Pino Toscano
2014-May-06 17:31 UTC
[Libguestfs] XML parsing in libguestfs & recent libvirt CVE
Hi,

today the libvirt security notice LSN-2014-0003 [1] has been published, fixing an arbitrary file reading and a potential DoS issue due to unsafe XML reading (unchecked expansion of entities).

We inspected libguestfs in the few parts that parse XML input (two from results of libvirt API calls, and one parsing the libosinfo data), and found no issues in the way the parsing was done.

However, to be more sure about not relying on network nor expanding entities, we just pushed a patch to allow passing fine-grained parsing flags, so we can control better the parsing. This is commit 845daded5fddc70fc5e822769bc1e2a8cbead7ca

[1] https://www.redhat.com/archives/libvir-list/2014-May/msg00209.html

-- 
Pino Toscano
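The parsing policy the message describes (no network access, no entity expansion) as an added illustration, not libguestfs code: libguestfs itself drives libxml2 from C, whereas this example uses Python's standard-library expat bindings to reject any DTD up front, refuse external entity references and parse the rest into a small tree. The sample documents (a libvirt-style domain, one declaring an external entity, one with a nested internal entity chain) are constructed for the example.

```python
import xml.parsers.expat
from xml.parsers.expat import ExpatError

class UnsafeXML(Exception):
    """Raised when an untrusted document carries a DTD (and so entity declarations)."""

def parse_untrusted_xml(data):
    """Parse untrusted XML into a small dict tree with entity handling disabled.

    Any DOCTYPE aborts the parse (entities can only be declared inside one) and
    external entity references are refused, so no local file or network URI is
    fetched and no internal entity chain can be expanded."""
    parser = xml.parsers.expat.ParserCreate()
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} not allowed (system id {sysid!r})")
    def refuse_external(context, base, sysid, pubid):
        return 0  # second line of defence: 0 tells expat not to load the entity
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = refuse_external
    stack = [{"text": "", "children": []}]  # sentinel that receives the root
    def start(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)
    def chars(text):
        stack[-1]["text"] += text
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return stack[0]["children"][0]

def check_document(data):
    """Return 'ok' when the document parses safely, otherwise a short reason."""
    try:
        parse_untrusted_xml(data)
        return "ok"
    except UnsafeXML as exc:
        return f"rejected: {exc}"
    except ExpatError as exc:
        return f"malformed: {exc}"

# Constructed samples: a libvirt-style domain document, one declaring an external
# entity (file/network read) and one with a nested internal entity chain (blow-up).
SAFE_DOC = b'<domain type="kvm"><name>guest1</name><devices/></domain>'
EXTERNAL_ENTITY_DOC = (b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///some/local/file">]>'
                       b'<domain><name>&ext;</name></domain>')
NESTED_ENTITY_DOC = (b'<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                     b'<domain><name>&b;</name></domain>')
```

Rejecting the DOCTYPE outright is stricter than merely disabling substitution, which is the right default for input that never legitimately needs a DTD, such as libvirt API results.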
Richard W.M. Jones
2014-May-07 15:41 UTC
Re: [Libguestfs] XML parsing in libguestfs & recent libvirt CVE
On Tue, May 06, 2014 at 07:31:08PM +0200, Pino Toscano wrote:
> today the libvirt security notice LSN-2014-0003 [1] has been published,
> fixing an arbitrary file reading and a potential DoS issue due to unsafe
> XML reading (unchecked expansion of entities).
>
> We inspected libguestfs in the few parts that parse XML input (two from
> results of libvirt API calls, and one parsing the libosinfo data), and
> found no issues in the way the parsing was done.
>
> However, to be more sure about not relying on network nor expanding
> entities, we just pushed a patch to allow passing fine-grained parsing
> flags, so we can control better the parsing. This is commit
> 845daded5fddc70fc5e822769bc1e2a8cbead7ca
>
> [1] https://www.redhat.com/archives/libvir-list/2014-May/msg00209.html

What I've done in the other branches is ...

1.26: There's a new (1.26.2) release, coming later today.

1.20, 1.22, 1.24: I have backported your 845dade commit to these branches and added it to git. However I haven't made new tarball releases, and won't do unless someone can prove that this is actually a security issue and not just a nice-to-have fix. However as the patch now exists for each branch, downstream packagers may wish to apply it.

1.20: https://github.com/libguestfs/libguestfs/commit/83b054537a10f88d4c0332f549cbb082d3c8cfbe
1.22: https://github.com/libguestfs/libguestfs/commit/2c41bb8da918392b04a96b8f121991db330a3b9e
1.24: https://github.com/libguestfs/libguestfs/commit/0ac3e228ee2f8c2d37a12058d03ac7fff0ad62ea

Thanks,

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests. http://libguestfs.org/virt-v2v