[Pkg-libvirt-maintainers] Bug#701649: Fix for stable

Guido Günther agx at sigxcpu.org
Fri Mar 15 09:30:08 UTC 2013


On Fri, Mar 15, 2013 at 10:17:29AM +0100, Guido Günther wrote:
> On Fri, Mar 15, 2013 at 08:15:15AM +0100, Yves-Alexis Perez wrote:
> > On sam., 2013-03-09 at 19:54 +0100, Guido Günther wrote:
> > > Hi,
> > > sorry for the delay but attached is the diff for the stable update.
> > > This addresses #701649 (CVE-2013-1766) as well as #699224 (kind of
> > > CVE-2013-0170). Is this enough for the security team to issue the DSA?
> > > Let me know if I can help further.
> > 
> > Just a comment. Does the package still need to create/remove the kvm
> > group? Shouldn't only the kvm package do that?
> 
> I think so. We need to put the user in that group to access /dev/kvm.
> We could use a trigger but that would certainly be more fragile.
> 
> > What about the permissions on devices (there's something about it on the
> > bug report)?
> 
> Devices will be changed to libvirt-qemu:libvirt-qemu when accessed to
> make sure the process has the necessary permission.

Permissions of disks are currently set to 0600.
 -- Guido

> Cheers,
>  -- Guido


