Re: libvirt / CVE-2019-3886

To: Guido Günther <agx@sigxcpu.org>
Cc: debian-lts@lists.debian.org
Subject: Re: libvirt / CVE-2019-3886
From: Brian May <bam@debian.org>
Date: Tue, 09 Apr 2019 17:16:47 +1000
Message-id: <[🔎] 871s2bejhc.fsf@silverfish.pri>
In-reply-to: <[🔎] 20190408100108.GA10558@bogon.m.sigxcpu.org>
References: <[🔎] 87bm1hdjft.fsf@silverfish.pri> <[🔎] 20190408100108.GA10558@bogon.m.sigxcpu.org>

Guido Günther <agx@sigxcpu.org> writes:

> I don't think this is needed for jessie since the corresponding function
> in qemu was implemented in 4.8.0.

Sounds like it won't hurt to leave this in, in any case...

> qemuDomainGetTime is present in 1.2.9 and uses the guest agent so it's
> affected as well. The corresponding virDomainGetTime has no read only
> check so this could be an issue (but should likely use a different
> CVE). This was upstream fixed in
>
>     506e9d6c2d4baaf580d489fff0690c0ff2ff588f

Ok, so it does sound like I should make this change too.

Like it or not, I suspect CVE-2019-3886 might be getting used for both
issues.
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: libvirt / CVE-2019-3886
  - From: Brian May <bam@debian.org>
- Re: libvirt / CVE-2019-3886
  - From: Moritz Mühlenhoff <jmm@inutil.org>

References:
- libvirt / CVE-2019-3886
  - From: Brian May <brian@linuxpenguins.xyz>
- Re: libvirt / CVE-2019-3886
  - From: Guido Günther <agx@sigxcpu.org>

Prev by Date: Re: more missing DLAs on the website
Next by Date: Re: LTS, no-dsa reasoning and sponsored packages
Previous by thread: Re: libvirt / CVE-2019-3886
Next by thread: Re: libvirt / CVE-2019-3886
Index(es):
- Date
- Thread