Bug#926418: [Pkg-libvirt-maintainers] Bug#926418: libvirt: CVE-2019-3886: virsh domhostname command discloses guest hostname in readonly mode

2019-04-08 Thread Salvatore Bonaccorso
Hi Guido,

On Mon, Apr 08, 2019 at 11:26:58AM +0200, Guido Günther wrote:
> Hi,
> On Sun, Apr 07, 2019 at 03:33:53PM +0200, Salvatore Bonaccorso wrote:
> > Hi Guido,
> > 
> > On Fri, Apr 05, 2019 at 09:54:30PM +0200, Salvatore Bonaccorso wrote:
> > > Hi Guido,
> > > 
> > > On Fri, Apr 05, 2019 at 07:10:25PM +0200, Guido Günther wrote:
> > > > Hi,
> > > > On Thu, Apr 04, 2019 at 10:30:14PM +0200, Salvatore Bonaccorso wrote:
> > > > > Source: libvirt
> > > > > Version: 5.0.0-1
> > > > > Severity: important
> > > > > Tags: security upstream
> > > > > Forwarded: 
> > > > > https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
> > > > > 
> > > > > Hi,
> > > > > 
> > > > > The following vulnerability was published for libvirt.
> > > > > 
> > > > > CVE-2019-3886[0]:
> > > > > | An incorrect permissions check was discovered in libvirt 4.8.0 and
> > > > > | above. The readonly permission was allowed to invoke APIs depending on
> > > > > | the guest agent, which could lead to potentially disclosing unintended
> > > > > | information or denial of service by causing libvirt to block.
> > > > > 
> > > > > I'm filing it here as well for further investigation. Is this only
> > > > > affecting versions >= 4.8.0?
> > > > 
> > > > I'd assume this to affect older version as well (looking at the
> > > > fix). I'll prepare an upload once upstream has this in git.
> > > 
> > > Thanks. Yes I'm confused that it's claimed to be 4.8.0 onwards, but
> > > the submitted fix would in theory apply.
> > 
> > And https://bugzilla.novell.com/show_bug.cgi?id=1131595#c3 confirms
> > somehow that >= 4.8.0 only looks strange. So let's assume it's
> > affecting as well the older version where the commit applies.
> 
> The problematic part is that virDomainGetHostname calls out to
> qemuAgentGetHostname() which uses the untrusted agent:
> 
>    https://libvirt.org/git/?p=libvirt.git;a=commit;h=25736a4c7ed50c101b4f87935f350f1a39a89f6e
> 
> So this really only affects libvirt > 4.8.0. The other existing
> implementation is in the OpenVZ driver which a) is not used often and b)
> looks safe. So I think the information in the BTS is correct.

Thanks for verifying!

Regards,
Salvatore



Bug#926418: [Pkg-libvirt-maintainers] Bug#926418: libvirt: CVE-2019-3886: virsh domhostname command discloses guest hostname in readonly mode

2019-04-08 Thread Guido Günther
Hi,
On Sun, Apr 07, 2019 at 03:33:53PM +0200, Salvatore Bonaccorso wrote:
> Hi Guido,
> 
> On Fri, Apr 05, 2019 at 09:54:30PM +0200, Salvatore Bonaccorso wrote:
> > Hi Guido,
> > 
> > On Fri, Apr 05, 2019 at 07:10:25PM +0200, Guido Günther wrote:
> > > Hi,
> > > On Thu, Apr 04, 2019 at 10:30:14PM +0200, Salvatore Bonaccorso wrote:
> > > > Source: libvirt
> > > > Version: 5.0.0-1
> > > > Severity: important
> > > > Tags: security upstream
> > > > Forwarded: 
> > > > https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
> > > > 
> > > > Hi,
> > > > 
> > > > The following vulnerability was published for libvirt.
> > > > 
> > > > CVE-2019-3886[0]:
> > > > | An incorrect permissions check was discovered in libvirt 4.8.0 and
> > > > | above. The readonly permission was allowed to invoke APIs depending on
> > > > | the guest agent, which could lead to potentially disclosing unintended
> > > > | information or denial of service by causing libvirt to block.
> > > > 
> > > > I'm filing it here as well for further investigation. Is this only
> > > > affecting versions >= 4.8.0?
> > > 
> > > I'd assume this to affect older version as well (looking at the
> > > fix). I'll prepare an upload once upstream has this in git.
> > 
> > Thanks. Yes I'm confused that it's claimed to be 4.8.0 onwards, but
> > the submitted fix would in theory apply.
> 
> And https://bugzilla.novell.com/show_bug.cgi?id=1131595#c3 confirms
> somehow that >= 4.8.0 only looks strange. So let's assume it's
> affecting as well the older version where the commit applies.

The problematic part is that virDomainGetHostname calls out to
qemuAgentGetHostname() which uses the untrusted agent:

   https://libvirt.org/git/?p=libvirt.git;a=commit;h=25736a4c7ed50c101b4f87935f350f1a39a89f6e

So this really only affects libvirt > 4.8.0. The other existing
implementation is in the OpenVZ driver which a) is not used often and b)
looks safe. So I think the information in the BTS is correct.

Cheers,
 -- Guido
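
A simplified model of the problem class discussed in this thread, added here as an illustration and not taken from libvirt or from the messages above: an API reachable on a read-only connection forwards to a guest agent whose reply is guest-controlled, shown beside a variant that rejects read-only callers first. All names (conn, CONN_RO, agent_get_hostname, get_hostname_unchecked, get_hostname_checked) and the reply string are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not libvirt source: every name below is invented. */
#define CONN_RO 0x1u            /* connection was opened read-only */

struct conn { unsigned flags; };

static int agent_calls;         /* counts round-trips to the guest agent */

/* Stand-in for a guest agent query: the reply is chosen by the guest and,
 * on a real host, the call can block for as long as the guest stays silent. */
static int agent_get_hostname(char *buf, size_t len)
{
    agent_calls++;
    snprintf(buf, len, "%s", "guest-chosen-name");   /* constructed reply */
    return 0;
}

/* Before: no access check, so a read-only client reaches the agent. */
static int get_hostname_unchecked(const struct conn *c, char *buf, size_t len)
{
    (void)c;
    return agent_get_hostname(buf, len);
}

/* After: refuse read-only connections before any agent traffic happens. */
static int get_hostname_checked(const struct conn *c, char *buf, size_t len)
{
    if (c->flags & CONN_RO) {
        if (len)
            buf[0] = '\0';
        return -1;              /* denied: nothing disclosed, nothing blocks */
    }
    return agent_get_hostname(buf, len);
}

int main(void)
{
    struct conn ro = { CONN_RO }, rw = { 0 };
    char buf[64];

    printf("unchecked, ro: %d\n", get_hostname_unchecked(&ro, buf, sizeof buf));
    printf("checked,   ro: %d\n", get_hostname_checked(&ro, buf, sizeof buf));
    printf("checked,   rw: %d\n", get_hostname_checked(&rw, buf, sizeof buf));
    printf("agent calls:   %d\n", agent_calls);
    return 0;
}
```

The agent call counter makes the denial-of-service half visible: in the checked variant a read-only caller never causes an agent round-trip at all.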



Bug#926418: [Pkg-libvirt-maintainers] Bug#926418: libvirt: CVE-2019-3886: virsh domhostname command discloses guest hostname in readonly mode

2019-04-07 Thread Salvatore Bonaccorso
Hi Guido,

On Fri, Apr 05, 2019 at 09:54:30PM +0200, Salvatore Bonaccorso wrote:
> Hi Guido,
> 
> On Fri, Apr 05, 2019 at 07:10:25PM +0200, Guido Günther wrote:
> > Hi,
> > On Thu, Apr 04, 2019 at 10:30:14PM +0200, Salvatore Bonaccorso wrote:
> > > Source: libvirt
> > > Version: 5.0.0-1
> > > Severity: important
> > > Tags: security upstream
> > > Forwarded: 
> > > https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
> > > 
> > > Hi,
> > > 
> > > The following vulnerability was published for libvirt.
> > > 
> > > CVE-2019-3886[0]:
> > > | An incorrect permissions check was discovered in libvirt 4.8.0 and
> > > | above. The readonly permission was allowed to invoke APIs depending on
> > > | the guest agent, which could lead to potentially disclosing unintended
> > > | information or denial of service by causing libvirt to block.
> > > 
> > > I'm filing it here as well for further investigation. Is this only
> > > affecting versions >= 4.8.0?
> > 
> > I'd assume this to affect older version as well (looking at the
> > fix). I'll prepare an upload once upstream has this in git.
> 
> Thanks. Yes I'm confused that it's claimed to be 4.8.0 onwards, but
> the submitted fix would in theory apply.

And https://bugzilla.novell.com/show_bug.cgi?id=1131595#c3 confirms
somehow that >= 4.8.0 only looks strange. So let's assume it's
affecting as well the older version where the commit applies.

Regards,
Salvatore



Bug#926418: [Pkg-libvirt-maintainers] Bug#926418: libvirt: CVE-2019-3886: virsh domhostname command discloses guest hostname in readonly mode

2019-04-05 Thread Salvatore Bonaccorso
Hi Guido,

On Fri, Apr 05, 2019 at 07:10:25PM +0200, Guido Günther wrote:
> Hi,
> On Thu, Apr 04, 2019 at 10:30:14PM +0200, Salvatore Bonaccorso wrote:
> > Source: libvirt
> > Version: 5.0.0-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: 
> > https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
> > 
> > Hi,
> > 
> > The following vulnerability was published for libvirt.
> > 
> > CVE-2019-3886[0]:
> > | An incorrect permissions check was discovered in libvirt 4.8.0 and
> > | above. The readonly permission was allowed to invoke APIs depending on
> > | the guest agent, which could lead to potentially disclosing unintended
> > | information or denial of service by causing libvirt to block.
> > 
> > I'm filing it here as well for further investigation. Is this only
> > affecting versions >= 4.8.0?
> 
> I'd assume this to affect older version as well (looking at the
> fix). I'll prepare an upload once upstream has this in git.

Thanks. Yes I'm confused that it's claimed to be 4.8.0 onwards, but
the submitted fix would in theory apply.

Regards,
Salvatore



Bug#926418: [Pkg-libvirt-maintainers] Bug#926418: libvirt: CVE-2019-3886: virsh domhostname command discloses guest hostname in readonly mode

2019-04-05 Thread Guido Günther
Hi,
On Thu, Apr 04, 2019 at 10:30:14PM +0200, Salvatore Bonaccorso wrote:
> Source: libvirt
> Version: 5.0.0-1
> Severity: important
> Tags: security upstream
> Forwarded: 
> https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
> 
> Hi,
> 
> The following vulnerability was published for libvirt.
> 
> CVE-2019-3886[0]:
> | An incorrect permissions check was discovered in libvirt 4.8.0 and
> | above. The readonly permission was allowed to invoke APIs depending on
> | the guest agent, which could lead to potentially disclosing unintended
> | information or denial of service by causing libvirt to block.
> 
> I'm filing it here as well for further investigation. Is this only
> affecting versions >= 4.8.0?

I'd assume this to affect older version as well (looking at the
fix). I'll prepare an upload once upstream has this in git.
 -- Guido