Hi Andrea, On Fri, Nov 14, 2025 at 12:30:00AM +0100, Andrea Bolognani wrote: > Control: tags -1 upstream fixed-upstream > Control: found -1 libvirt/11.3.0-3 > > On Wed, Nov 12, 2025 at 08:14:46PM +0100, Salvatore Bonaccorso wrote: > > The following vulnerability was published for libvirt. > > > > CVE-2025-12748[0]: > > | A flaw was discovered in libvirt in the XML file processing. More > > | specifically, the parsing of user provided XML files was performed > > | before the ACL checks. A malicious user with limited permissions > > | could exploit this flaw by submitting a specially crafted XML file, > > | causing libvirt to allocate too much memory on the host. The > > | excessive memory consumption could lead to a libvirt process crash > > | on the host, resulting in a denial-of-service condition. > > > > > > If you fix the vulnerability please also make sure to include the > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > > > For further information see: > > > > [0] https://security-tracker.debian.org/tracker/CVE-2025-12748 > > https://www.cve.org/CVERecord?id=CVE-2025-12748 > > [1] https://gitlab.com/libvirt/libvirt/-/issues/825 > > > > Please adjust the affected versions in the BTS as needed. > > Fixed upstream with the following commits: > > 2a326c415a qemu: Check ACLs before parsing the whole domain XML > eb4322dfe8 ch: Check ACLs before parsing the whole domain XML > 7285c10a7e vz: Check ACLs before parsing the whole domain XML > a6dcfee896 lxc: Check ACLs before parsing the whole domain XML > a1f48bca07 libxl: Check ACLs before parsing the whole domain XML > b45f10bc0a bhyve: Check ACLs before parsing the whole domain XML > e6de1e43ab conf: Add virDomainDefIDsParseString > > I'm going to prepare a backport targeting both sid and stable, fixing > both this and #1120119, in the next few days. > > Will the Security Team take care of oldstable and oldoldstable?
Given this requires an authenticated user (please correct me if I got it wrong, but see as well discussion in the upstream issue): I do not think we would need a DSA for this issue. Can you prepare the update to be included in a future point release? Regards, Salvatore
