[Libguestfs] CVE-2010-3851 libguestfs: missing disk format specifier when adding a disk

Richard W.M. Jones rjones at redhat.com
Tue Oct 19 11:37:19 UTC 2010

(This bug was found by Matthew Booth during routine code review)

We found a security issue which affects libguestfs programs in some
circumstances.  Since we don't pass the disk format through to qemu, a
malicious guest backed by raw-format storage might craft a qcow2
header into its own disk.  QEmu would interpret this, and qcow2 offers
a wide range of features such as accessing arbitrary backing files
from the host, allowing the guest to read a host file (under rather
narrow conditions, see below).

All versions of virt-v2v are vulnerable.  virt-inspector is vulnerable
for versions <= 1.5.3.  Other programs that use libguestfs may be

You should review the bug below carefully to find out if you could be
affected, particularly the Description and Comment 1:


A CVE has been allocated to this bug:


No fix is available at present, but we are working on one.  In the
meantime, avoid using libguestfs / tools on:

 - untrusted, malicious guests that use raw-format storage
 - where you are running commands from these guests


Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)

More information about the Libguestfs mailing list