CVE-2019-3886

NameCVE-2019-3886
DescriptionAn incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs926418

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libvirt (PTS)buster5.0.0-4+deb10u1fixed
bullseye7.0.0-3+deb11u2fixed
bookworm9.0.0-4fixed
sid, trixie10.0.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libvirtsourcejessie(not affected)
libvirtsourcestretch(not affected)
libvirtsource(unstable)5.0.0-2low926418

Notes

[stretch] - libvirt <not-affected> (Vulnerable code not present)
[jessie] - libvirt <not-affected> (Vulnerable code not present)
https://bugzilla.redhat.com/show_bug.cgi?id=1694880
https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
https://bugzilla.suse.com/show_bug.cgi?id=1131595#c3
Introduced in: https://libvirt.org/git/?p=libvirt.git;a=commit;h=25736a4c7ed50c101b4f87935f350f1a39a89f6e (v4.8.0-rc1)
Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=2a07c990bd9143d7a0fe8d1b6b7c763c52185240
Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=ae076bb40e0e150aef41361b64001138d04d6c60

Search for package or bug name: Reporting problems