[Pkg-libvirt-maintainers] Bug#1120584: Bug#1120584: libvirt: CVE-2025-12748
Salvatore Bonaccorso
carnil at debian.org
Sat Nov 15 08:59:50 GMT 2025
Hi Andrea,
On Fri, Nov 14, 2025 at 11:04:06PM +0100, Andrea Bolognani wrote:
> On Fri, Nov 14, 2025 at 09:35:34PM +0100, Salvatore Bonaccorso wrote:
> > On Fri, Nov 14, 2025 at 12:30:00AM +0100, Andrea Bolognani wrote:
> > > Fixed upstream with the following commits:
> > >
> > > 2a326c415a qemu: Check ACLs before parsing the whole domain XML
> > > eb4322dfe8 ch: Check ACLs before parsing the whole domain XML
> > > 7285c10a7e vz: Check ACLs before parsing the whole domain XML
> > > a6dcfee896 lxc: Check ACLs before parsing the whole domain XML
> > > a1f48bca07 libxl: Check ACLs before parsing the whole domain XML
> > > b45f10bc0a bhyve: Check ACLs before parsing the whole domain XML
> > > e6de1e43ab conf: Add virDomainDefIDsParseString
> > >
> > > I'm going to prepare a backport targeting both sid and stable, fixing
> > > both this and #1120119, in the next few days.
> > >
> > > Will the Security Team take care of oldstable and oldoldstable?
> >
> > Given this requires an authenticated user (please correct me if I got
> > it wrong, but see as well discussion in the upstream issue): I do not
> > think we would need a DSA for this issue.
>
> Yes, the problematic parsing happened before ACL checks could run and
> confirm that the user was allowed to invoke the specific libvirt API,
> but prior authentication (e.g. libvirt group membership) would have
> been necessary to establish a connection to libvirtd in the first
> place. So a random unauthenticated user of the system wouldn't have
> been able to exploit the flaw.
Thanks for clarifying it explicitly.
> > Can you prepare the update
> > to be included in a future point release?
>
> To clarify, we're talking about a future *trixie* point release,
> right?
Yes, it is too late for 13.2 itself, which is happening in a few
minutes. We can queue this and other already and then still build on
top of it in case we need a DSA for other issues (I'm not aware of any
right now which might warrant one, althoug there is as well the
snapshot related issue so far).
Regards,
Salvatore
More information about the Pkg-libvirt-maintainers
mailing list