On Tue, May 06, 2014 at 07:31:08PM +0200, Pino Toscano wrote:
> today the libvirt security notice LSN-2014-0003 [1] has been published,
> fixing an arbitrary file reading and a potential DoS issue due to unsafe
> XML reading (unchecked expansion of entities).
>
> We inspected libguestfs in the few parts that parse XML input (two from
> results of libvirt API calls, and one parsing the libosinfo data), and
> found no issues in the way the parsing was done.
>
> However, to be more sure about not relying on network nor expanding
> entities, we just pushed a patch to allow passing fine-grained parsing
> flags, so we can control the parsing better. This is commit
> 845daded5fddc70fc5e822769bc1e2a8cbead7ca
>
> [1] https://www.redhat.com/archives/libvir-list/2014-May/msg00209.html
What I've done in the other branches is ...

1.26: There's a new (1.26.2) release, coming later today.

1.20, 1.22, 1.24: I have backported your 845dade commit to these
branches and added it to git. However I haven't made new tarball
releases, and won't do unless someone can prove that this is actually
a security issue and not just a nice-to-have fix. However as the patch
now exists for each branch, downstream packagers may wish to apply it.

1.20: https://github.com/libguestfs/libguestfs/commit/83b054537a10f88d4c0332f549cbb082d3c8cfbe
1.22: https://github.com/libguestfs/libguestfs/commit/2c41bb8da918392b04a96b8f121991db330a3b9e
1.24: https://github.com/libguestfs/libguestfs/commit/0ac3e228ee2f8c2d37a12058d03ac7fff0ad62ea

Thanks,

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
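The kind of fine-grained parser control the thread is about (no entity expansion, no network or file access on behalf of the document), as an added example that is not libguestfs or libvirt code: libguestfs uses libxml2 from C, but this uses Python's standard-library expat bindings so it runs without extra libraries. The `strict=False` path keeps expat's defaults, under which an internal entity is silently substituted; the strict path refuses every entity declaration and external reference and never reads an external DTD subset. The sample documents and the `UnsafeXML` policy exception are constructed for the example.

```python
import xml.parsers.expat as expat

class UnsafeXML(Exception):
    """Raised when a document declares or references an entity the policy forbids."""

def parse(doc, strict=True):
    """Return {'root': name, 'text': data}. strict=False keeps expat's defaults,
    under which entities declared in the internal DTD subset are substituted;
    strict=True refuses entity declarations and external references and never
    reads the external DTD subset."""
    p = expat.ParserCreate()
    out = {"root": None, "text": ""}

    def start(name, attrs):
        if out["root"] is None:
            out["root"] = name

    def chars(data):
        out["text"] += data

    p.StartElementHandler = start
    p.CharacterDataHandler = chars
    if strict:
        # Never read parameter entities or the external DTD subset, so the
        # parser does no file or network access on behalf of the document.
        p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

        def refuse_decl(name, is_param, value, base, sysid, pubid, notation):
            # Refusing every declaration also rules out recursive-expansion DoS.
            raise UnsafeXML("entity declaration refused: %s" % name)

        def refuse_ext(context, base, sysid, pubid):
            raise UnsafeXML("external entity reference refused: %s" % sysid)
        p.EntityDeclHandler = refuse_decl
        p.ExternalEntityRefHandler = refuse_ext
    p.Parse(doc, True)  # exceptions raised inside handlers propagate from here
    return out

def rejected(doc):
    """True if the strict policy refuses the document."""
    try:
        parse(doc, strict=True)
    except UnsafeXML:
        return True
    return False

# Constructed sample documents (not from the thread).
SAMPLE_ENTITY = b'<!DOCTYPE d [<!ENTITY e "expanded">]><d>&e;</d>'
SAMPLE_EXTDTD = b'<!DOCTYPE d SYSTEM "http://dtd.example.invalid/d.dtd"><d>ok</d>'
SAMPLE_PLAIN = b"<d>plain</d>"
```

With the defaults, `parse(SAMPLE_ENTITY, strict=False)` returns the substituted text, while the strict policy rejects that document but still accepts the one that merely names an external DTD, because the subset is skipped rather than fetched.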
