CVE-2020-10701

Name	CVE-2020-10701
Description	A missing authorization flaw was found in the libvirt API responsible for changing the QEMU agent response timeout. This flaw allows read-only connections to adjust the time that libvirt waits for the QEMU guest agent to respond to agent commands. Depending on the timeout value that is set, this flaw can make guest agent commands fail because the agent cannot respond in time. Unprivileged users with a read-only connection could abuse this flaw to set the response timeout for all guest agent messages to zero, potentially leading to a denial of service. This flaw affects libvirt versions before 6.2.0.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs	955841

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libvirt (PTS)	buster	5.0.0-4+deb10u1	fixed
	bullseye	7.0.0-3	fixed
	bookworm, sid	9.0.0-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
libvirt	source	jessie	(not affected)
libvirt	source	stretch	(not affected)
libvirt	source	buster	(not affected)
libvirt	source	(unstable)	6.0.0-7	955841

Notes

[buster] - libvirt <not-affected> (Vulnerable code introduced later)
[stretch] - libvirt <not-affected> (Vulnerable code introduced later)
[jessie] - libvirt <not-affected> (Vulnerable code introduced later)
Introduced in: https://libvirt.org/git/?p=libvirt.git;a=commit;h=95f5ac9ae52455e9da47afc95fa31c9456ac27ae (v5.10.0-rc1)
Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=4cc90c2e62df653e909ad31fd810224bf8bcf913 (v6.2.0-rc1)