| Name | CVE-2019-3886 |
| Description | An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 926418 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| libvirt (PTS) | jessie, jessie (lts) | 1.2.9-9+deb8u8 | fixed |
| stretch (security) | 3.0.0-4+deb9u5 | fixed |
| stretch (lts), stretch | 3.0.0-4+deb9u6 | fixed |
| buster (security), buster, buster (lts) | 5.0.0-4+deb10u2 | fixed |
| bullseye | 7.0.0-3+deb11u3 | fixed |
| bookworm | 9.0.0-4+deb12u2 | fixed |
| sid, trixie | 10.9.0-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| libvirt | source | wheezy | (not affected) | | | |
| libvirt | source | jessie | (not affected) | | | |
| libvirt | source | stretch | (not affected) | | | |
| libvirt | source | (unstable) | 5.0.0-2 | low | | 926418 |
Notes
[stretch] - libvirt <not-affected> (Vulnerable code not present)
[jessie] - libvirt <not-affected> (Vulnerable code not present)
https://bugzilla.redhat.com/show_bug.cgi?id=1694880
https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
https://bugzilla.suse.com/show_bug.cgi?id=1131595#c3
Introduced in: https://libvirt.org/git/?p=libvirt.git;a=commit;h=25736a4c7ed50c101b4f87935f350f1a39a89f6e (v4.8.0-rc1)
Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=2a07c990bd9143d7a0fe8d1b6b7c763c52185240
Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=ae076bb40e0e150aef41361b64001138d04d6c60
[wheezy] - libvirt <not-affected> (Vulnerable code not present)