[virt-tools-list] SECURITY: Various security issues in icoutils 'wrestool', used by libguestfs

Richard W.M. Jones rjones at redhat.com
Tue Mar 7 10:33:16 UTC 2017


Sorry for missing the importance of these earlier.  These
vulnerabilities were first disclosed this January.

There are seven vulnerabilities reported in the icoutils package, in
the 'wrestool' program.

Unfortunately, because libguestfs downloads untrusted guest content and
processes it with 'wrestool -x' on the host, libguestfs is vulnerable
to these.  This could lead to local code execution on the host if you
run inspection tools (like virt-inspector) on untrusted guests or disk
images.

Virt-manager is also vulnerable if you have python-libguestfs
installed and are running any untrusted guests.

The suggested action is to immediately update icoutils to the
non-vulnerable version (at least 0.31.1).
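As an added check, not part of the original mail nor of libguestfs or icoutils: a POSIX sh snippet that pulls the version out of the `wrestool --version` banner and compares it against the fixed release 0.31.1. It assumes the first banner line carries the version as a dotted number (e.g. `wrestool (icoutils) 0.31.1`).

```shell
# Added example (not from the mail, libguestfs or icoutils): is the wrestool
# on this host at least the fixed icoutils release named in the advisory?
FIXED_ICOUTILS_VERSION="0.31.1"

# version_ge A B: exit 0 if dotted version A >= B, else 1.  Components are
# compared numerically; missing ones count as 0, so 0.31 < 0.31.1 < 0.32.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i in x) ? x[i] + 0 : 0
            xb = (i in y) ? y[i] + 0 : 0
            if (xa > xb) exit 0
            if (xa < xb) exit 1
        }
        exit 0
    }'
}

# wrestool_version_from_banner LINE: print the first dotted number in a
# "--version" banner line (assumed format: "wrestool (icoutils) 0.31.1").
wrestool_version_from_banner() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i ~ /^[0-9]+(\.[0-9]+)*$/) { print $i; exit } }'
}

# icoutils_is_fixed BANNER: 0 if version >= 0.31.1, 1 if older, 2 if unparsable.
icoutils_is_fixed() {
    v=$(wrestool_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_ICOUTILS_VERSION"
}

# check_host_wrestool: run the check against the wrestool found on PATH.
check_host_wrestool() {
    command -v wrestool >/dev/null 2>&1 || { echo "wrestool not installed"; return 0; }
    banner=$(wrestool --version 2>/dev/null | head -n 1)
    if icoutils_is_fixed "$banner"; then
        echo "OK: $banner (>= $FIXED_ICOUTILS_VERSION)"
    else
        echo "NOT OK: $banner (need >= $FIXED_ICOUTILS_VERSION); update icoutils"
        return 1
    fi
}
```

Run `check_host_wrestool` on any host where libguestfs inspection (virt-inspector, virt-manager with python-libguestfs) is used; a non-zero exit status means icoutils still needs updating.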

* CVE-2017-5208 (wrestool):

When calling the guestfs_inspect_get_icon API to find the icon
associated with Windows XP or Windows 7 guests, libguestfs will run
'wrestool -x ...' on an untrusted file from the guest.  wrestool could
be exploited to run local code on the host.

Note that any guest can "pretend" to look like Windows as far as
libguestfs inspection is concerned, so not having any Windows guests
does not protect you.

Original bug report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850017

* CVE-2017-6009 (wrestool):

Also memory corruption in wrestool; it could cause a crash and might be
exploitable in other ways.  Original bug report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854050

* CVE-2017-6010, CVE-2017-6011 (both in wrestool):

Also memory corruption in wrestool; it could cause a crash and might be
exploitable in other ways.  Original bug report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854054

* CVE-2017-5331, CVE-2017-5332 and CVE-2017-5333 (all in wrestool):

These are also all local code execution bugs in wrestool and could be
exploited in the same way as above.

Upstream fixes for these CVEs:
http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=4fbe9222fd79ee31b7ec031b0be070a9a400d1d3
http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a
http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org
