[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: libvirt / CVE-2019-3886



On Tue, Apr 09, 2019 at 05:16:47PM +1000, Brian May wrote:
> Guido Günther <agx@sigxcpu.org> writes:
> 
> > I don't think this is needed for jessie since the corresponding function
> > in qemu was implemented in 4.8.0.
> 
> Sounds like it won't hurt to leave this in, in any case...
> 
> > qemuDomainGetTime is present in 1.2.9 and uses the guest agent so it's
> > affected as well. The corresponding virDomainGetTime has no read only
> > check so this could be an issue (but should likely use a different
> > CVE). This was upstream fixed in
> >
> >     506e9d6c2d4baaf580d489fff0690c0ff2ff588f
> 
> Ok, so it does sound like I should make this change too.
> 
> Like it or not, I suspect CVE-2019-3886 might be getting used for both
> issues.

We're tracking at as it's currently assigned by MITRE and it's their usual
practice to split out secondary angles to a separate CVE ID. As such, you
should rather reach out to them via https://cveform.mitre.org and request
a separate ID for the part that affects 1.2.x as well.

Cheers,
        Moritz


Reply to: