On Tue, May 06, 2014 at 07:31:08PM +0200, Pino Toscano wrote:
> today the libvirt security notice LSN-2014-0003 [1] has been published,
> fixing an arbitrary file reading and a potential DoS issue due to unsafe
> XML reading (unchecked expansion of entities).
> We inspected libguestfs in the few parts that parse XML input (two from
> results of libvirt API calls, and one parsing the libosinfo data), and
> found no issues in the way the parsing was done.
> However, to be more sure about not relying on network nor expanding
> entities, we just pushed a patch to allow passing fine-grained parsing
> flags, so we can control better the parsing. This is commit
> 845daded5fddc70fc5e822769bc1e2a8cbead7ca
> [1] https://www.redhat.com/archives/libvir-list/2014-May/msg00209.html
What I've done in the other branches is ...
1.26:
There's a new (1.26.2) release, coming later today.
1.20, 1.22, 1.24:
I have backported your 845dade commit to these branches and added it
to git. However I haven't made new tarball releases, and won't do
unless someone can prove that this is actually a security issue and
not just a nice-to-have fix. However as the patch now exists for each
branch, downstream packagers may wish to apply it.
1.20:
https://github.com/libguestfs/libguestfs/commit/83b054537a10f88d4c0332f54...
1.22:
https://github.com/libguestfs/libguestfs/commit/2c41bb8da918392b04a96b8f1...
1.24:
https://github.com/libguestfs/libguestfs/commit/0ac3e228ee2f8c2d37a12058d...
Thanks,
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
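The "no network, no entity expansion" parsing policy discussed in the thread, as an added example that is not the libguestfs commit itself: it uses Python's expat binding rather than libxml2, and the two sample documents are constructed for the demonstration, not taken from the advisory.

```python
import xml.parsers.expat as expat

# Constructed sample documents (not from the libvirt advisory): a plain
# libvirt-style fragment and one that declares an internal entity.
PLAIN_DOC = b"<domain><name>guest</name></domain>"
ENTITY_DOC = b'<!DOCTYPE domain [<!ENTITY n "guest">]><domain><name>&n;</name></domain>'


class UnsafeXML(Exception):
    """The document used a feature the caller chose not to allow."""


def parse_xml(data, allow_entities=False):
    """Parse `data` and return (element names in document order, joined text).

    With allow_entities=False (the hardened setting) any entity declaration
    aborts the parse and external entities are never resolved, so a DTD in
    the input can neither read local files nor reach the network.
    """
    names, text = [], []
    parser = expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.CharacterDataHandler = text.append

    if not allow_entities:
        def refuse_decl(name, is_param, value, base, sysid, pubid, notation):
            # Exceptions raised in a handler propagate out of parser.Parse().
            raise UnsafeXML("entity declaration %r refused" % name)

        def refuse_external(context, base, sysid, pubid):
            # Returning 0 tells expat the reference was not resolved.
            return 0

        # Never parse parameter entities; that is how external DTDs are pulled in.
        parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
        parser.EntityDeclHandler = refuse_decl
        parser.ExternalEntityRefHandler = refuse_external

    parser.Parse(data, True)
    return names, "".join(text)


def is_accepted(data, allow_entities=False):
    """True if the document parses under the chosen setting, False if refused."""
    try:
        parse_xml(data, allow_entities)
        return True
    except (UnsafeXML, expat.ExpatError):
        return False
```

The permissive setting expands the internal entity and returns the same result as the plain document; the hardened setting refuses the entity-bearing document outright, which is the behaviour a consumer of untrusted libvirt or libosinfo XML wants.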