Control: tags -1 upstream fixed-upstream Control: found -1 libvirt/11.3.0-3
On Wed, Nov 12, 2025 at 08:14:46PM +0100, Salvatore Bonaccorso wrote: > The following vulnerability was published for libvirt. > > CVE-2025-12748[0]: > | A flaw was discovered in libvirt in the XML file processing. More > | specifically, the parsing of user provided XML files was performed > | before the ACL checks. A malicious user with limited permissions > | could exploit this flaw by submitting a specially crafted XML file, > | causing libvirt to allocate too much memory on the host. The > | excessive memory consumption could lead to a libvirt process crash > | on the host, resulting in a denial-of-service condition. > > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2025-12748 > https://www.cve.org/CVERecord?id=CVE-2025-12748 > [1] https://gitlab.com/libvirt/libvirt/-/issues/825 > > Please adjust the affected versions in the BTS as needed. Fixed upstream with the following commits: 2a326c415a qemu: Check ACLs before parsing the whole domain XML eb4322dfe8 ch: Check ACLs before parsing the whole domain XML 7285c10a7e vz: Check ACLs before parsing the whole domain XML a6dcfee896 lxc: Check ACLs before parsing the whole domain XML a1f48bca07 libxl: Check ACLs before parsing the whole domain XML b45f10bc0a bhyve: Check ACLs before parsing the whole domain XML e6de1e43ab conf: Add virDomainDefIDsParseString I'm going to prepare a backport targeting both sid and stable, fixing both this and #1120119, in the next few days. Will the Security Team take care of oldstable and oldoldstable? Thanks. -- Andrea Bolognani <[email protected]> Resistance is futile, you will be garbage collected.
signature.asc
Description: PGP signature
