[libvirt] [PATCH] CVE-2011-1146
Daniel Veillard
veillard at redhat.com
Mon Mar 14 03:25:08 UTC 2011
On Sat, Mar 12, 2011 at 11:19:33PM +0100, Guido Günther wrote:
> Hi,
> attached patch adds the missing checks for
>
> https://bugzilla.redhat.com/show_bug.cgi?id=683650
>
> O.k. to apply?
> Cheers,
> -- Guido
This led me to review the full set of entry points.
Okay, ACK, I applied it, but I also added virConnectDomainXMLToNative
for the following reason:
paphio:~ -> grep shutdown test.xml
<emulator>/sbin/shutdown</emulator>
paphio:~ -> virsh --readonly -c qemu+ssh://test/system domxml-to-native
--format qemu-argv --xml test.xml
error: internal error Child process exited with status 1.
paphio:~ ->
Sure "/sbin/shutdown --help" fails, but it's still a remote
execution hazard which should not be allowed on read-only connections,
I prefer to close now since it's in the same class of errors.
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel at veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
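
The hazard described in the message above, as an added example that is not part of the original post and is not libvirt's code: a constructed C model of an entry point that launches the emulator named in the domain XML, shown without and with a read-only check. All identifiers (`CONN_RO`, `xml_to_native_unchecked`, `xml_to_native_checked`, `probe_emulator`) are hypothetical, and the probe only counts calls instead of executing anything.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not libvirt source: every name below is hypothetical. */
#define CONN_RO 0x1                            /* connection opened read-only */
enum { OK = 0, ERR_DENIED = -1, ERR_XML = -2 };
struct conn { unsigned flags; int probes; };   /* probes counts emulator launches */

/* Stand-in for launching the emulator named in the XML; it only counts calls. */
static void probe_emulator(struct conn *c, const char *path) { (void)path; c->probes++; }

/* Copy the text between <emulator> and </emulator> into out. */
static int emulator_path(const char *xml, char *out, size_t n) {
    const char *s = strstr(xml, "<emulator>");
    const char *e = s ? strstr(s, "</emulator>") : NULL;
    if (!s || !e) return ERR_XML;
    s += strlen("<emulator>");
    if ((size_t)(e - s) >= n) return ERR_XML;  /* path too long for buffer */
    memcpy(out, s, (size_t)(e - s));
    out[e - s] = '\0';
    return OK;
}

/* Before: no read-only check, so a read-only client reaches the probe. */
int xml_to_native_unchecked(struct conn *c, const char *xml) {
    char path[256];
    if (emulator_path(xml, path, sizeof path) != OK) return ERR_XML;
    probe_emulator(c, path);                   /* client-chosen binary gets launched */
    return OK;
}

/* After: refuse on read-only connections before the XML is even parsed. */
int xml_to_native_checked(struct conn *c, const char *xml) {
    if (c->flags & CONN_RO) return ERR_DENIED;
    return xml_to_native_unchecked(c, xml);
}

int main(void) {
    const char *xml = "<domain><devices><emulator>/sbin/shutdown</emulator></devices></domain>";
    struct conn ro = { CONN_RO, 0 };
    printf("unchecked: rc=%d probes=%d\n", xml_to_native_unchecked(&ro, xml), ro.probes);
    ro.probes = 0;
    printf("checked:   rc=%d probes=%d\n", xml_to_native_checked(&ro, xml), ro.probes);
    return 0;
}
```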