Hi Andrea, On Fri, Nov 14, 2025 at 11:04:06PM +0100, Andrea Bolognani wrote: > On Fri, Nov 14, 2025 at 09:35:34PM +0100, Salvatore Bonaccorso wrote: > > On Fri, Nov 14, 2025 at 12:30:00AM +0100, Andrea Bolognani wrote: > > > Fixed upstream with the following commits: > > > > > > 2a326c415a qemu: Check ACLs before parsing the whole domain XML > > > eb4322dfe8 ch: Check ACLs before parsing the whole domain XML > > > 7285c10a7e vz: Check ACLs before parsing the whole domain XML > > > a6dcfee896 lxc: Check ACLs before parsing the whole domain XML > > > a1f48bca07 libxl: Check ACLs before parsing the whole domain XML > > > b45f10bc0a bhyve: Check ACLs before parsing the whole domain XML > > > e6de1e43ab conf: Add virDomainDefIDsParseString > > > > > > I'm going to prepare a backport targeting both sid and stable, fixing > > > both this and #1120119, in the next few days. > > > > > > Will the Security Team take care of oldstable and oldoldstable? > > > > Given this requires an authenticated user (please correct me if I got > > it wrong, but see as well discussion in the upstream issue): I do not > > think we would need a DSA for this issue. > > Yes, the problematic parsing happened before ACL checks could run and > confirm that the user was allowed to invoke the specific libvirt API, > but prior authentication (e.g. libvirt group membership) would have > been necessary to establish a connection to libvirtd in the first > place. So a random unauthenticated user of the system wouldn't have > been able to exploit the flaw.
Thanks for clarifying it explicitly. > > Can you prepare the update > > to be included in a future point release? > > To clarify, we're talking about a future *trixie* point release, > right? Yes, it is too late for 13.2 itself, which is happening in a few minutes. We can queue this and other already and then still build on top of it in case we need a DSA for other issues (I'm not aware of any right now which might warrant one, althoug there is as well the snapshot related issue so far). Regards, Salvatore
