From 9f447837ae14651d06228ff77ae9196e258ca3f3 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 7 Mar 2017 10:50:25 +0000
Subject: [PATCH] docs: Document vulnerabilities in icoutils wrestool affecting
 libguestfs.

---
 docs/guestfs-security.pod | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/docs/guestfs-security.pod b/docs/guestfs-security.pod
index 5745ce897..8b5cc1fa7 100644
--- a/docs/guestfs-security.pod
+++ b/docs/guestfs-security.pod
@@ -351,6 +351,28 @@ recommendation is that you recompile libguestfs using a version of the
 OCaml compiler where this bug has been fixed (or ask your Linux distro
 to do the same).
 
+=head2 CVE-2017-5208, CVE-2017-5331, CVE-2017-5332, CVE-2017-5333,
+CVE-2017-6009, CVE-2017-6010, CVE-2017-6011
+
+Multiple vulnerabilities in the L<wrestool(1)> program in the
+C<icoutils> package can be exploited for local code execution on the
+host.
+
+When libguestfs inspection (see L</Inspection security> above) detects
+a Windows XP or Windows 7 guest and is asked to find an associated
+icon for the guest, it will download an untrusted file from the guest
+and run C<wrestool -x> on that file.  This can lead to local code
+execution on the host.  Any disk image or guest can be crafted to look
+like a Windows guest to libguestfs inspection, so just because you do
+not have Windows guests does not help.
+
+Any program calling the libguestfs API C<guestfs_inspect_get_icon>
+could be vulnerable.  This includes L<virt-inspector(1)> and
+L<virt-manager(1)>.
+
+The solution is to update to the non-vulnerable version of icoutils
+(at least 0.31.1).
+
 =head1 SEE ALSO
 
 L<guestfs(3)>,