CVE-2019-10167

Published: 20 June 2019

The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
libvirt
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.04 LTS (Focal Fossa)
Released (5.4.0-0ubuntu3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.0.0-1ubuntu8.12)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (1.3.1-1ubuntu10.27)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable

Patches:
Upstream: https://libvirt.org/git/?p=libvirt.git;a=commit;h=8afa68bac0cf99d1f8aaa6566685c43c22622f26 (5.4)
Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=58f237d696310f3ac62e98b3b5e9cb98e13064e9 (5.0)
Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=93edb0ea630556569320de83d45b100718f1391f (4.6)
Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=585be8edbef5ce4ef30e6c20386358ca1ba8e344 (4.1)
Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=be5d96d547ec54bc35e5eab6472ec900184ae837 (1.3.1)