On 4/3/19 8:00 AM, Daniel P. Berrangé wrote:
Getting the guest time and hostname both require use of guest agent commands. These must not be allowed for read-only users, so the permissions check must validate "write" permission not "read". Fixes CVE-2019-3886 Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> --- src/remote/remote_protocol.x | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x index 74be4b37d0..11f44ee267 100644 --- a/src/remote/remote_protocol.x +++ b/src/remote/remote_protocol.x @@ -5513,7 +5513,7 @@ enum remote_procedure {/*** @generate: both - * @acl: domain:read + * @acl: domain:write */ REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,@@ -5908,7 +5908,7 @@ enum remote_procedure { /*** @generate: none - * @acl: domain:read + * @acl: domain:write */ REMOTE_PROC_DOMAIN_GET_TIME = 337,
Reviewed-by: Jim Fehlig <jfehlig@xxxxxxxx> Regards, Jim -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
