[Libguestfs] XML parsing in libguestfs & recent libvirt CVE
Richard W.M. Jones
rjones at redhat.com
Wed May 7 15:41:58 UTC 2014
On Tue, May 06, 2014 at 07:31:08PM +0200, Pino Toscano wrote:
> today the libvirt security notice LSN-2014-0003 [1] has been published,
> fixing an arbitrary file reading and a potential DoS issue due to unsafe
> XML reading (unchecked expansion of entities).
>
> We inspected libguestfs in the few parts that parse XML input (two from
> results of libvirt API calls, and one parsing the libosinfo data), and
> found no issues in the way the parsing was done.
>
> However, to be more sure about not relying on network nor expanding
> entities, we just pushed a patch to allow passing fine-grained parsing
> flags, so we can control better the parsing. This is commit
> 845daded5fddc70fc5e822769bc1e2a8cbead7ca
>
> [1] https://www.redhat.com/archives/libvir-list/2014-May/msg00209.html
What I've done in the other branches is ...
1.26:
There's a new (1.26.2) release, coming later today.
1.20, 1.22, 1.24:
I have backported your 845dade commit to these branches and added it
to git. However I haven't made new tarball releases, and won't do
unless someone can prove that this is actually a security issue and
not just a nice-to-have fix. However as the patch now exists for each
branch, downstream packagers may wish to apply it.
1.20: https://github.com/libguestfs/libguestfs/commit/83b054537a10f88d4c0332f549cbb082d3c8cfbe
1.22: https://github.com/libguestfs/libguestfs/commit/2c41bb8da918392b04a96b8f121991db330a3b9e
1.24: https://github.com/libguestfs/libguestfs/commit/0ac3e228ee2f8c2d37a12058d03ac7fff0ad62ea
Thanks,
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v