[Libguestfs] XML parsing in libguestfs & recent libvirt CVE

Pino Toscano ptoscano at redhat.com
Tue May 6 17:31:08 UTC 2014


Hi,

today the libvirt security notice LSN-2014-0003 [1] has been published, 
fixing an arbitrary file reading and a potential DoS issue due to unsafe 
XML reading (unchecked expansion of entities).

We inspected libguestfs in the few parts that parse XML input (two from 
results of libvirt API calls, and one parsing the libosinfo data), and 
found no issues in the way the parsing was done.

However, to be more sure about not relying on network nor expanding 
entities, we just pushed a patch to allow passing fine-grained parsing 
flags, so we can better control the parsing.  This is commit
  845daded5fddc70fc5e822769bc1e2a8cbead7ca

[1] https://www.redhat.com/archives/libvir-list/2014-May/msg00209.html

-- 
Pino Toscano
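The parsing flags the commit above introduces are libxml2 flags used from libguestfs's C code. As an added example (not code from libguestfs or libvirt), the same defensive stance expressed with Python's standard-library expat bindings: refuse any DOCTYPE, refuse every entity declaration, and never resolve external or parameter entities, so neither unchecked entity expansion nor reading of local files through an external entity can happen. The sample documents and the function names are constructed for this illustration.

```python
"""Defensive XML parsing with Python's expat bindings (added example).

Mirrors the intent of parsing untrusted XML with libxml2 *without*
XML_PARSE_NOENT and *with* XML_PARSE_NONET: no entity expansion, no
network or filesystem access triggered by the document.
"""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when the document tries to use a feature we refuse."""


def parse_untrusted_xml(data: bytes):
    """Parse `data` and return (root_tag, concatenated_text).

    Any DOCTYPE, entity declaration or external entity reference aborts
    parsing with UnsafeXMLError. Malformed XML raises expat.ExpatError.
    """
    parser = expat.ParserCreate()
    # Never process parameter entities, so an external DTD subset is
    # never fetched from a URL or path named in the document.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    state = {"root": None, "text": []}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Data coming from an API (e.g. libvirt) never needs a DTD;
        # rejecting it up front closes the whole entity-declaration surface.
        raise UnsafeXMLError("DOCTYPE %r rejected" % name)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Belt and braces: even if DOCTYPE handling changed, no custom
        # entity (internal or SYSTEM/PUBLIC) may be declared.
        raise UnsafeXMLError("entity declaration %r rejected" % name)

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXMLError("external entity %r rejected" % system_id)

    def on_start(name, attrs):
        if state["root"] is None:
            state["root"] = name

    def on_chars(text):
        # expat may deliver text in several chunks; collect and join.
        state["text"].append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars

    parser.Parse(data, True)  # exceptions from handlers propagate here
    return state["root"], "".join(state["text"])


def is_rejected(data: bytes) -> bool:
    """True if parse_untrusted_xml refuses the document as unsafe."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample documents.
SAFE_DOC = b"<domain><name>guest1</name></domain>"
PREDEFINED_ENTITIES = b"<a>&amp;&lt;</a>"  # built-in entities are fine
ENTITY_EXPANSION = (
    b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
    b'<!ENTITY lol2 "&lol;&lol;&lol;">]><lolz>&lol2;</lolz>'
)
EXTERNAL_ENTITY = (
    b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///tmp/constructed-example.txt">]>'
    b"<d>&ext;</d>"
)
EXTERNAL_DTD = b'<!DOCTYPE domain SYSTEM "http://example.invalid/d.dtd"><domain/>'

if __name__ == "__main__":
    print(parse_untrusted_xml(SAFE_DOC))
    for doc in (ENTITY_EXPANSION, EXTERNAL_ENTITY, EXTERNAL_DTD):
        print("rejected" if is_rejected(doc) else "accepted")
```

The DOCTYPE rejection is the meaningful control: the two issues in the libvirt notice both require the document to declare entities, which is impossible without a DOCTYPE. The entity and external-reference handlers only exist so the behaviour stays safe if DOCTYPE handling were ever relaxed.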