[Pkg-libvirt-maintainers] Bug#926418: Bug#926418: libvirt: CVE-2019-3886: virsh domhostname command discloses guest hostname in readonly mode

Salvatore Bonaccorso carnil at debian.org
Sun Apr 7 14:33:53 BST 2019


Hi Guido,

On Fri, Apr 05, 2019 at 09:54:30PM +0200, Salvatore Bonaccorso wrote:
> Hi Guido,
> 
> On Fri, Apr 05, 2019 at 07:10:25PM +0200, Guido Günther wrote:
> > Hi,
> > On Thu, Apr 04, 2019 at 10:30:14PM +0200, Salvatore Bonaccorso wrote:
> > > Source: libvirt
> > > Version: 5.0.0-1
> > > Severity: important
> > > Tags: security upstream
> > > Forwarded: https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
> > > 
> > > Hi,
> > > 
> > > The following vulnerability was published for libvirt.
> > > 
> > > CVE-2019-3886[0]:
> > > | An incorrect permissions check was discovered in libvirt 4.8.0 and
> > > | above. The readonly permission was allowed to invoke APIs depending on
> > > | the guest agent, which could lead to potentially disclosing unintended
> > > | information or denial of service by causing libvirt to block.
> > > 
> > > I'm filing it here as well for further investigation. Is this only
> > > affecting versions >= 4.8.0?
> > 
> > I'd assume this to affect older versions as well (looking at the
> > fix). I'll prepare an upload once upstream has this in git.
> 
> Thanks. Yes I'm confused that it's claimed to be 4.8.0 onwards, but
> the submitted fix would in theory apply.

And https://bugzilla.novell.com/show_bug.cgi?id=1131595#c3 confirms
somehow that >= 4.8.0 only looks strange. So let's assume it's
affecting as well the older versions where the commit applies.

Regards,
Salvatore


