[Pkg-libvirt-maintainers] Bug#1120119: Bug#1120119: libvirt-daemon: data leak for new offline snapshots

Andrea Bolognani eof at kiyuko.org
Thu Nov 13 23:17:56 GMT 2025 

Control: tags -1 upstream fixed-upstream

On Wed, Nov 05, 2025 at 06:19:39PM +0100, Sylvain Beucler wrote:
> When creating snapshots for shut-down VMs, using virt-manager or virsh,
> e.g.:
> virsh snapshot-create-as --domain bookworm-oldstable --name snap1
> --disk-only --diskspec
> vda,snapshot=external,file=/var/lib/libvirt/images/myvm.snap1
> 
> then the snapshot is world-readable (644):
> # ls -lh /var/lib/libvirt/images/bookworm-oldstable.snap1
> -rw-r--r-- 1 root root 193K  5 nov.  17:40
> /var/lib/libvirt/images/myvm.snap1
> 
> by any user:
> # su - nobody -s /bin/sh -c 'hd -n 8 /var/lib/libvirt/images/myvm.snap1'
> 00000000  51 46 49 fb 00 00 00 03                           |QFI.....|
> 
> (This doesn't happen for running VMs where permission is correctly 600.)
> 
> Such snapshots also stay world-readable after running the VM, allowing all
> local users to access the new data, which is a grave data leak.

Thanks for the report.

A fix has been merged upstream today:

  commit a379327d8abcde8ac8d3e16fe5e4ba6f790d767a
  Author: Peter Krempa <pkrempa at redhat.com>
  Date:   Wed Nov 12 17:52:05 2025 +0100

    qemu: snapshot: Set umask for 'qemu-img' when creating external inactive snapshots
    
    External inactive snapshots are created by invoking 'qemu-img' which
    creates the file. Currently qemu-img creates image with mode 644 based
    on default umask as libvirt doesn't set any.
    
    Having a world-readable image is obviously wrong so set the umask to
    077 to have the file readable only by the owner.
    
    Resolves: https://bugs.debian.org/1120119
    Signed-off-by: Peter Krempa <pkrempa at redhat.com>

  https://gitlab.com/libvirt/libvirt/-/commit/a379327d8abcde8ac8d3e16fe5e4ba6f790d767a

I will prepare a backport within a few days.

-- 
Andrea Bolognani <eof at kiyuko.org>
Resistance is futile, you will be garbage collected.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-libvirt-maintainers/attachments/20251114/f830d1d6/attachment-0001.sig>

More information about the Pkg-libvirt-maintainers mailing list