Bugzilla – Bug 1138301
VUL-0: CVE-2019-10161: libvirt: api: disallow virDomainSaveImageGetXMLDesc on read-only connections
Last modified: 2019-09-11 22:11:21 UTC
via libvirt security list, reported by Matthias. The virDomainSaveImageGetXMLDesc API is taking a path parameter, which can point to any path on the system. This file will then be read and parsed by libvirtd running with root privileges. Forbid it on read-only connections. Fixes: CVE-2019-10161 Reported-by: Matthias Gerstner <mgerstner@suse.de> Signed-off-by: Ján Tomko <jtomko@redhat.com>
Created attachment 807633 [details] CVE-2019-10161.patch CVE-2019-10161.patch
This bug affects all products under general support and LTSS. It falls into the same category as bug#1131595, which was fixed for SLE11 SP3/4, SLE12 SP2/3/4, SLE15 GA/SP1, and TW. I'll do the same for this bug and also include SLE12 SP5. BTW, when do you prefer the SR to :Update. As soon as I have them ready? When the embargo is lifted? Something in between?
Not sure how long the embargo runs, I seems to have missed that... You can already submit to IBS I would say, we handle the embargoe flexible.
(In reply to James Fehlig from comment #2) > This bug affects all products under general support and LTSS. SLE12 SP2/3/4, SLE15 GA/SP1, and TW Hi James, SLE11-SP1 and SLE10-SP3 are still under normal support. Could you please have a look on these codestreams as well?
(In reply to Alexandros Toptsoglou from comment #6) > Hi James, SLE11-SP1 and SLE10-SP3 are still under normal support. Could you > please have a look on these codestreams as well? The virDomainSaveImageGetXMLDesc API was introduced in libvirt 0.9.4, so those code streams are not affected.
(In reply to James Fehlig from comment #8) > (In reply to Alexandros Toptsoglou from comment #6) > > Hi James, SLE11-SP1 and SLE10-SP3 are still under normal support. Could you > > please have a look on these codestreams as well? > > The virDomainSaveImageGetXMLDesc API was introduced in libvirt 0.9.4, so > those code streams are not affected. Hi James, I apologize that I come back to you but checking a little bit further I realized that since this is an LTSS worthy bug SLE12:GA and SLE12-SP1 should also receive an update.
(In reply to Alexandros Toptsoglou from comment #9) > I apologize that I come back to you but checking a little bit further I > realized that since this is an LTSS worthy bug SLE12:GA and SLE12-SP1 should > also receive an update. OK, I submitted to these as well.
This is an autogenerated message for OBS integration: This bug (1138301) was mentioned in https://build.opensuse.org/request/show/711170 Factory / libvirt
SUSE-SU-2019:14097-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1131595,1138301 CVE References: CVE-2019-10161,CVE-2019-3886 Sources used: SUSE Linux Enterprise Server 11-SP4-LTSS (src): libvirt-1.2.5-23.20.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): libvirt-1.2.5-23.20.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1599-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1138301,1138302,1138303 CVE References: CVE-2019-10161,CVE-2019-10166,CVE-2019-10167 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP4 (src): libvirt-4.0.0-8.15.2 SUSE Linux Enterprise Server 12-SP4 (src): libvirt-4.0.0-8.15.2 SUSE Linux Enterprise Desktop 12-SP4 (src): libvirt-4.0.0-8.15.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1637-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1136109,1138301,1138302,1138303 CVE References: CVE-2019-10161,CVE-2019-10166,CVE-2019-10167 Sources used: SUSE Linux Enterprise Module for Server Applications 15 (src): libvirt-4.0.0-9.27.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): libvirt-4.0.0-9.27.1 SUSE Linux Enterprise Module for Basesystem 15 (src): libvirt-4.0.0-9.27.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:14100-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1138301 CVE References: CVE-2019-10161 Sources used: SUSE Linux Enterprise Point of Sale 11-SP3 (src): libvirt-1.0.5.9-21.20.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): libvirt-1.0.5.9-21.20.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
is public now
SUSE-SU-2019:1643-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1138301,1138302,1138303,1138305 CVE References: CVE-2019-10161,CVE-2019-10166,CVE-2019-10167,CVE-2019-10168 Sources used: SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): libvirt-5.1.0-8.6.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): libvirt-5.1.0-8.6.1 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): libvirt-5.1.0-8.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1686-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1138301,1138303 CVE References: CVE-2019-10161,CVE-2019-10167 Sources used: SUSE Linux Enterprise Server for SAP 12-SP1 (src): libvirt-1.2.18.4-22.13.1 SUSE Linux Enterprise Server 12-SP1-LTSS (src): libvirt-1.2.18.4-22.13.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1690-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1138301 CVE References: CVE-2019-10161 Sources used: SUSE Linux Enterprise Server 12-LTSS (src): libvirt-1.2.5-27.19.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1672-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1136109,1138301,1138302,1138303 CVE References: CVE-2019-10161,CVE-2019-10166,CVE-2019-10167 Sources used: openSUSE Leap 15.0 (src): libvirt-4.0.0-lp150.7.18.2
released
openSUSE-SU-2019:1753-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1138301,1138302,1138303,1138305 CVE References: CVE-2019-10161,CVE-2019-10166,CVE-2019-10167,CVE-2019-10168 Sources used: openSUSE Leap 15.1 (src): libvirt-5.1.0-lp151.7.3.1
SUSE-SU-2019:2105-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1133719,1138301,1138303 CVE References: CVE-2019-10161,CVE-2019-10167 Sources used: SUSE OpenStack Cloud 7 (src): libvirt-2.0.0-27.61.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): libvirt-2.0.0-27.61.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): libvirt-2.0.0-27.61.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): libvirt-2.0.0-27.61.1 SUSE Enterprise Storage 4 (src): libvirt-2.0.0-27.61.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2227-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1133719,1138301,1138303,1138734 CVE References: CVE-2019-10161,CVE-2019-10167 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): libvirt-3.3.0-5.40.1 SUSE OpenStack Cloud 8 (src): libvirt-3.3.0-5.40.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): libvirt-3.3.0-5.40.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): libvirt-3.3.0-5.40.1 SUSE Enterprise Storage 5 (src): libvirt-3.3.0-5.40.1 HPE Helion Openstack 8 (src): libvirt-3.3.0-5.40.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2227-2: An update that solves two vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1133719,1138301,1138303,1138734 CVE References: CVE-2019-10161,CVE-2019-10167 Sources used: SUSE Linux Enterprise Server 12-SP3-LTSS (src): libvirt-3.3.0-5.40.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): libvirt-3.3.0-5.40.1 SUSE Enterprise Storage 5 (src): libvirt-3.3.0-5.40.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.