CVE-2010-3851 Information
Description
libguestfs before 1.5.23, as used in virt-v2v, virt-inspector 1.5.3 and earlier, and possibly other products, when a raw-format disk image is used, allows local guest OS administrators to read files from the host via a crafted (1) qcow2, (2) VMDK, or (3) VDI header, related to lack of support for a disk format specifier.
Reference
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050237.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050742.html
http://rwmj.wordpress.com/2010/10/23/new-libguestfs-stable-versions/
http://secunia.com/advisories/41797
http://secunia.com/advisories/42235
http://www.redhat.com/support/errata/RHSA-2011-0586.html
http://www.securityfocus.com/bid/44166
http://www.vupen.com/english/advisories/2010/2874
http://www.vupen.com/english/advisories/2010/2963
https://bugzilla.redhat.com/show_bug.cgi?id=643958
https://www.redhat.com/archives/libguestfs/2010-October/msg00036.html
https://www.redhat.com/archives/libguestfs/2010-October/msg00037.html
https://www.redhat.com/archives/libguestfs/2010-October/msg00041.html