Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711306 (CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168) - <app-emulation/libvirt-5.4.1: Multiple vulnerabilities (CVE-2019-{10161,10166,10167,10168})
Summary: <app-emulation/libvirt-5.4.1: Multiple vulnerabilities (CVE-2019-{10161,10166...
Status: RESOLVED FIXED
Alias: CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: https://access.redhat.com/libvirt-pri...
Whiteboard: B1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-02 11:28 UTC by Sam James
Modified: 2020-03-15 02:44 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-03-02 11:28:40 UTC
1) CVE-2019-10161

Description:
"It was discovered that libvirtd would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs."

Bug: https://access.redhat.com/security/cve/CVE-2019-10161

2) CVE-2019-10166

Description:
"It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed."

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10171

3) CVE-2019-10167

Description:
"The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges."

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10167

4) CVE-2019-10168

Description:
"The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges."

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1720118

---
Advisory: https://access.redhat.com/libvirt-privesc-vulnerabilities

Impact for all:
"The potential impact an attack could achieve includes:

    Testing for the existence of files on the host as root. Libvirtd can be given an arbitrary path to read a saved state file, which it will attempt to read (CVE-2019-10161).
    Denial of service. By choosing particular paths in /dev or /proc with CVE-2019-10161, libvirtd could lock or interfere with other processes on the host.
    Privilege escalation to the “qemu” user. Libvirtd can be convinced to execute an attacker-specified binary, which will be invoked under the qemu user id. This could permit an attacker to start, stop, manipulate, or compromise other virtual machines managed by livbirt (all CVEs).
    Privilege escalation to “root” in Red Hat Enterprise Linux 8. In this version of libvirtd, the binary is also executed with CAP_DAC_OVERRIDE, allowing it to read and write root-owned files."


Versions affected:
- <5.4.1
- <4.10.1
Comment 1 Larry the Git Cow gentoo-dev 2020-03-13 16:39:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=75352bea6963ac12faff5c565e2b9e19e8b19ef4

commit 75352bea6963ac12faff5c565e2b9e19e8b19ef4
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2020-03-13 15:39:24 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-03-13 16:29:40 +0000

    app-emulation/libvirt: drop old
    
    Bug: https://bugs.gentoo.org/711306
    Package-Manager: Portage-2.3.93, Repoman-2.3.20
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/libvirt/Manifest                |   4 -
 app-emulation/libvirt/libvirt-5.2.0-r2.ebuild | 384 --------------------------
 app-emulation/libvirt/libvirt-5.5.0-r1.ebuild | 379 -------------------------
 app-emulation/libvirt/libvirt-5.6.0.ebuild    | 379 -------------------------
 app-emulation/libvirt/libvirt-5.8.0.ebuild    | 383 -------------------------
 app-emulation/libvirt/metadata.xml            |   3 -
 6 files changed, 1532 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e8cc25768c10f6bca7167956ef6d7dbcc3ab90c

commit 4e8cc25768c10f6bca7167956ef6d7dbcc3ab90c
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2020-03-13 15:36:46 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-03-13 16:29:36 +0000

    dev-python/libvirt-python: drop  old
    
    Bug: https://bugs.gentoo.org/711306
    Package-Manager: Portage-2.3.93, Repoman-2.3.20
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 dev-python/libvirt-python/Manifest                 |  4 --
 .../libvirt-python/libvirt-python-5.2.0.ebuild     | 47 ----------------------
 .../libvirt-python/libvirt-python-5.5.0.ebuild     | 47 ----------------------
 .../libvirt-python/libvirt-python-5.6.0.ebuild     | 47 ----------------------
 .../libvirt-python/libvirt-python-5.8.0.ebuild     | 47 ----------------------
 5 files changed, 192 deletions(-)
Comment 2 Thomas Deutschmann gentoo-dev Security 2020-03-15 02:37:44 UTC
New GLSA request filed.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 02:44:28 UTC
This issue was resolved and addressed in
 GLSA 202003-18 at https://security.gentoo.org/glsa/202003-18
by GLSA coordinator Thomas Deutschmann (whissi).