[libvirt] [v0.9.12-maint 0/8] Backport changes for CVE-2013-6458 to v0.9.12-maint

Guido Günther agx at sigxcpu.org
Thu Jan 16 07:49:59 UTC 2014


On Wed, Jan 15, 2014 at 01:43:54PM -0700, Eric Blake wrote:
> On 01/11/2014 07:27 AM, Guido Günther wrote:
> > Hi,
> > attached patches backport the fixes for CVE-2013-6458 to v0.9.12-maint. I
> > decided to cherry-pick the introduction of VIR_STRDUP and virReportError
> > as well to ease backporting of future fixes. I'd be happy about any review.
> 
> Looks correct to me.  I'll let you push to 0.9.12-maint since you
> already did that work; I already pushed to all the branches 0.10.2 and
> later.  When porting to 0.10.2, I chose to just inline the call to
> strdup() instead of backporting VIR_STRDUP, for fewer patches but more
> conflict resolution; but either approach seems acceptable.

Thanks for the review!

> 
> Is anyone still using v0.9.11-maint?  The CVE extends back to 0.9.8, so
> we could argue that we should either fix the 0.9.11 branch, or add
> another commit to the branch that explicitly marks it as end-of-life
> because no one appears to be relying on it.  Fedora 18 is now
> end-of-life, so from Fedora's perspective, I only care about 0.10.2
> (RHEL and CentOS 6), 1.0.5 (F19), 1.1.3 (F20) and soon 1.2.1 (rawhide),
> although I didn't mind touching all the intermediate branches on my way
> down to 0.10.2.  RHEL 5 is also vulnerable to CVE-2013-6458, but as we
> don't have an upstream v0.8.2-maint branch (thank goodness!), that's
> something for Red Hat to worry about.

I'd say let's close 0.9.11. We have 0.8.3 in Debian oldstable but I'm
not going to open a maint branch for this but deal with it in the
package itself.
Cheers,
 -- Guido