CVE-2019-3886

Name: CVE-2019-3886
Description: An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block.
Source: CVE (references at NVD, CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues)
NVD severity: medium
Debian Bugs: 926418

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                      Version            Status
libvirt (PTS)     jessie                       1.2.9-9+deb8u5     fixed
                  jessie (security)            1.2.9-9+deb8u7     fixed
                  stretch (security), stretch  3.0.0-4+deb9u4     fixed
                  buster                       5.0.0-4+deb10u1    fixed
                  bullseye                     5.6.0-2            fixed
                  sid                          5.6.0-3            fixed

The information below is based on the following data on fixed versions.

Package   Type    Release     Fixed Version   Urgency   Origin   Debian Bugs
libvirt   source  (unstable)  5.0.0-2         low                926418
libvirt   source  jessie      (not affected)
libvirt   source  stretch     (not affected)

Notes

[stretch] - libvirt <not-affected> (Vulnerable code not present)
[jessie] - libvirt <not-affected> (Vulnerable code not present)
https://bugzilla.redhat.com/show_bug.cgi?id=1694880
https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
https://bugzilla.suse.com/show_bug.cgi?id=1131595#c3
Introduced in: https://libvirt.org/git/?p=libvirt.git;a=commit;h=25736a4c7ed50c101b4f87935f350f1a39a89f6e (v4.8.0-rc1)
Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=2a07c990bd9143d7a0fe8d1b6b7c763c52185240
Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=ae076bb40e0e150aef41361b64001138d04d6c60
