A number of related vulnerabilities in the libvirt management API were recently discovered and fixed by the libvirt maintainers. These vulnerabilities expose unintended functionality to API clients with read-only permissions that could be used by the client to perform operations outside their normal sphere of permissions. An attacker could test for the existence of files on the host as root. Libvirtd can be given an arbitrary path to read a saved state file, which it will attempt to read. This may also be exploited for a denial-of-service attack by choosing particular paths in /dev or /proc.
For Debian 7 Wheezy, these problems have been fixed in version 0.9.12.3-1+deb7u4.
We recommend that you upgrade your libvirt packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.