Common Vulnerabilities and Exposures


Upstream information

CVE-2013-4419 at MITRE


The guestfish command in libguestfs 1.20.12, 1.22.7, and earlier, when using the --remote or --listen option, does not properly check the ownership of /tmp/.guestfish-$UID/ when creating a temporary socket file in this directory, which allows local users to write to the socket and execute arbitrary commands by creating /tmp/.guestfish-$UID/ in advance.

NVD CVSS v2 Base Score: 6.8 (AV:A/AC:H/Au:N/C:C/I:C/A:C)
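The ownership check the description says is missing can be sketched as follows. This is an added example, not libguestfs code or the upstream fix; the helper name `check_socket_dir` and the sandbox path under `/tmp/sockdir-demo-*` are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not libguestfs code): create or reuse a per-user
 * socket directory and refuse it unless it is a real directory, owned by
 * `owner`, with no group/other permission bits.
 * Returns 0 if the directory is safe to use, -1 otherwise. */
int check_socket_dir(const char *path, uid_t owner)
{
    struct stat st;

    /* EEXIST is expected on reuse, but it is also what a directory
     * created in advance looks like, so it is not trusted on its own. */
    if (mkdir(path, 0700) == -1 && errno != EEXIST)
        return -1;
    /* lstat, not stat: a symlink planted at `path` must not be followed. */
    if (lstat(path, &st) == -1)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return -1;              /* symlink, file, or other object */
    if (st.st_uid != owner)
        return -1;              /* created in advance by another user */
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return -1;              /* other users could reach the socket */
    return 0;
}

int main(void)
{
    /* Constructed sandbox path, so the demo never touches a real
     * /tmp/.guestfish-$UID directory. */
    char base[] = "/tmp/sockdir-demo-XXXXXX";
    char dir[128];

    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(dir, sizeof dir, "%s/.guestfish-%ld", base, (long)geteuid());
    printf("fresh dir:     %d\n", check_socket_dir(dir, geteuid()));
    chmod(dir, 0777);
    printf("loosened mode: %d\n", check_socket_dir(dir, geteuid()));
    rmdir(dir);
    rmdir(base);
    return 0;
}
```

A caller would run this check before binding the socket and abort on -1 rather than fall back to the existing directory.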

SUSE information

SUSE Bugzilla entry: 845720

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Software Development Kit 11 SP3
  • libguestfs-devel >= 1.20.4-0.18.1
SAT Patch Nr: 8465
SUSE Linux Enterprise Server 11 SP3
  • guestfs-data >= 1.20.4-0.18.1
  • guestfs-tools >= 1.20.4-0.18.1
  • guestfsd >= 1.20.4-0.18.1
  • libguestfs0 >= 1.20.4-0.18.1
SAT Patch Nr: 8465