File CVE-2019-3886-api.patch of Package libvirt.11700
commit 69f94df6afe2ea8e2034903d6423c783e0c535e8
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: Wed Apr 3 15:00:49 2019 +0100
api: disallow virDomainGetHostname for read-only connections
The virDomainGetHostname API is fetching guest information and this may
involve use of an untrusted guest agent. As such its use must be
forbidden on a read-only connection to libvirt.
Fixes CVE-2019-3886
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Index: libvirt-5.1.0/src/libvirt-domain.c
===================================================================
--- libvirt-5.1.0.orig/src/libvirt-domain.c
+++ libvirt-5.1.0/src/libvirt-domain.c
@@ -11031,6 +11031,8 @@ virDomainGetHostname(virDomainPtr domain
virCheckDomainReturn(domain, NULL);
conn = domain->conn;
+ virCheckReadOnlyGoto(domain->conn->flags, error);
+
if (conn->driver->domainGetHostname) {
char *ret;
ret = conn->driver->domainGetHostname(domain, flags);