[libvirt] [PATCH 1/3] Fix typo in identity code which is pre-requisite for CVE-2013-4311
Eric Blake
eblake at redhat.com
Mon Sep 23 19:32:30 UTC 2013
On 09/23/2013 08:11 AM, Eric Blake wrote:
> On 09/23/2013 05:46 AM, Daniel P. Berrange wrote:
>> From: "Daniel P. Berrange" <berrange at redhat.com>
>>
>> The fix for CVE-2013-4311 had a pre-requisite enhancement
>> to the identity code
>>
>> commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176
>> Author: Daniel P. Berrange <berrange at redhat.com>
>> Date: Thu Aug 22 16:00:01 2013 +0100
>>
>> Also store user & group ID values in virIdentity
>>
>> This had a typo which caused the group ID to overwrite the
>> user ID string. This meant any checks using this would have
>> the wrong ID value. This only affected the ACL code, not the
>> initial polkit auth. It also leaked memory.
>>
>> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
>> ---
>> src/rpc/virnetserverclient.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> ACK
I'm pushing this to master on your behalf, so I can backport it to
v1.1.2-maint, v1.1.1-maint, and v1.1.0-maint; to minimize the time where
those branches are broken. I'll let you push the other two when you are
ready (tests help, but missing a test doesn't hold up a maint branch).
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 621 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20130923/e2df85f2/attachment-0001.sig>
More information about the libvir-list
mailing list