[Pkg-libvirt-maintainers] Bug#926418: Bug#926418: libvirt: CVE-2019-3886: virsh domhostname command discloses guest hostname in readonly mode

Salvatore Bonaccorso carnil at debian.org
Mon Apr 8 11:21:31 BST 2019


Hi Guido,

On Mon, Apr 08, 2019 at 11:26:58AM +0200, Guido Günther wrote:
> Hi,
> On Sun, Apr 07, 2019 at 03:33:53PM +0200, Salvatore Bonaccorso wrote:
> > Hi Guido,
> > 
> > On Fri, Apr 05, 2019 at 09:54:30PM +0200, Salvatore Bonaccorso wrote:
> > > Hi Guido,
> > > 
> > > On Fri, Apr 05, 2019 at 07:10:25PM +0200, Guido Günther wrote:
> > > > Hi,
> > > > On Thu, Apr 04, 2019 at 10:30:14PM +0200, Salvatore Bonaccorso wrote:
> > > > > Source: libvirt
> > > > > Version: 5.0.0-1
> > > > > Severity: important
> > > > > Tags: security upstream
> > > > > Forwarded: https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
> > > > > 
> > > > > Hi,
> > > > > 
> > > > > The following vulnerability was published for libvirt.
> > > > > 
> > > > > CVE-2019-3886[0]:
> > > > > | An incorrect permissions check was discovered in libvirt 4.8.0 and
> > > > > | above. The readonly permission was allowed to invoke APIs depending on
> > > > > | the guest agent, which could lead to potentially disclosing unintended
> > > > > | information or denial of service by causing libvirt to block.
> > > > > 
> > > > > I'm filing it here as well for further investigation. Is this only
> > > > > affecting versions >= 4.8.0?
> > > > 
> > > > I'd assume this to affect older versions as well (looking at the
> > > > fix). I'll prepare an upload once upstream has this in git.
> > > 
> > > Thanks. Yes I'm confused that it's claimed to be 4.8.0 onwards, but
> > > the submitted fix would in theory apply.
> > 
> > And https://bugzilla.novell.com/show_bug.cgi?id=1131595#c3 confirms
> > somehow that >= 4.8.0 only looks strange. So let's assume it's
> > affecting as well the older version where the commit applies.
> 
> The problematic part is that virDomainGetHostname calls out to
> 
> qemuAgentGetHostname() which uses the untrusted agent:
> 
>    https://libvirt.org/git/?p=libvirt.git;a=commit;h=25736a4c7ed50c101b4f87935f350f1a39a89f6e
> 
> So this really only affects libvirt > 4.8.0. The other existing
> implementation is in the OpenVZ driver which a) is not used often and b)
> looks safe. So I think the information in the BTS is correct.

Thanks for verifying!

Regards,
Salvatore


