[Libguestfs] ATTN: Denial of service attack possible on libguestfs 1.21.x, libguestfs.1.22.0

There's a denial of service attack possible from guests on any program that does inspection (eg. virt-inspector, many other virt-* tools, virt-v2v, OpenStack). The attack causes the host process to crash because of a double free. It's probably not exploitable (definitely not on Fedora because of the default memory hardening settings). This patch contains the fix and a reproducer: https://github.com/libguestfs/libguestfs/commit/fa6a76050d82894365dfe3291... This affects libguestfs >= 1.21.6 and libguestfs 1.22.0 and 1.23.0. I will include the fix in libguestfs >= 1.22.1 and >= 1.23.1. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests. http://libguestfs.org/virt-v2v