摘要:
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an emulatorbin argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain s capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
安全等级: Low
公告ID: KylinSec-SA-2022-1824
发布日期: 2022年8月5日
关联CVE: CVE-2019-10167
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an emulatorbin argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain s capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2019-10167 | KY3.4-4A | libvirt | Unaffected |
| CVE-2019-10167 | KY3.4-5 | libvirt | Unaffected |
| CVE-2019-10167 | KY3.5.1 | libvirt | Unaffected |
