CVE-2019-10168 (retired)

Priority
Description
The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU()
libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an
"emulator" argument to specify the program providing emulation for a
domain. Since v1.2.19, libvirt will execute that program to probe the
domain's capabilities. Read-only clients could specify an arbitrary path
for this argument, causing libvirtd to execute a crafted executable with
libvirtd's own privileges.
Assigned-to
mdeslaur
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (code not present)
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (code not present)
Ubuntu 19.04 (Disco Dingo): released (5.0.0-1ubuntu2.4)
Ubuntu 19.10 (Eoan): released (5.4.0-0ubuntu3)
Patches:
Upstream: https://libvirt.org/git/?p=libvirt.git;a=commit;h=bf6c2830b6c338b1f5699b095df36f374777b291 (5.4)
Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=1ef98539a655109480628c91feac48c3c69675ef (5.0)
Upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=890965e8943a8837b41c3c6f366135ccfef48fb3 (4.6)

Updated: 2019-08-07 16:15:14 UTC (commit 87d6602658b8a25c6878e6e39e6fd71d74b8d0f5)