[Pkg-libvirt-maintainers] Bug#1120584: Bug#1120584: libvirt: CVE-2025-12748

Andrea Bolognani eof at kiyuko.org
Fri Nov 14 22:04:06 GMT 2025


On Fri, Nov 14, 2025 at 09:35:34PM +0100, Salvatore Bonaccorso wrote:
> On Fri, Nov 14, 2025 at 12:30:00AM +0100, Andrea Bolognani wrote:
> > Fixed upstream with the following commits:
> > 
> >   2a326c415a qemu: Check ACLs before parsing the whole domain XML
> >   eb4322dfe8 ch: Check ACLs before parsing the whole domain XML
> >   7285c10a7e vz: Check ACLs before parsing the whole domain XML
> >   a6dcfee896 lxc: Check ACLs before parsing the whole domain XML
> >   a1f48bca07 libxl: Check ACLs before parsing the whole domain XML
> >   b45f10bc0a bhyve: Check ACLs before parsing the whole domain XML
> >   e6de1e43ab conf: Add virDomainDefIDsParseString
> > 
> > I'm going to prepare a backport targeting both sid and stable, fixing
> > both this and #1120119, in the next few days.
> > 
> > Will the Security Team take care of oldstable and oldoldstable?
> 
> Given this requires an authenticated user (please correct me if I got
> it wrong, but see as well discussion in the upstream issue): I do not
> think we would need a DSA for this issue.

Yes, the problematic parsing happened before ACL checks could run and
confirm that the user was allowed to invoke the specific libvirt API,
but prior authentication (e.g. libvirt group membership) would have
been necessary to establish a connection to libvirtd in the first
place. So a random unauthenticated user of the system wouldn't have
been able to exploit the flaw.

> Can you prepare the update
> to be included in a future point release?

To clarify, we're talking about a future *trixie* point release,
right?

Thanks.

-- 
Andrea Bolognani <eof at kiyuko.org>
Resistance is futile, you will be garbage collected.
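The flaw described in this thread is an ordering problem: the API handler parsed the whole client-supplied domain XML before the ACL check could establish that the (already authenticated) caller was allowed to invoke that API on that domain. The upstream fix, going by the commit titles, adds an identity-only parser (virDomainDefIDsParseString) so the ACL can be checked first. The following is an added illustration in Python, not libvirt's code: the ACL table, the two handler functions, the domain XML and the truncated payload are all constructed for the example, and `parse_domain_ids` only models the role the upstream helper plays.

```python
"""Model of the API-ordering flaw discussed in the thread (hypothetical
code, not libvirt's).  `define_domain_unsafe` parses the entire document
before consulting the ACL; `define_domain_safe` first extracts only the
identity fields with a cheap scan (the role virDomainDefIDsParseString
plays in the upstream fix), checks the ACL against them, and only then
runs the full parser."""
import re
import xml.etree.ElementTree as ET

# Constructed ACL table: client -> set of domain names it may define.
ACL = {"alice": {"web01"}, "bob": {"db01"}}

# Counts how often untrusted XML reaches the full parser.
FULL_PARSE_CALLS = [0]


class AccessDenied(PermissionError):
    pass


def check_acl(client, domain_name):
    """Authorization step.  The caller is already authenticated (it could
    open the connection) but may not be allowed to act on this domain."""
    if domain_name not in ACL.get(client, set()):
        raise AccessDenied(f"{client} may not define domain {domain_name!r}")


_ID_RE = re.compile(r"<(name|uuid)>\s*([^<]*?)\s*</\1>")


def parse_domain_ids(xml_text):
    """Cheap scan for <name> and <uuid> only.  It builds no tree and
    ignores everything else, so it is acceptable to run on input whose
    sender has not yet passed the ACL check."""
    ids = {}
    for tag, value in _ID_RE.findall(xml_text):
        ids.setdefault(tag, value)
        if "name" in ids and "uuid" in ids:
            break
    if "name" not in ids:
        raise ValueError("domain XML has no <name> element")
    return ids["name"], ids.get("uuid")


def parse_domain_full(xml_text):
    """Full parse: builds the whole tree and walks the device list.  This
    is the expensive step that must only see input from authorized
    callers."""
    FULL_PARSE_CALLS[0] += 1
    root = ET.fromstring(xml_text)
    if root.tag != "domain":
        raise ValueError("root element is not <domain>")
    devs = root.find("devices")
    devices = [d.tag for d in devs] if devs is not None else []
    return {"name": root.findtext("name", "").strip(),
            "uuid": root.findtext("uuid"), "devices": devices}


def define_domain_unsafe(client, xml_text):
    """Vulnerable ordering: full parse of untrusted XML, then ACL."""
    dom = parse_domain_full(xml_text)
    check_acl(client, dom["name"])
    return dom


def define_domain_safe(client, xml_text):
    """Fixed ordering: identity-only scan, ACL, then full parse."""
    name, _uuid = parse_domain_ids(xml_text)
    check_acl(client, name)
    dom = parse_domain_full(xml_text)
    # The cheap scan and the full parser must agree on the identity the
    # ACL decision was based on; otherwise refuse the definition.
    if dom["name"] != name:
        raise ValueError("domain name differs between ID scan and full parse")
    return dom


# Constructed sample domain XML.
DOMAIN_XML = """<domain type='kvm'>
  <name>web01</name>
  <uuid>6f0bd7a8-3f0e-4b61-9bd6-0d5b1c0f7d43</uuid>
  <memory unit='KiB'>1048576</memory>
  <devices>
    <disk type='file' device='disk'/>
    <interface type='network'/>
  </devices>
</domain>"""

# Constructed truncated payload: the full parser rejects it, but it still
# carries a recognizable <name> for the identity scan.
BROKEN_XML = "<domain><name>web01</name><devices><disk"


def count_full_parses(handler, client, xml_text):
    """Run one API call; return (outcome, full parses it caused)."""
    before = FULL_PARSE_CALLS[0]
    try:
        handler(client, xml_text)
        outcome = "ok"
    except AccessDenied:
        outcome = "denied"
    except (ET.ParseError, ValueError):
        outcome = "parse-error"
    return outcome, FULL_PARSE_CALLS[0] - before


if __name__ == "__main__":
    for handler in (define_domain_unsafe, define_domain_safe):
        print(handler.__name__)
        print("  alice/web01:", count_full_parses(handler, "alice", DOMAIN_XML))
        print("  bob/web01:  ", count_full_parses(handler, "bob", DOMAIN_XML))
        print("  bob/broken: ", count_full_parses(handler, "bob", BROKEN_XML))
```

Running it shows the difference the reordering makes: with the unsafe ordering, bob's requests reach the full parser even though he is never authorized for web01, and a malformed payload is rejected only after the parser has already run on it; with the safe ordering, the full parser is never invoked on bob's input at all. The final consistency check in `define_domain_safe` matters because a cheap identity scan and a full parser can disagree on crafted input, and the ACL decision is only as good as the name it was made against.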