[Pkg-libvirt-maintainers] Bug#926418: Bug#926418: libvirt: CVE-2019-3886: virsh domhostname command discloses guest hostname in readonly mode

Guido Günther agx at sigxcpu.org
Mon Apr 8 10:26:58 BST 2019


Hi,
On Sun, Apr 07, 2019 at 03:33:53PM +0200, Salvatore Bonaccorso wrote:
> Hi Guido,
> 
> On Fri, Apr 05, 2019 at 09:54:30PM +0200, Salvatore Bonaccorso wrote:
> > Hi Guido,
> > 
> > On Fri, Apr 05, 2019 at 07:10:25PM +0200, Guido Günther wrote:
> > > Hi,
> > > On Thu, Apr 04, 2019 at 10:30:14PM +0200, Salvatore Bonaccorso wrote:
> > > > Source: libvirt
> > > > Version: 5.0.0-1
> > > > Severity: important
> > > > Tags: security upstream
> > > > Forwarded: https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
> > > > 
> > > > Hi,
> > > > 
> > > > The following vulnerability was published for libvirt.
> > > > 
> > > > CVE-2019-3886[0]:
> > > > | An incorrect permissions check was discovered in libvirt 4.8.0 and
> > > > | above. The readonly permission was allowed to invoke APIs depending on
> > > > | the guest agent, which could lead to potentially disclosing unintended
> > > > | information or denial of service by causing libvirt to block.
> > > > 
> > > > I'm filing it here as well for further investigation. Is this only
> > > > affecting versions >= 4.8.0?
> > > 
> > > I'd assume this to affect older versions as well (looking at the
> > > fix). I'll prepare an upload once upstream has this in git.
> > 
> > Thanks. Yes I'm confused that it's claimed to be 4.8.0 onwards, but
> > the submitted fix would in theory apply.
> 
> And https://bugzilla.novell.com/show_bug.cgi?id=1131595#c3 confirms
> somehow that >= 4.8.0 only looks strange. So let's assume it's
> affecting as well the older version where the commit applies.

The problematic part is that virDomainGetHostname calls out to
qemuAgentGetHostname() which uses the untrusted agent:

   https://libvirt.org/git/?p=libvirt.git;a=commit;h=25736a4c7ed50c101b4f87935f350f1a39a89f6e

So this really only affects libvirt > 4.8.0. The other existing
implementation is in the OpenVZ driver which a) is not used often and b)
looks safe. So I think the information in the BTS is correct.

Cheers,
 -- Guido