Sorry for missing the importance of these earlier. These
vulnerabilities were first disclosed this January.
There are seven vulnerabilities reported in the icoutils package, in
the 'wrestool' program.
Unfortunately, because libguestfs downloads untrusted guest content and
processes it with 'wrestool -x' on the host, libguestfs is vulnerable
to these. This could lead to local code execution on the host if you run
inspection tools (like virt-inspector) on untrusted guests or disk
images.
Virt-manager is also vulnerable if you have python-libguestfs
installed and are running any untrusted guests.
The suggested action is to immediately update icoutils to the
non-vulnerable version (at least 0.31.1).
* CVE-2017-5208 (wrestool):
When calling the guestfs_inspect_get_icon API to find the icon
associated with Windows XP or Windows 7 guests, libguestfs will run
'wrestool -x ...' on an untrusted file from the guest. wrestool could
be exploited to run local code on the host.
Note that any guest can "pretend" to look like Windows as far as
libguestfs inspection is concerned, so not having any Windows guests
does not protect you.
Original bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850017
* CVE-2017-6009 (wrestool):
Also memory corruption in wrestool, could cause a crash and might be
exploitable in other ways. Original bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854050
* CVE-2017-6010, CVE-2017-6011 (both in wrestool):
Also memory corruption in wrestool, could cause a crash and might be
exploitable in other ways. Original bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854054
* CVE-2017-5331, CVE-2017-5332 and CVE-2017-5333 (all in wrestool):
These are also all local code execution bugs in wrestool and could be
exploited in the same way as above.
Upstream fixes for these CVEs:
http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=4fbe9222fd79ee31...
http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff...
http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c...
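A quick way to confirm that a host has picked up the suggested update, as an added example that is not part of this mail or of the libguestfs/icoutils code: a POSIX shell check that parses the 'wrestool --version' banner found on PATH (the binary libguestfs would run) and compares it numerically against 0.31.1. It assumes the banner has the GNU form 'wrestool (icoutils) X.Y.Z'; the banners used for testing are constructed.

```shell
#!/bin/sh
# Minimum icoutils release that carries the upstream fixes listed above.
MIN_ICOUTILS_VERSION="0.31.1"

# Pull the dotted version out of a "wrestool --version" banner, which is
# assumed to look like "wrestool (icoutils) 0.31.1"; prints nothing otherwise.
parse_icoutils_version() {
    printf '%s\n' "$1" | sed -n 's/.*icoutils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed (exit 0) when dotted version $1 >= $2, comparing component by
# component numerically, so that 0.31.1 > 0.31 and 0.32 > 0.4 compare correctly.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.};; *) a="";; esac
        case "$b" in *.*) b=${b#*.};; *) b="";; esac
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# Succeed when the banner names a fixed icoutils; an unparseable banner
# fails closed, since we cannot tell whether the fix is present.
icoutils_banner_ok() {
    v=$(parse_icoutils_version "$1")
    [ -n "$v" ] || return 1
    version_ge "$v" "$MIN_ICOUTILS_VERSION"
}

# Inspect the wrestool actually on PATH, i.e. the one libguestfs would run.
check_installed_wrestool() {
    if ! command -v wrestool >/dev/null 2>&1; then
        echo "wrestool not installed; guestfs_inspect_get_icon cannot invoke it"
        return 0
    fi
    banner=$(wrestool --version 2>/dev/null | head -n 1)
    if icoutils_banner_ok "$banner"; then
        echo "OK: $banner (>= $MIN_ICOUTILS_VERSION)"
    else
        echo "VULNERABLE: $banner (< $MIN_ICOUTILS_VERSION or unknown); update icoutils"
        return 1
    fi
}

check_installed_wrestool
```

On a host where python-libguestfs or virt-inspector is used against untrusted images, a non-zero exit from this script means icon inspection still reaches a vulnerable wrestool.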
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages.
http://libguestfs.org