[Pkg-libvirt-maintainers] Bug#926418: Bug#926418: libvirt: CVE-2019-3886: virsh domhostname command discloses guest hostname in readonly mode

Salvatore Bonaccorso carnil at debian.org
Fri Apr 5 20:54:30 BST 2019


Hi Guido,

On Fri, Apr 05, 2019 at 07:10:25PM +0200, Guido Günther wrote:
> Hi,
> On Thu, Apr 04, 2019 at 10:30:14PM +0200, Salvatore Bonaccorso wrote:
> > Source: libvirt
> > Version: 5.0.0-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
> > 
> > Hi,
> > 
> > The following vulnerability was published for libvirt.
> > 
> > CVE-2019-3886[0]:
> > | An incorrect permissions check was discovered in libvirt 4.8.0 and
> > | above. The readonly permission was allowed to invoke APIs depending on
> > | the guest agent, which could lead to potentially disclosing unintended
> > | information or denial of service by causing libvirt to block.
> > 
> > I'm filing it here as well for further investigation. Is this only
> > affecting versions >= 4.8.0?
> 
> I'd assume this to affect older versions as well (looking at the
> fix). I'll prepare an upload once upstream has this in git.

Thanks. Yes I'm confused that it's claimed to be 4.8.0 onwards, but
the submitted fix would in theory apply.

Regards,
Salvatore


