Hi, today the libvirt security notice LSN-2014-0003 [1] has been published, fixing an arbitrary file reading and a potential DoS issue due to unsafe XML reading (unchecked expansion of entities).
We inspected libguestfs in the few parts that parse XML input (two from results of libvirt API calls, and one parsing the libosinfo data), and found no issues in the way the parsing was done. However, to be more sure about not relying on network nor expanding entities, we just pushed a patch to allow passing fine-grained parsing flags, so we can control better the parsing. This is commit 845daded5fddc70fc5e822769bc1e2a8cbead7ca

[1] https://www.redhat.com/archives/libvir-list/2014-May/msg00209.html

--
Pino Toscano
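An added illustration of the hardening goal stated in the message above (no network access, no entity expansion). It is not libguestfs code and not the parsing-flag approach of the commit: it uses Python's standard-library expat bindings to refuse entity declarations and external references outright. The function names and the domain XML samples are constructed for this example.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document uses a construct this parser refuses to process."""


def parse_disk_sources(xml_text):
    """Return the file= values of <source> elements; refuse entities entirely."""
    sources = []
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities enable expansion blow-ups; external ones
        # (system_id set) enable file or network reads. Refuse both.
        kind = "external" if system_id else "internal"
        raise UnsafeXML("%s entity declaration refused: %s" % (kind, name))

    def external_ref(context, base, system_id, public_id):
        # Second layer: reached if the parser is asked to resolve an external entity.
        raise UnsafeXML("external reference refused: %s" % system_id)

    def start(name, attrs):
        if name == "source" and "file" in attrs:
            sources.append(attrs["file"])

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start
    parser.Parse(xml_text, True)  # exceptions raised in handlers propagate from here
    return sources


def is_refused(xml_text):
    """True when the document is rejected for using entities."""
    try:
        parse_disk_sources(xml_text)
    except UnsafeXML:
        return True
    return False


# Constructed sample documents, shaped like libvirt domain XML.
CLEAN = ('<domain><devices><disk><source file="/var/lib/images/a.img"/>'
         '</disk></devices></domain>')
NESTED = ('<!DOCTYPE domain [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;">]>'
          '<domain><name>&b;</name></domain>')
EXTERNAL = ('<!DOCTYPE domain [<!ENTITY x SYSTEM "file:///constructed/path">]>'
            '<domain><name>&x;</name></domain>')
```

Rejecting the document at the declaration, before any reference is resolved, means neither the nested nor the external sample is ever expanded.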
