features** * qemu: Support for ras feature for virt machine type
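Review bot: The first sentence of the added description under v10.4.0, "Fix race condition leading to a stack use-after-free bug was found in libvirt.", is two phrasings fused together and does not parse. Suggest either "A race condition leading to a stack use-after-free was found in libvirt." or dropping it, since the bullet title already says "Fix stack use-after-free in virNetClientIOEventLoop()". In the next sentence, virNetClientIOEventLoop() is called a "method"; "function" fits better for C code and matches the title. The last sentence is in the present tense ("This flaw allows ...") although the entry documents a fix; "allowed" would read more consistently. Finally, the entry is added to the section of an already released version (v10.4.0, 2024-06-03) by a commit dated 25 Oct 2024, and the commit message has no body: a line stating that the fix shipped in v10.4.0, ideally naming the fixing commit, would let a reader verify that the entry is placed under the right release.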