Hi Guido,

On Mon, Apr 08, 2019 at 11:26:58AM +0200, Guido Günther wrote:
> Hi,
> On Sun, Apr 07, 2019 at 03:33:53PM +0200, Salvatore Bonaccorso wrote:
> > Hi Guido,
> >
> > On Fri, Apr 05, 2019 at 09:54:30PM +0200, Salvatore Bonaccorso wrote:
> > > Hi Guido,
> > >
> > > On Fri, Apr 05, 2019 at 07:10:25PM +0200, Guido Günther wrote:
> > > > Hi,
> > > > On Thu, Apr 04, 2019 at 10:30:14PM +0200, Salvatore Bonaccorso wrote:
> > > > > Source: libvirt
> > > > > Version: 5.0.0-1
> > > > > Severity: important
> > > > > Tags: security upstream
> > > > > Forwarded: https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
> > > > >
> > > > > Hi,
> > > > >
> > > > > The following vulnerability was published for libvirt.
> > > > >
> > > > > CVE-2019-3886[0]:
> > > > > | An incorrect permissions check was discovered in libvirt 4.8.0 and
> > > > > | above. The readonly permission was allowed to invoke APIs depending on
> > > > > | the guest agent, which could lead to potentially disclosing unintended
> > > > > | information or denial of service by causing libvirt to block.
> > > > >
> > > > > I'm filing it here as well for further investigation. Is this only
> > > > > affecting versions >= 4.8.0?
> > > >
> > > > I'd assume this to affect older version as well (looking at the
> > > > fix). I'll prepare an upload once upstream has this in git.
> > >
> > > Thanks. Yes I'm confused that it's claimed to be 4.8.0 onwards, but
> > > the submitted fix would in theory apply.
> >
> > And https://bugzilla.novell.com/show_bug.cgi?id=1131595#c3 confirms
> > somehow that >= 4.8.0 only looks strange. So let's assume it's
> > affecting as well the older version where the commit applies.
>
> The problematic part is that virDomainGetHostname calls out to
> qemuAgentGetHostname() which uses the untrusted agent:
>
> https://libvirt.org/git/?p=libvirt.git;a=commit;h=25736a4c7ed50c101b4f87935f350f1a39a89f6e
>
> So this really only affects libvirt > 4.8.0. The other existing
> implementation is in the OpenVZ driver which a) is not used often and b)
> looks safe. So I think the information in the BTS is correct.

Thanks for verifying!

Regards,
Salvatore