[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 1/3] Fix typo in identity code which is pre-requisite for CVE-2013-4311

On 09/23/2013 08:11 AM, Eric Blake wrote:
> On 09/23/2013 05:46 AM, Daniel P. Berrange wrote:
>> From: "Daniel P. Berrange" <berrange redhat com>
>> The fix for CVE-2013-4311 had a pre-requisite enhancement
>> to the identity code
>>   commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176
>>   Author: Daniel P. Berrange <berrange redhat com>
>>   Date:   Thu Aug 22 16:00:01 2013 +0100
>>     Also store user & group ID values in virIdentity
>> This had a typo which caused the group ID to overwrite the
>> user ID string. This meant any checks using this would have
>> the wrong ID value. This only affected the ACL code, not the
>> initial polkit auth. It also leaked memory.
>> Signed-off-by: Daniel P. Berrange <berrange redhat com>
>> ---
>>  src/rpc/virnetserverclient.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)

I'm pushing this to master on your behalf, so I can backport it to
v1.1.2-maint, v1.1.1-maint, and v1.1.0-maint; to minimize the time where
those branches are broken.  I'll let you push the other two when you are
ready (tests help, but missing a test doesn't hold up a maint branch).

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]