Bug 1138301 - (CVE-2019-10161) VUL-0: CVE-2019-10161: libvirt: api: disallow virDomainSaveImageGetXMLDesc on read-only connections
(CVE-2019-10161)
VUL-0: CVE-2019-10161: libvirt: api: disallow virDomainSaveImageGetXMLDesc on...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: James Fehlig
Security Team bot
https://smash.suse.de/issue/235191/
CVSSv3:SUSE:CVE-2019-10161:7.8:(AV:L/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-06-14 13:39 UTC by Marcus Meissner
Modified: 2019-09-11 22:11 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CVE-2019-10161.patch (2.80 KB, patch)
2019-06-14 13:39 UTC, Marcus Meissner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2019-06-14 13:39:13 UTC
via libvirt security list, reported by Matthias.

The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.

Forbid it on read-only connections.

Fixes: CVE-2019-10161
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Comment 1 Marcus Meissner 2019-06-14 13:39:33 UTC
Created attachment 807633 [details]
CVE-2019-10161.patch

CVE-2019-10161.patch
Comment 2 James Fehlig 2019-06-14 21:46:23 UTC
This bug affects all products under general support and LTSS. It falls into the same category as bug#1131595, which was fixed for SLE11 SP3/4, SLE12 SP2/3/4, SLE15 GA/SP1, and TW. I'll do the same for this bug and also include SLE12 SP5.

BTW, when do you prefer the SR to :Update. As soon as I have them ready? When the embargo is lifted? Something in between?
Comment 3 Marcus Meissner 2019-06-15 10:17:33 UTC
Not sure how long the embargo runs, I seems to have missed that...

You can already submit to IBS I would say, we handle the embargoe flexible.
Comment 6 Alexandros Toptsoglou 2019-06-18 09:35:30 UTC
(In reply to James Fehlig from comment #2)
> This bug affects all products under general support and LTSS. SLE12 SP2/3/4, SLE15 GA/SP1, and TW


Hi James, SLE11-SP1 and SLE10-SP3 are still under normal support. Could you please have a look on these codestreams as well?
Comment 8 James Fehlig 2019-06-18 20:16:24 UTC
(In reply to Alexandros Toptsoglou from comment #6)
> Hi James, SLE11-SP1 and SLE10-SP3 are still under normal support. Could you
> please have a look on these codestreams as well?

The virDomainSaveImageGetXMLDesc API was introduced in libvirt 0.9.4, so those code streams are not affected.
Comment 9 Alexandros Toptsoglou 2019-06-19 08:07:32 UTC
(In reply to James Fehlig from comment #8)
> (In reply to Alexandros Toptsoglou from comment #6)
> > Hi James, SLE11-SP1 and SLE10-SP3 are still under normal support. Could you
> > please have a look on these codestreams as well?
> 
> The virDomainSaveImageGetXMLDesc API was introduced in libvirt 0.9.4, so
> those code streams are not affected.

Hi James, 

I apologize that I come back to you but checking a little bit further I realized that since this is an LTSS worthy bug SLE12:GA and SLE12-SP1 should also receive an update.
Comment 10 James Fehlig 2019-06-19 17:37:06 UTC
(In reply to Alexandros Toptsoglou from comment #9)
> I apologize that I come back to you but checking a little bit further I
> realized that since this is an LTSS worthy bug SLE12:GA and SLE12-SP1 should
> also receive an update.

