Hi,
today the libvirt security notice LSN-2014-0003 [1] has been published,
fixing an arbitrary file reading and a potential DoS issue due to unsafe
XML reading (unchecked expansion of entities).
We inspected libguestfs in the few parts that parse XML input (two from
results of libvirt API calls, and one parsing the libosinfo data), and
found no issues in the way the parsing was done.
However, to be more sure about not relying on network nor expanding
entities, we just pushed a patch to allow passing fine-grained parsing
flags, so we can better control the parsing. This is commit
845daded5fddc70fc5e822769bc1e2a8cbead7ca
[1]
https://www.redhat.com/archives/libvir-list/2014-May/msg00209.html
--
Pino Toscano
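As an added illustration of the two controls this notice is about (no entity-driven file or network reads, and a bound on entity expansion), written for Python's standard-library xml.sax parser rather than libxml2; it is not libguestfs code and not the commit referenced above. The two sample documents are constructed for the example, and the file path in the first one is a made-up placeholder.

```python
import xml.sax
from io import BytesIO
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes
from xml.sax.xmlreader import InputSource

class ExpansionBudgetExceeded(Exception):
    """Entity expansion produced more character data than the caller allows."""

class BudgetedTextHandler(ContentHandler):
    """Collects character data and aborts once the expansion budget is exceeded."""
    def __init__(self, max_chars):
        super().__init__()
        self.max_chars, self.seen, self.parts = max_chars, 0, []

    def characters(self, content):
        self.seen += len(content)  # measured after expat has expanded entities
        if self.seen > self.max_chars:
            raise ExpansionBudgetExceeded(f"more than {self.max_chars} chars of text")
        self.parts.append(content)

def parse_untrusted_xml(data, max_chars=10_000):
    """Parse untrusted XML bytes and return its character data as one string."""
    parser = xml.sax.make_parser()
    # Never resolve external general or parameter entities, so the document cannot
    # make the parser read files or the network (the job XML_PARSE_NONET does in libxml2).
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = BudgetedTextHandler(max_chars)
    parser.setContentHandler(handler)
    source = InputSource()
    source.setByteStream(BytesIO(data))
    parser.parse(source)
    return "".join(handler.parts)

def expansion_within_budget(data, max_chars):
    """True if the document parses without exhausting the expansion budget."""
    try:
        parse_untrusted_xml(data, max_chars)
    except ExpansionBudgetExceeded:
        return False
    return True

# Constructed samples: an external entity pointing at a nonexistent placeholder
# file, and a three-level internal entity chain that turns 10 bytes into 1000.
EXTERNAL_ENTITY_DOC = b"""<!DOCTYPE d [
<!ENTITY ext SYSTEM "file:///nonexistent/constructed-secret.txt">]>
<d>before-&ext;-after</d>"""
AMPLIFYING_DOC = b"""<!DOCTYPE d [<!ENTITY a "aaaaaaaaaa">
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]><d>&c;</d>"""
```

With external entities disabled the `&ext;` reference contributes nothing to the output, and the amplifying document is accepted or rejected purely on the size budget, which is the check that turns an entity-expansion DoS into a clean parse error.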