Patch for Jessie version attached. Patch is applied by hand from https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
I am a bit concerned this patch only patches the virDomainGetHostname function and not the virDomainGetTime function, while the tests (which I suspect are not run in the Debian build) appears to patch both. As such I suspect this might be incomplete as is. -- Brian May <br...@linuxpenguins.xyz> https://linuxpenguins.xyz/brian/
diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog --- libvirt-1.2.9/debian/changelog 2018-03-13 06:51:52.000000000 +1100 +++ libvirt-1.2.9/debian/changelog 2019-04-08 17:29:21.000000000 +1000 @@ -1,3 +1,11 @@ +libvirt (1.2.9-9+deb8u6) jessie-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2019-3886: Ensure get hostname and get time RPC calls require write + access. + + -- Brian May <b...@debian.org> Mon, 08 Apr 2019 17:29:21 +1000 + libvirt (1.2.9-9+deb8u5) jessie-security; urgency=high * Switch gbp.conf to jessie diff -Nru libvirt-1.2.9/debian/patches/CVE-2019-3886.patch libvirt-1.2.9/debian/patches/CVE-2019-3886.patch --- libvirt-1.2.9/debian/patches/CVE-2019-3886.patch 1970-01-01 10:00:00.000000000 +1000 +++ libvirt-1.2.9/debian/patches/CVE-2019-3886.patch 2019-04-08 17:29:08.000000000 +1000 @@ -0,0 +1,31 @@ +--- a/src/libvirt.c ++++ b/src/libvirt.c +@@ -20994,6 +20994,8 @@ + virResetLastError(); + + virCheckDomainReturn(domain, NULL); ++ virCheckReadOnlyGoto(domain->conn->flags, error); ++ + conn = domain->conn; + + if (conn->driver->domainGetHostname) { +--- a/src/remote/remote_protocol.x ++++ b/src/remote/remote_protocol.x +@@ -5049,7 +5049,7 @@ + + /** + * @generate: both +- * @acl: domain:read ++ * @acl: domain:write + */ + REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277, + +@@ -5444,7 +5444,7 @@ + + /** + * @generate: none +- * @acl: domain:read ++ * @acl: domain:write + */ + REMOTE_PROC_DOMAIN_GET_TIME = 337, + diff -Nru libvirt-1.2.9/debian/patches/series libvirt-1.2.9/debian/patches/series --- libvirt-1.2.9/debian/patches/series 2018-03-13 06:00:35.000000000 +1100 +++ libvirt-1.2.9/debian/patches/series 2019-04-08 17:25:13.000000000 +1000 @@ -37,3 +37,4 @@ upstream/qemu-Specify-format-iff-disk-source-is-not-empty.patch security/CVE-2018-5748-qemu-avoid-denial-of-service-reading-from-Q.patch security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch +CVE-2019-3886.patch