On 4/3/19 8:00 AM, Daniel P. Berrangé wrote:
Getting the guest time and hostname both require use of guest agent
commands. These must not be allowed for read-only users, so the
permissions check must validate "write" permission not "read".
Fixes CVE-2019-3886
Signed-off-by: Daniel P. Berrangé <[email protected]>
---
src/remote/remote_protocol.x | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index 74be4b37d0..11f44ee267 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -5513,7 +5513,7 @@ enum remote_procedure {
/**
* @generate: both
- * @acl: domain:read
+ * @acl: domain:write
*/
REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,
@@ -5908,7 +5908,7 @@ enum remote_procedure {
/**
* @generate: none
- * @acl: domain:read
+ * @acl: domain:write
*/
REMOTE_PROC_DOMAIN_GET_TIME = 337,
Reviewed-by: Jim Fehlig <[email protected]>
Regards,
Jim
--
libvir-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libvir-list
