[PATCH for 6.6.0] news: Document recent CVE fix
Michal Privoznik
mprivozn at redhat.com
Mon Jul 27 08:18:51 UTC 2020
On 7/27/20 10:04 AM, Peter Krempa wrote:
> On Mon, Jul 27, 2020 at 09:54:50 +0200, Michal Privoznik wrote:
>> Document the fix of leaking /dev/mapper/control to QEMU (fixed in
>> v6.6.0-rc1-3-g2249455654).
>>
>> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>> ---
>> NEWS.rst | 7 +++++++
>> 1 file changed, 7 insertions(+)
>>
>> diff --git a/NEWS.rst b/NEWS.rst
>> index ff977968c7..8b53d21b8a 100644
>> --- a/NEWS.rst
>> +++ b/NEWS.rst
>> @@ -33,6 +33,13 @@ v6.6.0 (unreleased)
>>
>> * **Bug fixes**
>>
>> + * virdevmapper: Don't use libdevmapper to obtain dependencies
>> +
>> + When building domain's private ``/dev`` in a namespace, libdevmapper was
>> + consulted for getting full dependency tree of domain's disks. However, this
>> + meant that libdevmapper opened ``/dev/mapper/control`` which wasn't closed
>> + and was leaked to QEMU. CVE-2020-14339
>
> I see that these were pushed now, but I can't find them in the list. I
> presume you went through libvirt-security for review. Please post them
> to libvir-list anyways for future reference.
>
Indeed. The bug was made private (mistakenly) for a brief moment thus I
figured to send the patches on the -security list. Then the mistake was
fixed and now I look like I don't know what I'm doing (which is not
necessarily untrue :-D).
Michal
More information about the libvir-list
mailing list