[Pkg-libvirt-maintainers] Bug#1120584: Bug#1120584: libvirt: CVE-2025-12748
Salvatore Bonaccorso
carnil at debian.org
Fri Nov 14 20:35:34 GMT 2025
Hi Andrea,
On Fri, Nov 14, 2025 at 12:30:00AM +0100, Andrea Bolognani wrote:
> Control: tags -1 upstream fixed-upstream
> Control: found -1 libvirt/11.3.0-3
>
> On Wed, Nov 12, 2025 at 08:14:46PM +0100, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for libvirt.
> >
> > CVE-2025-12748[0]:
> > | A flaw was discovered in libvirt in the XML file processing. More
> > | specifically, the parsing of user provided XML files was performed
> > | before the ACL checks. A malicious user with limited permissions
> > | could exploit this flaw by submitting a specially crafted XML file,
> > | causing libvirt to allocate too much memory on the host. The
> > | excessive memory consumption could lead to a libvirt process crash
> > | on the host, resulting in a denial-of-service condition.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2025-12748
> > https://www.cve.org/CVERecord?id=CVE-2025-12748
> > [1] https://gitlab.com/libvirt/libvirt/-/issues/825
> >
> > Please adjust the affected versions in the BTS as needed.
>
> Fixed upstream with the following commits:
>
> 2a326c415a qemu: Check ACLs before parsing the whole domain XML
> eb4322dfe8 ch: Check ACLs before parsing the whole domain XML
> 7285c10a7e vz: Check ACLs before parsing the whole domain XML
> a6dcfee896 lxc: Check ACLs before parsing the whole domain XML
> a1f48bca07 libxl: Check ACLs before parsing the whole domain XML
> b45f10bc0a bhyve: Check ACLs before parsing the whole domain XML
> e6de1e43ab conf: Add virDomainDefIDsParseString
>
> I'm going to prepare a backport targeting both sid and stable, fixing
> both this and #1120119, in the next few days.
>
> Will the Security Team take care of oldstable and oldoldstable?
Given this requires an authenticated user (please correct me if I got
it wrong, but see as well discussion in the upstream issue): I do not
think we would need a DSA for this issue. Can you prepare the update
to be included in a future point release?
Regards,
Salvatore
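The ordering flaw described in the CVE text above, and the shape of the upstream fix ("Check ACLs before parsing the whole domain XML", with an identifier-only parse added first), as an added illustration in Python. This is not libvirt's code: the `ACL` table, `acl_allows`, the sample domain XML and the byte-counting reader are all constructed for the example, and "cost" here is simply how many bytes of untrusted input the parser consumed before the access decision was made.

```python
import io
import xml.etree.ElementTree as ET

# Constructed sample: valid identifiers followed by a large untrusted body.
SAMPLE_XML = (
    b"<domain type='kvm'><name>guest1</name>"
    b"<uuid>4dea22b3-1d52-d8f3-2516-782e98ab3fa0</uuid>"
    b"<description>" + b"x" * 200_000 + b"</description></domain>"
)

# Hypothetical ACL: which caller may define which domain (by name).
ACL = {"alice": {"guest1"}}


def acl_allows(user, name):
    return name in ACL.get(user, set())


class CountingReader(io.BytesIO):
    """BytesIO that records how many bytes the parser actually consumed."""
    def __init__(self, data):
        super().__init__(data)
        self.consumed = 0

    def read(self, n=-1):
        chunk = super().read(n)
        self.consumed += len(chunk)
        return chunk


def parse_domain_ids(xml_bytes):
    """Cheap pre-parse: take <name>/<uuid> directly under <domain>, keep no
    other content, and stop reading as soon as both have been seen."""
    reader, name, uuid, depth = CountingReader(xml_bytes), None, None, 0
    for event, elem in ET.iterparse(reader, events=("start", "end")):
        if event == "start":
            depth += 1
            continue
        if depth == 2 and elem.tag in ("name", "uuid"):
            name, uuid = (elem.text, uuid) if elem.tag == "name" else (name, elem.text)
        depth -= 1
        elem.clear()  # drop the untrusted body as we go
        if name is not None and uuid is not None:
            break
    return name, uuid, reader.consumed


def define_domain_parse_first(user, xml_bytes):
    """Vulnerable ordering (the CVE): full parse, then ACL check, so every
    caller, authorised or not, pays the whole parsing cost."""
    reader = CountingReader(xml_bytes)
    root = ET.parse(reader).getroot()
    cost = reader.consumed
    return ("defined" if acl_allows(user, root.findtext("name")) else "denied"), cost


def define_domain_acl_first(user, xml_bytes):
    """Fixed ordering: identifiers only, ACL check, full parse only if allowed."""
    name, _uuid, cost = parse_domain_ids(xml_bytes)
    if name is None or not acl_allows(user, name):
        return "denied", cost
    ET.parse(io.BytesIO(xml_bytes))  # full parse for an authorised caller
    return "defined", cost
```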