CVE-2020-10701

Name	CVE-2020-10701
Description	A missing authorization flaw was found in the libvirt API responsible for changing the QEMU agent response timeout. This flaw allows read-only connections to adjust the time that libvirt waits for the QEMU guest agent to respond to agent commands. Depending on the timeout value that is set, this flaw can make guest agent commands fail because the agent cannot respond in time. Unprivileged users with a read-only connection could abuse this flaw to set the response timeout for all guest agent messages to zero, potentially leading to a denial of service. This flaw affects libvirt versions before 6.2.0.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	955841

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libvirt (PTS)	jessie, jessie (lts)	1.2.9-9+deb8u8	fixed
	stretch (security)	3.0.0-4+deb9u5	fixed
	stretch (lts), stretch	3.0.0-4+deb9u6	fixed
	buster (security), buster, buster (lts)	5.0.0-4+deb10u2	fixed
	bullseye	7.0.0-3+deb11u3	fixed
	bookworm	9.0.0-4+deb12u2	fixed
	sid, trixie	10.9.0-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Debian Bugs
libvirt	source	wheezy	(unfixed)	end-of-life
libvirt	source	jessie	(not affected)
libvirt	source	stretch	(not affected)
libvirt	source	buster	(not affected)
libvirt	source	(unstable)	6.0.0-7		955841

Notes

[buster] - libvirt <not-affected> (Vulnerable code introduced later)
[stretch] - libvirt <not-affected> (Vulnerable code introduced later)
[jessie] - libvirt <not-affected> (Vulnerable code introduced later)
Introduced in: https://libvirt.org/git/?p=libvirt.git;a=commit;h=95f5ac9ae52455e9da47afc95fa31c9456ac27ae (v5.10.0-rc1)
Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=4cc90c2e62df653e909ad31fd810224bf8bcf913 (v6.2.0-rc1)