Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
aports
aports
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 649
    • Issues 649
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Merge Requests 198
    • Merge Requests 198
  • CI / CD
    • CI / CD
    • Pipelines
    • Jobs
    • Schedules
  • Operations
    • Operations
    • Environments
  • Analytics
    • Analytics
    • CI / CD
    • Repository
    • Value Stream
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
  • alpine
  • aportsaports
  • Issues
  • #10616

Closed
Open
Opened Jun 25, 2019 by Alicha CH@alichaReporter
  • Report abuse
  • New issue
Report abuse New issue

[3.11] libvirt: Multiple vulnerabilities (CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168)

CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API

It was discovered that libvirtd would permit readonly clients to use the
virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which
would be accessed with the permissions of the libvirtd process. An
attacker with access to the libvirtd socket could use this to probe the
existence of arbitrary files, cause denial of service or cause libvirtd
to execute arbitrary programs.

This vulnerability was first present in libvirt v0.9.4.

Fixed In Version:

libvirt 4.10.1, libvirt 5.4.1

References:

https://security-tracker.debian.org/tracker/CVE-2019-10161
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2019-10161

Patch:

https://libvirt.org/git/?p=libvirt.git;a=commit;h=aed6a032cead4386472afb24b16196579e239580

CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly clients

It was discovered that libvirtd would permit readonly clients to use the
virDomainManagedSaveDefineXML() API, which would permit them to modify
managed save state files. If a managed save had already been created by
a privileged user, a local attacker could modify this file such that
libvirtd would execute an arbitrary program when the domain was resumed.

This vulnerability was first present in libvirt v3.6.1.

Fixed In Version:

libvirt 4.10.1, libvirt 5.4.1

References:

https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2019-10166
https://security-tracker.debian.org/tracker/CVE-2019-10166

Patch:

https://libvirt.org/git/?p=libvirt.git;a=commit;h=db0b78457f183e4c7ac45bc94de86044a1e2056a

CVE-2019-10167: arbitrary command execution via virConnectGetDomainCapabilities API

The virConnectGetDomainCapabilities() libvirt API accepts an “emulatorbin”
argument to specify the program providing emulation for a domain. Since
v1.2.19, libvirt will execute that program to probe the domain’s
capabilities. Read-only clients could specify an arbitrary path for this
argument, causing libvirtd to execute a crafted executable with its own

Fixed In Version:

libvirt 4.10.1, libvirt 5.4.1

References:

https://security-tracker.debian.org/tracker/CVE-2019-10167

Patch:

https://libvirt.org/git/?p=libvirt.git;a=commit;h=8afa68bac0cf99d1f8aaa6566685c43c22622f26

CVE-2019-10168: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs

The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU()
libvirt APIs accept an “emulator” argument to specify the program providing
emulation for a domain. Since v1.2.19, libvirt will execute that program to
probe the domain’s capabilities. Read-only clients could specify an arbitrary
path for this argument, causing libvirtd to execute a crafted executable with
its own privileges.

Fixed In Version:

libvirt 4.10.1, libvirt 5.4.1

References:

https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2019-10168
https://security-tracker.debian.org/tracker/CVE-2019-10168

Patch:

https://libvirt.org/git/?p=libvirt.git;a=commit;h=bf6c2830b6c338b1f5699b095df36f374777b291

(from redmine: issue id 10616, created on 2019-06-25, closed on 2019-07-04)

  • Relations:
    • parent #10615 (closed)
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information
Assignee
Assign to
3.11.0
Milestone
3.11.0 (Past due)
Assign milestone
Time tracking
None
Due date
None
3
Labels
Normal tag:security type:bug
Assign labels
  • View project labels
Reference: alpine/aports#10616