MiracleLinux 4 : libguestfs-1.7.17-17.0.1.AXS4 (AXSA:2011-500:01)

🗓️ 14 Jan 2026 00:00:00Reported by TenableType

MiracleLinux 4 updates libguestfs to fix CVE-2010-3851 and related issues.

Reporter	Title	Published	Views	Family All 24
CVE	CVE-2010-3851	4 Nov 201017:00	–	cve
Cvelist	CVE-2010-3851	4 Nov 201017:00	–	cvelist
Oracle linux	libguestfs security, bug fix, and enhancement update	29 May 201100:00	–	oraclelinux
EUVD	EUVD-2010-3830	7 Oct 202500:30	–	euvd
Fedora	[SECURITY] Fedora 13 Update: libguestfs-1.6.0-1.fc13.1	11 Nov 201022:20	–	fedora
Fedora	[SECURITY] Fedora 14 Update: libguestfs-1.5.23-1	2 Nov 201022:16	–	fedora
Tenable Nessus	Fedora 14 : libguestfs-1.5.23-1 (2010-16835)	3 Nov 201000:00	–	nessus
Tenable Nessus	Fedora 13 : libguestfs-1.6.0-1.fc13.1 (2010-17202)	12 Nov 201000:00	–	nessus
Tenable Nessus	Oracle Linux 6 : libguestfs (ELSA-2011-0586)	7 Sep 202300:00	–	nessus
Tenable Nessus	RHEL 6 : libguestfs (RHSA-2011:0586)	24 Jan 201300:00	–	nessus

Source	Link
tsn	www.tsn.miraclelinux.com/en/node/2215
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2011-500:01.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(284418);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/14");

  script_cve_id("CVE-2010-3851");

  script_name(english:"MiracleLinux 4 : libguestfs-1.7.17-17.0.1.AXS4 (AXSA:2011-500:01)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 4 host has packages installed that are affected by a vulnerability as referenced in the
AXSA:2011-500:01 advisory.

    Libguestfs is a library for accessing and modifying guest disk images.
    Amongst the things this is good for: making batch configuration changes to guests, getting disk used/free
    statistics (see also: virt-df), migrating between virtualization systems (see also: virt-p2v), performing
    partial backups, performing partial guest clones, cloning guests and changing registry/UUID/hostname info,
    and much else besides.
    Libguestfs uses Linux kernel and qemu code, and can access any type of guest filesystem that Linux and
    qemu can, including but not limited to: ext2/3/4, btrfs, FAT and NTFS, LVM, many different disk partition
    schemes, qcow, qcow2, vmdk.
    Libguestfs provides ways to enumerate guest storage (eg. partitions, LVs, what filesystem is in each LV,
    etc.).  It can also run commands in the context of the guest.
    Libguestfs is a library that can be linked with C and C++ management programs.
    See also the 'guestfish' package for shell scripting and command line access, and 'libguestfs-mount' for
    mounting guest filesystems on the host using FUSE.
    For Perl bindings, see 'perl-Sys-Guestfs'.
    For OCaml bindings, see 'ocaml-libguestfs-devel'.
    For Python bindings, see 'python-libguestfs'.
    For Ruby bindings, see 'ruby-libguestfs'.
    For Java bindings, see 'libguestfs-java-devel'.
    Security issues fixed with this release
    CVE-2010-3851
    libguestfs before 1.5.23, as used in virt-v2v, virt-inspector 1.5.3 and earlier, and possibly other
    products, when a raw-format disk image is used, allows local guest OS administrators to read files from
    the host via a crafted (1) qcow2, (2) VMDK, or (3) VDI header, related to lack of support for a disk
    format specifier.
    This update also upgrades libguestfs to upstream version 1.7.17, which includes a number of bug fixes and
    enhancements, too many to list here. Please refer to the changelog.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/2215");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2010-3851");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_severity", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/10/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/12/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:libguestfs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:libguestfs-java");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:libguestfs-mount");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:libguestfs-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:libguestfs-tools-c");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:perl-Sys-Guestfs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:4");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 4.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '4',
    'pkgs': [
      {'reference':'libguestfs-1.7.17-17.0.1.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'libguestfs-java-1.7.17-17.0.1.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'libguestfs-mount-1.7.17-17.0.1.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'libguestfs-tools-1.7.17-17.0.1.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'libguestfs-tools-c-1.7.17-17.0.1.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'perl-Sys-Guestfs-1.7.17-17.0.1.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libguestfs / libguestfs-java / libguestfs-mount / libguestfs-tools / etc');
}

14 Jan 2026 00:00Current

5.6Medium risk

Vulners AI Score5.6

CVSS 24.7

EPSS0.00088