OK, I submitted to these as well.
Comment 14 Swamp Workflow Management 2019-06-20 17:40:07 UTC
This is an autogenerated message for OBS integration:
This bug (1138301) was mentioned in
https://build.opensuse.org/request/show/711170 Factory / libvirt
Comment 15 Swamp Workflow Management 2019-06-21 13:23:44 UTC
SUSE-SU-2019:14097-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1131595,1138301
CVE References: CVE-2019-10161,CVE-2019-3886
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    libvirt-1.2.5-23.20.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libvirt-1.2.5-23.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2019-06-21 13:35:41 UTC
SUSE-SU-2019:1599-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1138301,1138302,1138303
CVE References: CVE-2019-10161,CVE-2019-10166,CVE-2019-10167
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libvirt-4.0.0-8.15.2
SUSE Linux Enterprise Server 12-SP4 (src):    libvirt-4.0.0-8.15.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    libvirt-4.0.0-8.15.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2019-06-21 16:12:53 UTC
SUSE-SU-2019:1637-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1136109,1138301,1138302,1138303
CVE References: CVE-2019-10161,CVE-2019-10166,CVE-2019-10167
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    libvirt-4.0.0-9.27.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    libvirt-4.0.0-9.27.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    libvirt-4.0.0-9.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2019-06-21 16:13:42 UTC
SUSE-SU-2019:14100-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1138301
CVE References: CVE-2019-10161
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    libvirt-1.0.5.9-21.20.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libvirt-1.0.5.9-21.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Alexandros Toptsoglou 2019-06-21 16:16:06 UTC
is public now
Comment 20 Swamp Workflow Management 2019-06-21 16:16:11 UTC
SUSE-SU-2019:1643-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1138301,1138302,1138303,1138305
CVE References: CVE-2019-10161,CVE-2019-10166,CVE-2019-10167,CVE-2019-10168
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    libvirt-5.1.0-8.6.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    libvirt-5.1.0-8.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libvirt-5.1.0-8.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2019-06-24 16:16:15 UTC
SUSE-SU-2019:1686-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1138301,1138303
CVE References: CVE-2019-10161,CVE-2019-10167
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    libvirt-1.2.18.4-22.13.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    libvirt-1.2.18.4-22.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2019-06-24 19:18:07 UTC
SUSE-SU-2019:1690-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1138301
CVE References: CVE-2019-10161
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    libvirt-1.2.5-27.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2019-06-30 22:21:09 UTC
openSUSE-SU-2019:1672-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1136109,1138301,1138302,1138303
CVE References: CVE-2019-10161,CVE-2019-10166,CVE-2019-10167
Sources used:
openSUSE Leap 15.0 (src):    libvirt-4.0.0-lp150.7.18.2
Comment 24 Marcus Meissner 2019-07-01 08:52:19 UTC
released
Comment 26 Swamp Workflow Management 2019-07-20 10:10:27 UTC
openSUSE-SU-2019:1753-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1138301,1138302,1138303,1138305
CVE References: CVE-2019-10161,CVE-2019-10166,CVE-2019-10167,CVE-2019-10168
Sources used:
openSUSE Leap 15.1 (src):    libvirt-5.1.0-lp151.7.3.1
Comment 28 Swamp Workflow Management 2019-08-09 16:12:17 UTC
SUSE-SU-2019:2105-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1133719,1138301,1138303
CVE References: CVE-2019-10161,CVE-2019-10167
Sources used:
SUSE OpenStack Cloud 7 (src):    libvirt-2.0.0-27.61.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libvirt-2.0.0-27.61.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libvirt-2.0.0-27.61.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libvirt-2.0.0-27.61.1
SUSE Enterprise Storage 4 (src):    libvirt-2.0.0-27.61.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Swamp Workflow Management 2019-08-28 13:17:52 UTC
SUSE-SU-2019:2227-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1133719,1138301,1138303,1138734
CVE References: CVE-2019-10161,CVE-2019-10167
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    libvirt-3.3.0-5.40.1
SUSE OpenStack Cloud 8 (src):    libvirt-3.3.0-5.40.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libvirt-3.3.0-5.40.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libvirt-3.3.0-5.40.1
SUSE Enterprise Storage 5 (src):    libvirt-3.3.0-5.40.1
HPE Helion Openstack 8 (src):    libvirt-3.3.0-5.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Swamp Workflow Management 2019-09-11 22:11:21 UTC
SUSE-SU-2019:2227-2: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1133719,1138301,1138303,1138734
CVE References: CVE-2019-10161,CVE-2019-10167
Sources used:
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libvirt-3.3.0-5.40.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libvirt-3.3.0-5.40.1
SUSE Enterprise Storage 5 (src):    libvirt-3.3.0-5.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.