1) CVE-2019-10161

Description:
"It was discovered that libvirtd would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs."

Bug: https://access.redhat.com/security/cve/CVE-2019-10161

2) CVE-2019-10166

Description:
"It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed."

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10171

3) CVE-2019-10167

Description:
"The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges."

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10167

4) CVE-2019-10168

Description:
"The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges."

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1720118

---

Advisory: https://access.redhat.com/libvirt-privesc-vulnerabilities

Impact for all:
"The potential impact an attack could achieve includes:
- Testing for the existence of files on the host as root. Libvirtd can be given an arbitrary path to read a saved state file, which it will attempt to read (CVE-2019-10161).
- Denial of service. By choosing particular paths in /dev or /proc with CVE-2019-10161, libvirtd could lock or interfere with other processes on the host.
- Privilege escalation to the “qemu” user. Libvirtd can be convinced to execute an attacker-specified binary, which will be invoked under the qemu user id. This could permit an attacker to start, stop, manipulate, or compromise other virtual machines managed by libvirt (all CVEs).
- Privilege escalation to “root” in Red Hat Enterprise Linux 8. In this version of libvirtd, the binary is also executed with CAP_DAC_OVERRIDE, allowing it to read and write root-owned files."

Versions affected:
- <5.4.1
- <4.10.1
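
Added example, not part of the original report and not libvirt or Gentoo tooling: a small triage helper that checks an upstream libvirt version string against the affected ranges quoted above. It assumes anything older than 4.x counts as affected, branches newer than 5.x are fixed, and a Gentoo `-rN` revision suffix is ignored, so distribution backports are not detected.

```python
import re

# First fixed release per upstream branch, from "Versions affected" above.
FIXED = {4: (4, 10, 1), 5: (5, 4, 1)}

# Accepts "5.2.0", "4.10", "5.2.0-r2" or "libvirt-5.2.0-r2".
# Pre-release suffixes (e.g. _rc1) are rejected instead of guessed at.
_PV = re.compile(r"^(?:libvirt-)?(\d+)\.(\d+)(?:\.(\d+))?(?:-r\d+)?$")


def parse_version(pv):
    """Return (major, minor, patch) for an upstream version string."""
    m = _PV.match(pv.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {pv!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(pv):
    """True if the upstream version falls inside the affected ranges."""
    version = parse_version(pv)
    major = version[0]
    if major < 4:
        # Assumption: "<4.10.1" covers every older branch as well.
        return True
    if major in FIXED:
        return version < FIXED[major]
    # Assumption: branches after 5.x already contain the fixes.
    return False


def triage(versions):
    """Map each version string to True (affected) or False."""
    return {pv: is_affected(pv) for pv in versions}


if __name__ == "__main__":
    # Constructed sample inventory for illustration.
    sample = ["4.10.0", "4.10.1", "5.2.0-r2", "5.4.1", "5.5.0-r1", "6.0.0"]
    for pv, affected in triage(sample).items():
        print(f"{pv:12} {'AFFECTED' if affected else 'ok'}")
```
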
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=75352bea6963ac12faff5c565e2b9e19e8b19ef4

commit 75352bea6963ac12faff5c565e2b9e19e8b19ef4
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2020-03-13 15:39:24 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-03-13 16:29:40 +0000

    app-emulation/libvirt: drop old

    Bug: https://bugs.gentoo.org/711306
    Package-Manager: Portage-2.3.93, Repoman-2.3.20
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/libvirt/Manifest                | 4 -
 app-emulation/libvirt/libvirt-5.2.0-r2.ebuild | 384 --------------------------
 app-emulation/libvirt/libvirt-5.5.0-r1.ebuild | 379 -------------------------
 app-emulation/libvirt/libvirt-5.6.0.ebuild    | 379 -------------------------
 app-emulation/libvirt/libvirt-5.8.0.ebuild    | 383 -------------------------
 app-emulation/libvirt/metadata.xml            | 3 -
 6 files changed, 1532 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e8cc25768c10f6bca7167956ef6d7dbcc3ab90c

commit 4e8cc25768c10f6bca7167956ef6d7dbcc3ab90c
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2020-03-13 15:36:46 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-03-13 16:29:36 +0000

    dev-python/libvirt-python: drop old

    Bug: https://bugs.gentoo.org/711306
    Package-Manager: Portage-2.3.93, Repoman-2.3.20
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 dev-python/libvirt-python/Manifest                 | 4 --
 .../libvirt-python/libvirt-python-5.2.0.ebuild     | 47 ----------------------
 .../libvirt-python/libvirt-python-5.5.0.ebuild     | 47 ----------------------
 .../libvirt-python/libvirt-python-5.6.0.ebuild     | 47 ----------------------
 .../libvirt-python/libvirt-python-5.8.0.ebuild     | 47 ----------------------
 5 files changed, 192 deletions(-)
New GLSA request filed.
This issue was resolved and addressed in GLSA 202003-18 at https://security.gentoo.org/glsa/202003-18 by GLSA coordinator Thomas Deutschmann (whissi).