Your message dated Wed, 03 Dec 2025 00:05:47 +0000
with message-id <[email protected]>
and subject line Bug#1120119: fixed in libvirt 11.10.0-1
has caused the Debian Bug report #1120119,
regarding libvirt: CVE-2025-13193: data leak for new offline snapshots
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1120119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120119
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libvirt-daemon
X-Debbugs-Cc: [email protected], [email protected]
Version: 11.3.0-3
Severity: grave

Dear Maintainer,

When creating snapshots for shut-down VMs, using virt-manager or virsh, e.g.: virsh snapshot-create-as --domain bookworm-oldstable --name snap1 --disk-only --diskspec vda,snapshot=external,file=/var/lib/libvirt/images/myvm.snap1

then the snapshot is world-readable (644):
# ls -lh /var/lib/libvirt/images/bookworm-oldstable.snap1
-rw-r--r-- 1 root root 193K 5 nov. 17:40 /var/lib/libvirt/images/myvm.snap1

by any user:
# su - nobody -s /bin/sh -c 'hd -n 8 /var/lib/libvirt/images/myvm.snap1'
00000000  51 46 49 fb 00 00 00 03                           |QFI.....|

(This doesn't happen for running VMs where permission is correctly 600.)

Such snapshots also stay world-readable after running the VM, allowing all local users to access the new data, which is a grave data leak.

Regards,
Sylvain Beucler

--- End Message ---
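The report above boils down to a file-mode problem: a snapshot created for a shut-down VM lands on disk as 0644 instead of 0600, so every local account can read guest data. The following is an added example, not code from the report, from libvirt or from the Debian package. It audits an image directory for disk images readable by anyone other than their owner, strips the extra bits, and shows the creation-time fix that avoids the window entirely: passing 0600 to open(2) instead of relying on the process umask or a later chmod. The directory layout, file names and the `.snap` naming convention are assumptions taken from the report's example; the qcow2 magic bytes match the hexdump quoted above.

```python
"""Audit and remediate world-readable libvirt disk images and snapshots.

Added example illustrating the permission problem from the bug report
(snapshot files created as 0644 instead of 0600). Not part of libvirt or
the Debian packaging; all paths and file names below are constructed.
"""
import os
import stat
import tempfile
from pathlib import Path

# Assumption: common disk image suffixes plus the ".snapN" naming used in the report.
IMAGE_SUFFIXES = (".qcow2", ".img", ".raw")
QCOW2_MAGIC = b"QFI\xfb"  # qcow2 header magic, as seen in the report's hexdump


def is_exposed(mode: int) -> bool:
    """True if any group or other permission bit is set.
    A libvirt-managed image should be 0600 (owner-only)."""
    return bool(mode & 0o077)


def is_disk_image(path: Path) -> bool:
    """Heuristic: known suffix, '.snap' in the name, or a qcow2 header."""
    if path.suffix in IMAGE_SUFFIXES or ".snap" in path.name:
        return True
    try:
        with path.open("rb") as fh:
            return fh.read(4) == QCOW2_MAGIC
    except OSError:
        return False


def find_exposed_images(directory):
    """Return sorted (path, mode) pairs for regular files under `directory`
    that look like disk images and are readable by group or others."""
    exposed = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = Path(root) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            mode = stat.S_IMODE(st.st_mode)
            if is_exposed(mode) and is_disk_image(p):
                exposed.append((str(p), mode))
    return sorted(exposed)


def restrict_image(path) -> int:
    """Remediate an existing file: keep the owner bits, drop group/other.
    Returns the resulting mode (0644 becomes 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode) & 0o700
    os.chmod(path, mode)
    return mode


def create_private_file(path, data: bytes) -> int:
    """Create a file that is never world-readable, not even briefly, by
    giving open(2) the mode 0600 at creation. The umask can only remove
    bits from 0600, so the result is owner-only on any umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed scenario in a temporary directory: one snapshot left at
    0644 (the reported behaviour), one created correctly, and one
    unrelated text file. Returns (names flagged before remediation,
    findings after remediation)."""
    with tempfile.TemporaryDirectory() as tmp:
        images = Path(tmp) / "images"
        images.mkdir()
        leaky = images / "myvm.snap1"
        leaky.write_bytes(QCOW2_MAGIC + b"\x00\x00\x00\x03")
        os.chmod(leaky, 0o644)  # reproduce the mode shown in the report
        create_private_file(images / "myvm.snap2", QCOW2_MAGIC)
        notes = images / "notes.txt"
        notes.write_text("not an image")
        os.chmod(notes, 0o644)  # readable, but not a disk image: not flagged

        before = find_exposed_images(images)
        for path, _mode in before:
            restrict_image(path)
        after = find_exposed_images(images)
        return [Path(p).name for p, _ in before], after


if __name__ == "__main__":
    print(demo())  # (['myvm.snap1'], [])
```

On a libvirt host, `find_exposed_images("/var/lib/libvirt/images")` run as root is the audit step; the fixed package makes new snapshots 0600, but files created by an affected version stay exposed until remediated, which is why the report stresses that the mode persists after the VM runs.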
--- Begin Message ---
Source: libvirt
Source-Version: 11.10.0-1
Done: Andrea Bolognani <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrea Bolognani <[email protected]> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 01 Dec 2025 23:25:35 +0100
Source: libvirt
Architecture: source
Version: 11.10.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Libvirt Maintainers <[email protected]>
Changed-By: Andrea Bolognani <[email protected]>
Closes: 1120119 1120584 1121280
Changes:
 libvirt (11.10.0-1) unstable; urgency=medium
 .
   * [13462ab] New upstream version 11.10.0
     - Perform ACL checks earlier, preventing malicious users
       from potentially being able to crash the daemon
       - Closes: #1120584 (CVE-2025-12748)
     - Ensure that newly-created snapshots are not world-readable
       - Closes: #1120119 (CVE-2025-13193)
     - Apply the detect_zeroes settings across all layers of the
       backing chain instead of just the topmost one
       - Closes: #1121280
   * [5732866] common: Add several CPU models
Checksums-Sha1:
 3f8e7371deaa52ca49799c030cd2539bfc3e9a35 7676 libvirt_11.10.0-1.dsc
 f36316de87378f52ae9c237d936c28b0f3210253 10241776 libvirt_11.10.0.orig.tar.xz
 099ce1e6ce61fdc2172d8b61e5f7cefca655e971 833 libvirt_11.10.0.orig.tar.xz.asc
 0d8558dad338299908b66dd4f6f77633a7f7da24 96660 libvirt_11.10.0-1.debian.tar.xz
 fe6cf8927a002630055b1d83506824675cff271d 13601 libvirt_11.10.0-1_source.buildinfo
Checksums-Sha256:
 66bdbb9cfeaed1558fb94b75e2c456fbbe4e4f352470a84f8ea8714385b03504 7676 libvirt_11.10.0-1.dsc
 66154fee836235678b712676b2589c45f66e3d6a8721ee0697c9f20a66cad0d8 10241776 libvirt_11.10.0.orig.tar.xz
 04a1e43f62af6b6f06df48527e2663de49631a3b3727881b78d61624b8ff520e 833 libvirt_11.10.0.orig.tar.xz.asc
 a93ea2b6fde00c93e9b084113d608b948e991dbb93496201f86469be23ec97c7 96660 libvirt_11.10.0-1.debian.tar.xz
 2320a664cece210edbd3a7020f860df2affb51be1824d37c071080fcb8b6af76 13601 libvirt_11.10.0-1_source.buildinfo
Files:
 9f75132797f331e1f8d52a78449e1379 7676 libs optional libvirt_11.10.0-1.dsc
 ca836331e4c66f195d09ffbc1281630d 10241776 libs optional libvirt_11.10.0.orig.tar.xz
 f128565b2a1cd5d2b945cc9e670493d8 833 libs optional libvirt_11.10.0.orig.tar.xz.asc
 59f814994174c019de9a5db9d33eff30 96660 libs optional libvirt_11.10.0-1.debian.tar.xz
 9d2e4b5da5d46c1cb729acd7d50ca580 13601 libs optional libvirt_11.10.0-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
