[virt-tools-list] SECURITY: Various security issues in icoutils 'wrestool', used by libguestfs

Richard W.M. Jones rjones at redhat.com
Tue Mar 7 10:33:16 UTC 2017

Sorry for missing the importance of these earlier.  These
vulnerabilities were first disclosed this January.

There are seven vulnerabilities reported in the icoutils package, in
the 'wrestool' program.

Unfortunately because libguestfs downloads untrusted guest content and
processes it with 'wrestool -x' on the host, libguestfs is vulnerable
to these.  This could lead to host local code execution if you run
inspection tools (like virt-inspector) on untrusted guests or disk

Virt-manager is also vulnerable if you have python-libguestfs
installed and are running any untrusted guests.

The suggested action is to immediately update icoutils to the
non-vulnerable version (at least 0.31.1).

* CVE-2017-5208 (wrestool):

When calling the guestfs_inspect_get_icon API to find the icon
associated with Windows XP or Windows 7 guests, libguestfs will run
'wrestool -x ...' on an untrusted file from the guest.  wrestool could
be exploited to run local code on the host.

Note that any guest can "pretend" to look like Windows as far as
libguestfs inspection is concerned, so just because you don't have any
Windows guests does not help.

Original bug report:


* CVE-2017-6009 (wrestool):

Also memory corruption in wrestool, could cause a crash and might be
exploitable in other ways.  Original bug report:


* CVE-2017-6010, CVE-2017-6011 (both in wrestool):

Also memory corruption in wrestool, could cause a crash and might be
exploitable in other ways.  Original bug report:


* CVE-2017-5331, CVE-2017-5332 and CVE-2017-5333 (all in wrestool):

These are also all local code execution bugs in wrestool and could be
exploited in the same way as above.

Upstream fixes for these CVEs:


Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org

More information about the virt-tools-list mailing list