MiracleLinux 4 : libguestfs-1.16.19-1.0.1.AXS4 (AXSA:2012-585:02)

🗓️ 14 Jan 2026 00:00:00Reported by TenableType

MiracleLinux 4 update fixes CVE-2012-2690 in libguestfs causing world-readable edits.

Reporter	Title	Published	Views	Family All 23
Tenable Nessus	CentOS 6 : libguestfs (CESA-2012:0774)	11 Jul 201200:00	–	nessus
Tenable Nessus	Oracle Linux 6 : libguestfs (ELSA-2012-0774)	12 Jul 201300:00	–	nessus
Tenable Nessus	RHEL 6 : libguestfs (RHSA-2012:0774)	24 Jan 201300:00	–	nessus
Tenable Nessus	Scientific Linux Security Update : libguestfs on SL6.x x86_64 (20120620)	1 Aug 201200:00	–	nessus
Cent OS	libguestfs, ocaml, perl, python, ruby security update	10 Jul 201217:21	–	centos
CVE	CVE-2012-2690	29 Jun 201219:00	–	cve
Cvelist	CVE-2012-2690	29 Jun 201219:00	–	cvelist
Debian CVE	CVE-2012-2690	29 Jun 201219:00	–	debiancve
Oracle linux	libguestfs security, bug fix, and enhancement update	27 Jun 201200:00	–	oraclelinux
EUVD	EUVD-2012-2672	7 Oct 202500:30	–	euvd

Source	Link
tsn	www.tsn.miraclelinux.com/en/node/3100
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2012-585:02.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(284001);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/14");

  script_cve_id("CVE-2012-2690");

  script_name(english:"MiracleLinux 4 : libguestfs-1.16.19-1.0.1.AXS4 (AXSA:2012-585:02)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 4 host has packages installed that are affected by a vulnerability as referenced in the
AXSA:2012-585:02 advisory.

    Libguestfs is a library for accessing and modifying guest disk images. Amongst the things this is good
    for: making batch configuration changes to guests, getting disk used/free statistics (see also: virt-df),
    migrating between virtualization systems (see also: virt-p2v), performing partial backups, performing
    partial guest clones, cloning guests and changing registry/UUID/hostname info, and much else besides.
    Libguestfs uses Linux kernel and qemu code, and can access any type of guest filesystem that Linux and
    qemu can, including but not limited to: ext2/3/4, btrfs, FAT and NTFS, LVM, many different disk partition
    schemes, qcow, qcow2, vmdk.
    Libguestfs provides ways to enumerate guest storage (eg. partitions, LVs, what filesystem is in each LV,
    etc.). It can also run commands in the context of the guest.
    Libguestfs is a library that can be linked with C and C++ management programs.
     See also the 'guestfish' package for shell scripting and command line access, and 'libguestfs-mount' for
    mounting guest filesystems on the host using FUSE.
     For Perl bindings, see 'perl-Sys-Guestfs'.
     For OCaml bindings, see 'ocaml-libguestfs-devel'.
     For Python bindings, see 'python-libguestfs'.
     For Ruby bindings, see 'ruby-libguestfs'.
     For Java bindings, see 'libguestfs-java-devel'.
    Security issues fixed with this release:
     CVE-2012-2690
    virt-edit in libguestfs before 1.18.0 does not preserve the permissions from the original file and saves
    the new file with world-readable permissions when editing, which might allow local guest users to obtain
    sensitive information.
    Bug Fixes
     Previously, the virt-clone would adopt some of the properties of the original virtual machine (for
    example, the clone was created with a NIC identical to the original VM's). This has been solved by 2 new
    tools: virt-sysprep and virt-sparsify. Virt-sysprep can erase the guest state; virt-sparsify can make the
    image sparse. Both these tools should be used instead of or in conjunction with virt-clone.
     When trying to mount a non-existent disk, the libguestfs daemon crashed. This has been fixed, a error
    message is returned and libguestfs does not crash.
     The library containing the guestfs_launch() function has been modified to be thread-safe: two threads
    from the same program can now access the library.
     After a block device was closed, the udev device manager re-opened the block device through a triggered
    process. libguestfs operations would then fail, as they expect the disk being available for the kernel to
    re-read the partition table. This has been fixed: operations now wait for udev to finish.
     Fedora 17 and newer use a symbolic link for the /bin directory. libguestfs has been modified to handle
    such guests.
     Any disk containing autoexec.bat, boot.ini or the ntdlr file in its root would appear as a Windows root
    disk for libguestfs. HP recovery partitions were not recognized and libguestfs handled the system as dual-
    boot, so some virt tools did not work. This has been fixed and HP recovery partitions are not seen as a
    Windows root disk.
     Fixed libguestfs error string handling and Python programs no longer terminate with a segmentation fault
    when calling the g.launch()function.
    Enhancements
     Added the virt-alignment-scan tool and updated virt-resize. Guest partitions can now be diagnosed and
    their problems fixed, which imporves the partition performance.
     libguestfs operations can now handle HP Smart Array (cciss) devices. The virt-p2v tool can now convert
    systems that use Linux software RAID devices to run in a VM.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/3100");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-2690");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_severity", value:"Moderate");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/06/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/07/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:libguestfs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:libguestfs-java");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:libguestfs-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:libguestfs-tools-c");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:perl-Sys-Guestfs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:python-libguestfs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:4");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 4.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '4',
    'pkgs': [
      {'reference':'libguestfs-1.16.19-1.0.1.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'libguestfs-java-1.16.19-1.0.1.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'libguestfs-tools-1.16.19-1.0.1.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'libguestfs-tools-c-1.16.19-1.0.1.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'perl-Sys-Guestfs-1.16.19-1.0.1.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'python-libguestfs-1.16.19-1.0.1.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libguestfs / libguestfs-java / libguestfs-tools / etc');
}

14 Jan 2026 00:00Current

5.4Medium risk

Vulners AI Score5.4

CVSS 22.1

EPSS0.0005