merged. Bruce
In message: [meta-virtualization][scarthgap][PATCH 1/1] libvirt: fix CVE-2025-13193 on 27/11/2025 Praveen Kumar via lists.yoctoproject.org wrote: > From: Praveen Kumar <[email protected]> > > A flaw was found in libvirt. External inactive snapshots for > shut-down VMs are incorrectly created as world-readable, making it > possible for unprivileged users to inspect the guest OS contents. > This results in an information disclosure vulnerability. > > Reference: > https://nvd.nist.gov/vuln/detail/CVE-2025-13193 > > Upstream-patch: > https://gitlab.com/libvirt/libvirt/-/commit/a379327d8abcde8ac8d3e16fe5e4ba6f790d767a > > Signed-off-by: Praveen Kumar <[email protected]> > --- > .../libvirt/libvirt/CVE-2025-13193.patch | 40 +++++++++++++++++++ > recipes-extended/libvirt/libvirt_10.0.0.bb | 1 + > 2 files changed, 41 insertions(+) > create mode 100644 recipes-extended/libvirt/libvirt/CVE-2025-13193.patch > > diff --git a/recipes-extended/libvirt/libvirt/CVE-2025-13193.patch > b/recipes-extended/libvirt/libvirt/CVE-2025-13193.patch > new file mode 100644 > index 00000000..1ce5de38 > --- /dev/null > +++ b/recipes-extended/libvirt/libvirt/CVE-2025-13193.patch > @@ -0,0 +1,40 @@ > +From a379327d8abcde8ac8d3e16fe5e4ba6f790d767a Mon Sep 17 00:00:00 2001 > +From: Peter Krempa <[email protected]> > +Date: Wed, 12 Nov 2025 17:52:05 +0100 > +Subject: [PATCH] qemu: snapshot: Set umask for 'qemu-img' when creating > + external inactive snapshots > + > +External inactive snapshots are created by invoking 'qemu-img' which > +creates the file. Currently qemu-img creates image with mode 644 based > +on default umask as libvirt doesn't set any. > + > +Having a world-readable image is obviously wrong so set the umask to > +077 to have the file readable only by the owner. > + > +Resolves: https://bugs.debian.org/1120119 > + > +CVE: CVE-2025-13193 > + > +Upstream-Status: Backport > [https://gitlab.com/libvirt/libvirt/-/commit/a379327d8abcde8ac8d3e16fe5e4ba6f790d767a] > + > +Signed-off-by: Praveen Kumar <[email protected]> > +--- > + src/qemu/qemu_snapshot.c | 3 +++ > + 1 file changed, 3 insertions(+) > + > +diff --git a/src/qemu/qemu_snapshot.c b/src/qemu/qemu_snapshot.c > +index 73ff533..9819448 100644 > +--- a/src/qemu/qemu_snapshot.c > ++++ b/src/qemu/qemu_snapshot.c > +@@ -233,6 +233,9 @@ qemuSnapshotCreateQcow2Files(virQEMUDriver *driver, > + NULL))) > + return -1; > + > ++ /* ensure that new files are only readable by the user */ > ++ virCommandSetUmask(cmd, 0077); > ++ > + /* adds cmd line arg: > backing_fmt=format,backing_file=/path/to/backing/file */ > + virBufferAsprintf(&buf, "backing_fmt=%s,backing_file=", > + > virStorageFileFormatTypeToString(defdisk->src->format)); > +-- > +2.40.0 > diff --git a/recipes-extended/libvirt/libvirt_10.0.0.bb > b/recipes-extended/libvirt/libvirt_10.0.0.bb > index 22193ff3..c6e6069c 100644 > --- a/recipes-extended/libvirt/libvirt_10.0.0.bb > +++ b/recipes-extended/libvirt/libvirt_10.0.0.bb > @@ -37,6 +37,7 @@ SRC_URI = > "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \ > file://CVE-2024-1441.patch \ > file://CVE-2024-2494.patch \ > file://CVE-2024-4418.patch \ > + file://CVE-2025-13193.patch \ > " > > SRC_URI[libvirt.sha256sum] = > "8ba2e72ec8bdd2418554a1474c42c35704c30174b7611eaf9a16544b71bcf00a" > -- > 2.40.0 > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#9473): https://lists.yoctoproject.org/g/meta-virtualization/message/9473 Mute This Topic: https://lists.yoctoproject.org/mt/116499869/21656 Group Owner: [email protected] Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
