[Pkg-libvirt-commits] [libguestfs] 03/59: Document three (fixed) security problems in the main manual page.

Hilko Bengen bengen at moszumanska.debian.org
Wed Nov 26 22:04:02 UTC 2014 

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to branch master
in repository libguestfs.

commit ae4b3224ec2efb36529ab5158c17d9e777d98e4a
Author: Richard W.M. Jones <rjones at redhat.com>
Date:   Mon Oct 27 17:50:58 2014 +0000

    Document three (fixed) security problems in the main manual page.
    
    Previously these were only covered in the release notes, but not in
    the "SECURITY" section of guestfs(3).
    
    (cherry picked from commit 7f7c15334722b975722e43ccd5308fc74a4ad453)
---
 src/guestfs.pod | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/src/guestfs.pod b/src/guestfs.pod
index 8d86014..2775864 100644
--- a/src/guestfs.pod
+++ b/src/guestfs.pod
@@ -2172,6 +2172,41 @@ sockets owned by another user's guestfish client or server.
 It is sufficient to update libguestfs to a version that is not
 vulnerable: libguestfs E<ge> 1.20.12, E<ge> 1.22.7 or E<ge> 1.24.
 
+=head2 Denial of service when inspecting disk images with corrupt btrfs volumes
+
+It was possible to crash libguestfs (and programs that use libguestfs
+as a library) by presenting a disk image containing a corrupt btrfs
+volume.
+
+This was caused by a NULL pointer dereference causing a denial of
+service, and is not thought to be exploitable any further.
+
+See commit d70ceb4cbea165c960710576efac5a5716055486 for the fix.  This
+fix is included in libguestfs stable branches S<E<ge> 1.26.0>, S<E<ge>
+1.24.6> and S<E<ge> 1.22.8>, and also in RHEL S<E<ge> 7.0>.
+Earlier versions of libguestfs are not vulnerable.
+
+=head2 CVE-2014-0191
+
+Libguestfs previously used unsafe libxml2 APIs for parsing libvirt
+XML.  These APIs defaulted to allowing network connections to be made
+when certain XML documents were presented.  Using a malformed XML
+document it was also possible to exhaust all CPU, memory or file
+descriptors on the machine.
+
+Since the libvirt XML comes from a trusted source (the libvirt daemon)
+it is not thought that this could have been exploitable.
+
+This was fixed in libguestfs E<ge> 1.27.9 and the fix was backported
+to stable versions E<ge> 1.26.2, E<ge> 1.24.9, E<ge> 1.22.10 and E<ge>
+1.20.13.
+
+=head2 Shellshock (bash CVE-2014-6271)
+
+This bash bug indirectly affects libguestfs.  For more information
+see:
+L<https://www.redhat.com/archives/libguestfs/2014-September/msg00252.html>
+
 =head2 CVE-2014-8484
 
 =head2 CVE-2014-8485

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libguestfs.git

More information about the Pkg-libvirt-commits mailing list