diff --git a/0017-bugfix-for-CVE-2025-12748-1.patch b/0017-bugfix-for-CVE-2025-12748-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f32d0631bb3e1293843fb45e1921163817eaccd2
--- /dev/null
+++ b/0017-bugfix-for-CVE-2025-12748-1.patch
@@ -0,0 +1,87 @@ +From e6de1e43ab6e907225b8f9bcea3772231908717e Mon Sep 17 00:00:00 2001 +From: Martin Kletzander +Date: Thu, 6 Nov 2025 14:33:31 +0100 +Subject: [PATCH] conf: Add virDomainDefIDsParseString + +This function performs only parsing with the underlying +virDomainDefParseIDs() function to get needed metadata for any ACL +checks, but nothing else to avoid extraneous allocations and any +parser-induced DoS over ACL-forbidden connections. + +Signed-off-by: Martin Kletzander +Reviewed-by: Michal Privoznik +--- + src/conf/domain_conf.c | 29 +++++++++++++++++++++++++++++ + src/conf/domain_conf.h | 3 +++ + src/libvirt_private.syms | 1 + + 3 files changed, 33 insertions(+) + +diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c +index 833904b..c21af4d 100644 +--- a/src/conf/domain_conf.c ++++ b/src/conf/domain_conf.c +@@ -19564,6 +19564,35 @@ virDomainDefParse(const char *xmlStr, + return virDomainDefParseNode(ctxt, xmlopt, parseOpaque, flags); + } + ++virDomainDef * ++virDomainDefIDsParseString(const char *xmlStr, ++ virDomainXMLOption *xmlopt, ++ unsigned int flags) ++{ ++ g_autoptr(virDomainDef) def = NULL; ++ g_autoptr(xmlDoc) xml = NULL; ++ g_autoptr(xmlXPathContext) ctxt = NULL; ++ bool uuid_generated = false; ++ ++ xml = virXMLParseWithIndent(NULL, xmlStr, _("(domain_definition)"), ++ "domain", &ctxt, "domain.rng", false); ++ ++ if (!xml) ++ return NULL; ++ ++ def = virDomainDefNew(xmlopt); ++ if (!def) ++ return NULL; ++ ++ if (virDomainDefParseIDs(def, ctxt, flags, &uuid_generated) < 0) ++ return NULL; ++ ++ if (uuid_generated) ++ memset(def->uuid, 0, VIR_UUID_BUFLEN); ++ ++ return g_steal_pointer(&def); ++} ++ + virDomainDef * + virDomainDefParseString(const char *xmlStr, + virDomainXMLOption *xmlopt, +diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h +index b5c0302..35510c3 100644 +--- a/src/conf/domain_conf.h ++++ b/src/conf/domain_conf.h +@@ -3755,6 +3755,9 @@ virDomainDiskDef *virDomainDiskDefParse(const char *xmlStr, + 
virStorageSource *virDomainDiskDefParseSource(const char *xmlStr, + virDomainXMLOption *xmlopt, + unsigned int flags); ++virDomainDef * virDomainDefIDsParseString(const char *xmlStr, ++ virDomainXMLOption *xmlopt, ++ unsigned int flags); + virDomainDef *virDomainDefParseString(const char *xmlStr, + virDomainXMLOption *xmlopt, + void *parseOpaque, +diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms +index 553b01b..baae1a4 100644 +--- a/src/libvirt_private.syms ++++ b/src/libvirt_private.syms +@@ -344,6 +344,7 @@ virDomainDefHasUSB; + virDomainDefHasVcpusOffline; + virDomainDefHasVDPANet; + virDomainDefHasVFIOHostdev; ++virDomainDefIDsParseString; + virDomainDefLifecycleActionAllowed; + virDomainDefMaybeAddController; + virDomainDefMaybeAddInput; +-- +2.43.5 + diff --git a/0017-bugfix-for-CVE-2025-12748-2.patch b/0017-bugfix-for-CVE-2025-12748-2.patch new file mode 100644 index 0000000000000000000000000000000000000000..0367b02e149e9f002917dadcecb51e5e71b9bdd0 --- /dev/null +++ b/0017-bugfix-for-CVE-2025-12748-2.patch 
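Review bot: virDomainDefIDsParseString is added to domain_conf.c without a doc comment, and it returns a virDomainDef in which only what virDomainDefParseIDs() fills in is set, so a caller that keeps using it after the ACL check would read an otherwise empty definition. A `/** ... */` header in the style of the neighbouring parsers should state that the result is for ACL checks only, that it must be freed and replaced by a virDomainDefParseString() result before any other use, and that a UUID the input did not contain is zeroed (the `uuid_generated` memset) rather than handed out as generated — presumably so the check never sees a value the request did not carry; confirm the intent before writing that. The header declaration also reads `virDomainDef * virDomainDefIDsParseString(` while the adjacent prototypes bind the star to the name, `virDomainDef *virDomainDefParseString(`; the new one should match.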
@@ -0,0 +1,72 @@ +From b45f10bc0a2f30ccdbf2cb55da2e4f85b3ebfb23 Mon Sep 17 00:00:00 2001 +From: Martin Kletzander +Date: Thu, 6 Nov 2025 15:31:12 +0100 +Subject: [PATCH] bhyve: Check ACLs before parsing the whole domain XML +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Utilise the new virDomainDefIDsParseString() for that. + +Fixes: CVE-2025-12748 +Reported-by: Святослав Терешин +Signed-off-by: Martin Kletzander +Reviewed-by: Michal Privoznik +--- + src/bhyve/bhyve_driver.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/src/bhyve/bhyve_driver.c b/src/bhyve/bhyve_driver.c +index 4203b13..c48bca3 100644 +--- a/src/bhyve/bhyve_driver.c ++++ b/src/bhyve/bhyve_driver.c +@@ -505,6 +505,15 @@ bhyveDomainDefineXMLFlags(virConnectPtr conn, const char *xml, unsigned int flag + if (!caps) + return NULL; + ++ /* Avoid parsing the whole domain definition for ACL checks */ ++ if (!(def = virDomainDefIDsParseString(xml, provconn->xmlopt, parse_flags))) ++ return NULL; ++ ++ if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) ++ return NULL; ++ ++ g_clear_pointer(&def, virDomainDefFree); ++ + if ((def = virDomainDefParseString(xml, privconn->xmlopt, + NULL, parse_flags)) == NULL) + goto cleanup; +@@ -512,9 +521,6 @@ bhyveDomainDefineXMLFlags(virConnectPtr conn, const char *xml, unsigned int flag + if (virXMLCheckIllegalChars("name", def->name, "\n") < 0) + goto cleanup; + +- if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) +- goto cleanup; +- + if (bhyveDomainAssignAddresses(def, NULL) < 0) + goto cleanup; + +@@ -878,11 +884,17 @@ bhyveDomainCreateXML(virConnectPtr conn, + if (flags & VIR_DOMAIN_START_AUTODESTROY) + start_flags |= VIR_BHYVE_PROCESS_START_AUTODESTROY; + +- if ((def = virDomainDefParseString(xml, privconn->xmlopt, +- NULL, parse_flags)) == NULL) +- goto cleanup; ++ /* Avoid parsing the whole domain definition for ACL checks */ ++ if (!(def = 
virDomainDefIDsParseString(xml, provconn->xmlopt, parse_flags))) ++ return NULL; + + if (virDomainCreateXMLEnsureACL(conn, def) < 0) ++ return NULL; ++ ++ g_clear_pointer(&def, virDomainDefFree); ++ ++ if ((def = virDomainDefParseString(xml, privconn->xmlopt, ++ NULL, parse_flags)) == NULL) + goto cleanup; + + if (bhyveDomainAssignAddresses(def, NULL) < 0) +-- +2.43.5 + diff --git a/0017-bugfix-for-CVE-2025-12748-3.patch b/0017-bugfix-for-CVE-2025-12748-3.patch new file mode 100644 index 0000000000000000000000000000000000000000..d1151abb76b5c18d3248484dc05ca6daaff39421 --- /dev/null +++ b/0017-bugfix-for-CVE-2025-12748-3.patch 
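Review bot: Both new calls in bhyve_driver.c pass `provconn->xmlopt`, while the existing lines in the same hunks (`virDomainDefParseString(xml, privconn->xmlopt, ...)`) use `privconn`; unless these functions declare a `provconn` the hunk does not show, this does not compile, and because the bhyve driver is only built on FreeBSD a Linux package build would not catch it. The fix is `if (!(def = virDomainDefIDsParseString(xml, privconn->xmlopt, parse_flags)))` in both bhyveDomainDefineXMLFlags and bhyveDomainCreateXML. Separately, both functions now `return NULL` when the EnsureACL check fails while the ID-only `def` is still allocated; the declaration of `def` lies outside the hunk, and if it is a plain pointer released at `cleanup` (as the surviving `goto cleanup` paths suggest) that return leaks it, so `goto cleanup` as in the libxl and lxc patches would be the safer choice.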
@@ -0,0 +1,71 @@ +From a1f48bca077e2f3377f29d746efd4310b8a2910f Mon Sep 17 00:00:00 2001 +From: Martin Kletzander +Date: Thu, 6 Nov 2025 15:43:57 +0100 +Subject: [PATCH] libxl: Check ACLs before parsing the whole domain XML +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Utilise the new virDomainDefIDsParseString() for that. + +Fixes: CVE-2025-12748 +Reported-by: Святослав Терешин +Signed-off-by: Martin Kletzander +Reviewed-by: Michal Privoznik +--- + src/libxl/libxl_driver.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c +index 107477250a..9dcf2dcf2e 100644 +--- a/src/libxl/libxl_driver.c ++++ b/src/libxl/libxl_driver.c +@@ -1027,13 +1027,18 @@ libxlDomainCreateXML(virConnectPtr conn, const char *xml, + if (flags & VIR_DOMAIN_START_VALIDATE) + parse_flags |= VIR_DOMAIN_DEF_PARSE_VALIDATE_SCHEMA; + +- if (!(def = virDomainDefParseString(xml, driver->xmlopt, +- NULL, parse_flags))) ++ if (!(def = virDomainDefIDsParseString(xml, driver->xmlopt, parse_flags))) + goto cleanup; + + if (virDomainCreateXMLEnsureACL(conn, def) < 0) + goto cleanup; + ++ g_clear_pointer(&def, virDomainDefFree); ++ ++ if (!(def = virDomainDefParseString(xml, driver->xmlopt, ++ NULL, parse_flags))) ++ goto cleanup; ++ + if (!(vm = virDomainObjListAdd(driver->domains, &def, + driver->xmlopt, + VIR_DOMAIN_OBJ_LIST_ADD_LIVE | +@@ -2813,6 +2818,14 @@ libxlDomainDefineXMLFlags(virConnectPtr conn, const char *xml, unsigned int flag + if (flags & VIR_DOMAIN_DEFINE_VALIDATE) + parse_flags |= VIR_DOMAIN_DEF_PARSE_VALIDATE_SCHEMA; + ++ if (!(def = virDomainDefIDsParseString(xml, driver->xmlopt, parse_flags))) ++ goto cleanup; ++ ++ if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) ++ goto cleanup; ++ ++ g_clear_pointer(&def, virDomainDefFree); ++ + if (!(def = virDomainDefParseString(xml, driver->xmlopt, + NULL, parse_flags))) + goto cleanup; +@@ -2820,9 
+2833,6 @@ libxlDomainDefineXMLFlags(virConnectPtr conn, const char *xml, unsigned int flag + if (virXMLCheckIllegalChars("name", def->name, "\n") < 0) + goto cleanup; + +- if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) +- goto cleanup; +- + if (!(vm = virDomainObjListAdd(driver->domains, &def, + driver->xmlopt, + 0, +-- +GitLab + diff --git a/0017-bugfix-for-CVE-2025-12748-4.patch b/0017-bugfix-for-CVE-2025-12748-4.patch new file mode 100644 index 0000000000000000000000000000000000000000..d88b1e06df306177e1ec85a52ef021f4810f6b86 --- /dev/null +++ b/0017-bugfix-for-CVE-2025-12748-4.patch 
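Review bot: The ID-only parse added to libxlDomainCreateXML and libxlDomainDefineXMLFlags has no comment explaining why the same XML is now parsed twice, unlike the sibling bhyve, lxc, vz and ch patches, which carry `/* Avoid parsing the whole domain definition for ACL checks */` above the call. Add the same line above each `virDomainDefIDsParseString` call so the double parse is not "simplified" away by a later cleanup. The error paths keep `goto cleanup`, consistent with the rest of these functions, whose cleanup labels lie outside the hunk.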
@@ -0,0 +1,73 @@ +From a6dcfee896f67bb8bdfdbb0b406ac7649fbb4c0f Mon Sep 17 00:00:00 2001 +From: Martin Kletzander +Date: Thu, 6 Nov 2025 15:49:01 +0100 +Subject: [PATCH] lxc: Check ACLs before parsing the whole domain XML +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Utilise the new virDomainDefIDsParseString() for that. + +Fixes: CVE-2025-12748 +Reported-by: Святослав Терешин +Signed-off-by: Martin Kletzander +Reviewed-by: Michal Privoznik +--- + src/lxc/lxc_driver.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c +index 80cf07d2e5..c0a93c0444 100644 +--- a/src/lxc/lxc_driver.c ++++ b/src/lxc/lxc_driver.c +@@ -409,6 +409,15 @@ lxcDomainDefineXMLFlags(virConnectPtr conn, const char *xml, unsigned int flags) + if (!(caps = virLXCDriverGetCapabilities(driver, false))) + goto cleanup; + ++ /* Avoid parsing the whole domain definition for ACL checks */ ++ if (!(def = virDomainDefIDsParseString(xml, driver->xmlopt, parse_flags))) ++ goto cleanup; ++ ++ if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) ++ goto cleanup; ++ ++ g_clear_pointer(&def, virDomainDefFree); ++ + if (!(def = virDomainDefParseString(xml, driver->xmlopt, + NULL, parse_flags))) + goto cleanup; +@@ -416,9 +425,6 @@ lxcDomainDefineXMLFlags(virConnectPtr conn, const char *xml, unsigned int flags) + if (virXMLCheckIllegalChars("name", def->name, "\n") < 0) + goto cleanup; + +- if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) +- goto cleanup; +- + if (virSecurityManagerVerify(driver->securityManager, def) < 0) + goto cleanup; + +@@ -1066,13 +1072,19 @@ lxcDomainCreateXMLWithFiles(virConnectPtr conn, + if (!(caps = virLXCDriverGetCapabilities(driver, false))) + goto cleanup; + +- if (!(def = virDomainDefParseString(xml, driver->xmlopt, +- NULL, parse_flags))) ++ /* Avoid parsing the whole domain definition for ACL checks */ ++ if (!(def = 
virDomainDefIDsParseString(xml, driver->xmlopt, parse_flags))) + goto cleanup; + + if (virDomainCreateXMLWithFilesEnsureACL(conn, def) < 0) + goto cleanup; + ++ g_clear_pointer(&def, virDomainDefFree); ++ ++ if (!(def = virDomainDefParseString(xml, driver->xmlopt, ++ NULL, parse_flags))) ++ goto cleanup; ++ + if (virSecurityManagerVerify(driver->securityManager, def) < 0) + goto cleanup; + +-- +GitLab + diff --git a/0017-bugfix-for-CVE-2025-12748-5.patch b/0017-bugfix-for-CVE-2025-12748-5.patch new file mode 100644 index 0000000000000000000000000000000000000000..2bb511d151fc33f0409d9ae0195d926bbb77598b --- /dev/null +++ b/0017-bugfix-for-CVE-2025-12748-5.patch 
@@ -0,0 +1,64 @@ +From 7285c10a7e70c430f85af7a2b3954892ab3c6d6b Mon Sep 17 00:00:00 2001 +From: Martin Kletzander +Date: Thu, 6 Nov 2025 16:03:26 +0100 +Subject: [PATCH] vz: Check ACLs before parsing the whole domain XML +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Utilise the new virDomainDefIDsParseString() for that. + +Fixes: CVE-2025-12748 +Reported-by: Святослав Терешин +Signed-off-by: Martin Kletzander +Reviewed-by: Michal Privoznik +--- + src/vz/vz_driver.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/src/vz/vz_driver.c b/src/vz/vz_driver.c +index 571735f940..2d8878fe7f 100644 +--- a/src/vz/vz_driver.c ++++ b/src/vz/vz_driver.c +@@ -789,6 +789,15 @@ vzDomainDefineXMLFlags(virConnectPtr conn, const char *xml, unsigned int flags) + if (flags & VIR_DOMAIN_DEFINE_VALIDATE) + parse_flags |= VIR_DOMAIN_DEF_PARSE_VALIDATE_SCHEMA; + ++ /* Avoid parsing the whole domain definition for ACL checks */ ++ if (!(def = virDomainDefIDsParseString(xml, driver->xmlopt, parse_flags))) ++ return NULL; ++ ++ if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) ++ return NULL; ++ ++ g_clear_pointer(&def, virDomainDefFree); ++ + if ((def = virDomainDefParseString(xml, driver->xmlopt, + NULL, parse_flags)) == NULL) + goto cleanup; +@@ -796,9 +805,6 @@ vzDomainDefineXMLFlags(virConnectPtr conn, const char *xml, unsigned int flags) + if (virXMLCheckIllegalChars("name", def->name, "\n") < 0) + goto cleanup; + +- if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) +- goto cleanup; +- + dom = virDomainObjListFindByUUID(driver->domains, def->uuid); + if (dom == NULL) { + virResetLastError(); +@@ -2966,9 +2972,9 @@ vzDomainMigratePrepare3Params(virConnectPtr conn, + | VZ_MIGRATION_COOKIE_DOMAIN_NAME) < 0) + return -1; + +- if (!(def = virDomainDefParseString(dom_xml, driver->xmlopt, +- NULL, +- VIR_DOMAIN_DEF_PARSE_INACTIVE))) ++ /* Avoid parsing the whole domain definition for ACL checks */ 
++ if (!(def = virDomainDefIDsParseString(dom_xml, driver->xmlopt, ++ VIR_DOMAIN_DEF_PARSE_INACTIVE))) + return -1; + + if (dname) { +-- +GitLab + diff --git a/0017-bugfix-for-CVE-2025-12748-6.patch b/0017-bugfix-for-CVE-2025-12748-6.patch new file mode 100644 index 0000000000000000000000000000000000000000..822400f88053e0b602ceae0587c6fa5cda9729db --- /dev/null +++ b/0017-bugfix-for-CVE-2025-12748-6.patch 
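Review bot: In vzDomainMigratePrepare3Params the `virDomainDefParseString` call is replaced outright by `virDomainDefIDsParseString` and not followed by a full parse as in vzDomainDefineXMLFlags, so from here on `def` carries only what virDomainDefParseIDs() fills in; the rest of the function is outside the hunk, and if anything beyond the name and UUID is read from it later (the visible `if (dname)` block suggests only the name is) that field is now empty. A comment next to the call, `/* only the IDs are needed here: ACL check and name override */`, would record that this is deliberate. In vzDomainDefineXMLFlags the new code returns NULL with the ID-only `def` still allocated when the ACL check fails; that is leak-free only if `def` is declared `g_autoptr`, which the hunk does not show, otherwise `goto cleanup` is needed.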
@@ -0,0 +1,82 @@ +From eb4322dfe8fff544d6dac01b2748c20f78f00d69 Mon Sep 17 00:00:00 2001 +From: Martin Kletzander +Date: Thu, 6 Nov 2025 16:23:30 +0100 +Subject: [PATCH] ch: Check ACLs before parsing the whole domain XML +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Utilise the new virDomainDefIDsParseString() for that. + +This is one of the more complex ones since there is also a function that +reads relevant metadata from a save image XML. In order not to extract +the parsing out of the function (and make the function basically trivial +and all callers more complex) add a callback to the function which will +be used to check the ACLs. And since this function is called in APIs +that perform ACL checks both with and without flags, add two of them for +good measure. + +Fixes: CVE-2025-12748 +Reported-by: Святослав Терешин +Signed-off-by: Martin Kletzander +Reviewed-by: Michal Privoznik +--- + src/ch/ch_driver.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/src/ch/ch_driver.c b/src/ch/ch_driver.c +index 96de504..722b74c 100644 +--- a/src/ch/ch_driver.c ++++ b/src/ch/ch_driver.c +@@ -202,14 +202,19 @@ chDomainCreateXML(virConnectPtr conn, + if (flags & VIR_DOMAIN_START_VALIDATE) + parse_flags |= VIR_DOMAIN_DEF_PARSE_VALIDATE_SCHEMA; + ++ /* Avoid parsing the whole domain definition for ACL checks */ ++ if (!(vmdef = virDomainDefIDsParseString(xml, driver->xmlopt, parse_flags))) ++ return NULL; ++ ++ if (virDomainCreateXMLEnsureACL(conn, vmdef) < 0) ++ return NULL; ++ ++ g_clear_pointer(&vmdef, virDomainDefFree); + + if ((vmdef = virDomainDefParseString(xml, driver->xmlopt, + NULL, parse_flags)) == NULL) + goto cleanup; + +- if (virDomainCreateXMLEnsureACL(conn, vmdef) < 0) +- goto cleanup; +- + if (!(vm = virDomainObjListAdd(driver->domains, + &vmdef, + driver->xmlopt, +@@ -284,6 +289,15 @@ chDomainDefineXMLFlags(virConnectPtr conn, const char *xml, unsigned int flags) 
+ if (flags & VIR_DOMAIN_START_VALIDATE) + parse_flags |= VIR_DOMAIN_DEF_PARSE_VALIDATE_SCHEMA; + ++ /* Avoid parsing the whole domain definition for ACL checks */ ++ if (!(vmdef = virDomainDefIDsParseString(xml, driver->xmlopt, parse_flags))) ++ return NULL; ++ ++ if (virDomainDefineXMLFlagsEnsureACL(conn, vmdef) < 0) ++ return NULL; ++ ++ g_clear_pointer(&vmdef, virDomainDefFree); ++ + if ((vmdef = virDomainDefParseString(xml, driver->xmlopt, + NULL, parse_flags)) == NULL) + goto cleanup; +@@ -291,9 +305,6 @@ chDomainDefineXMLFlags(virConnectPtr conn, const char *xml, unsigned int flags) + if (virXMLCheckIllegalChars("name", vmdef->name, "\n") < 0) + goto cleanup; + +- if (virDomainDefineXMLFlagsEnsureACL(conn, vmdef) < 0) +- goto cleanup; +- + if (!(vm = virDomainObjListAdd(driver->domains, &vmdef, + driver->xmlopt, + 0, NULL))) +-- +2.43.5 + diff --git a/0017-bugfix-for-CVE-2025-12748-7.patch b/0017-bugfix-for-CVE-2025-12748-7.patch new file mode 100644 index 0000000000000000000000000000000000000000..99cca23bc28eaf32a627590396f675402525c064 --- /dev/null +++ b/0017-bugfix-for-CVE-2025-12748-7.patch 
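Review bot: The patch description says a callback is added to the function that reads save-image metadata (two of them, for the APIs with and without flags), but the diffstat is `src/ch/ch_driver.c | 23 +++++++++++++++++------` and the hunks touch only chDomainCreateXML and chDomainDefineXMLFlags. If that part was dropped because this 9.10.0 tree has no save-image reader, the header should say so, e.g. `[backport: save-image ACL callback not applicable to 9.10.0]`, otherwise the backport is incomplete against the upstream commit the spec comment names for it. As in the other drivers, the `return NULL` after a failed EnsureACL relies on `vmdef` being `g_autoptr`-managed; its declaration is outside the hunk and should be checked.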
@@ -0,0 +1,212 @@ +From 0a5997cd3da34cc44e9fca6e69e4b3ccbb436187 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E6=9D=A8=E8=AF=9A?= +Date: Thu, 20 Nov 2025 16:26:07 +0800 +Subject: [PATCH] CVE-2025-12748-7.1 + +--- + src/qemu/qemu_driver.c | 66 +++++++++++++++++++++------------------ + src/qemu/qemu_migration.c | 23 +++++++++++++- + src/qemu/qemu_migration.h | 4 ++- + 3 files changed, 61 insertions(+), 32 deletions(-) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index bf755c7..ac22b8d 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -1604,11 +1604,17 @@ static virDomainPtr qemuDomainCreateXML(virConnectPtr conn, + if (flags & VIR_DOMAIN_START_RESET_NVRAM) + start_flags |= VIR_QEMU_PROCESS_START_RESET_NVRAM; + +- if (!(def = virDomainDefParseString(xml, driver->xmlopt, +- NULL, parse_flags))) +- goto cleanup; ++ /* Avoid parsing the whole domain definition for ACL checks */ ++ if (!(def = virDomainDefIDsParseString(xml, driver->xmlopt, parse_flags))) ++ return NULL; + + if (virDomainCreateXMLEnsureACL(conn, def) < 0) ++ return NULL; ++ ++ g_clear_pointer(&def, virDomainDefFree); ++ ++ if (!(def = virDomainDefParseString(xml, driver->xmlopt, ++ NULL, parse_flags))) + goto cleanup; + + if (!(vm = virDomainObjListAdd(driver->domains, &def, +@@ -6412,6 +6418,15 @@ qemuDomainDefineXMLFlags(virConnectPtr conn, + if (flags & VIR_DOMAIN_DEFINE_VALIDATE) + parse_flags |= VIR_DOMAIN_DEF_PARSE_VALIDATE_SCHEMA; + ++ /* Avoid parsing the whole domain definition for ACL checks */ ++ if (!(def = virDomainDefIDsParseString(xml, driver->xmlopt, parse_flags))) ++ return NULL; ++ ++ if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) ++ return NULL; ++ ++ g_clear_pointer(&def, virDomainDefFree); ++ + if (!(def = virDomainDefParseString(xml, driver->xmlopt, + NULL, parse_flags))) + return NULL; +@@ -6419,9 +6434,6 @@ qemuDomainDefineXMLFlags(virConnectPtr conn, + if (virXMLCheckIllegalChars("name", def->name, "\n") < 0) + goto cleanup; + +- if 
(virDomainDefineXMLFlagsEnsureACL(conn, def) < 0) +- goto cleanup; +- + if (!(vm = virDomainObjListAdd(driver->domains, &def, + driver->xmlopt, + 0, &oldDef))) +@@ -10636,10 +10648,9 @@ qemuDomainMigratePrepareTunnel(virConnectPtr dconn, + return -1; + } + +- if (!(def = qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname, &origname))) +- return -1; +- +- if (virDomainMigratePrepareTunnelEnsureACL(dconn, def) < 0) ++ if (!(def = qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname, &origname, ++ dconn, ++ virDomainMigratePrepareTunnelEnsureACL))) + return -1; + + return qemuMigrationDstPrepareTunnel(driver, dconn, +@@ -10689,10 +10700,9 @@ qemuDomainMigratePrepare2(virConnectPtr dconn, + return -1; + } + +- if (!(def = qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname, &origname))) +- return -1; +- +- if (virDomainMigratePrepare2EnsureACL(dconn, def) < 0) ++ if (!(def = qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname, &origname, ++ dconn, ++ virDomainMigratePrepare2EnsureACL))) + return -1; + + /* Do not use cookies in v2 protocol, since the cookie +@@ -10911,10 +10921,9 @@ qemuDomainMigratePrepare3(virConnectPtr dconn, + QEMU_MIGRATION_DESTINATION))) + return -1; + +- if (!(def = qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname, &origname))) +- return -1; +- +- if (virDomainMigratePrepare3EnsureACL(dconn, def) < 0) ++ if (!(def = qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname, &origname, ++ dconn, ++ virDomainMigratePrepare3EnsureACL))) + return -1; + + return qemuMigrationDstPrepareDirect(driver, dconn, +@@ -11019,10 +11028,9 @@ qemuDomainMigratePrepare3Params(virConnectPtr dconn, + return -1; + } + +- if (!(def = qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname, &origname))) +- return -1; +- +- if (virDomainMigratePrepare3ParamsEnsureACL(dconn, def) < 0) ++ if (!(def = qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname, &origname, ++ dconn, ++ virDomainMigratePrepare3ParamsEnsureACL))) + return -1; + + return 
qemuMigrationDstPrepareDirect(driver, dconn, +@@ -11064,10 +11072,9 @@ qemuDomainMigratePrepareTunnel3(virConnectPtr dconn, + QEMU_MIGRATION_DESTINATION))) + return -1; + +- if (!(def = qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname, &origname))) +- return -1; +- +- if (virDomainMigratePrepareTunnel3EnsureACL(dconn, def) < 0) ++ if (!(def = qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname, &origname, ++ dconn, ++ virDomainMigratePrepareTunnel3EnsureACL))) + return -1; + + return qemuMigrationDstPrepareTunnel(driver, dconn, +@@ -11116,10 +11123,9 @@ qemuDomainMigratePrepareTunnel3Params(virConnectPtr dconn, + QEMU_MIGRATION_DESTINATION))) + return -1; + +- if (!(def = qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname, &origname))) +- return -1; +- +- if (virDomainMigratePrepareTunnel3ParamsEnsureACL(dconn, def) < 0) ++ if (!(def = qemuMigrationAnyPrepareDef(driver, NULL, dom_xml, dname, &origname, ++ dconn, ++ virDomainMigratePrepareTunnel3ParamsEnsureACL))) + return -1; + + return qemuMigrationDstPrepareTunnel(driver, dconn, +diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c +index f9c34b7..4977121 100644 +--- a/src/qemu/qemu_migration.c ++++ b/src/qemu/qemu_migration.c +@@ -3830,7 +3830,9 @@ qemuMigrationAnyPrepareDef(virQEMUDriver *driver, + virQEMUCaps *qemuCaps, + const char *dom_xml, + const char *dname, +- char **origname) ++ char **origname, ++ virConnectPtr sconn, ++ int (*ensureACL)(virConnectPtr, virDomainDef *)) + { + virDomainDef *def; + char *name = NULL; +@@ -3841,6 +3843,24 @@ qemuMigrationAnyPrepareDef(virQEMUDriver *driver, + return NULL; + } + ++ if (ensureACL) { ++ g_autoptr(virDomainDef) aclDef = NULL; ++ ++ /* Avoid parsing the whole domain definition for ACL checks */ ++ if (!(aclDef = virDomainDefIDsParseString(dom_xml, driver->xmlopt, ++ VIR_DOMAIN_DEF_PARSE_INACTIVE))) ++ return NULL; ++ ++ if (dname) { ++ VIR_FREE(aclDef->name); ++ aclDef->name = g_strdup(dname); ++ } ++ ++ if (ensureACL(sconn, 
aclDef) < 0) { ++ return NULL; ++ } ++ } ++ + if (!(def = virDomainDefParseString(dom_xml, driver->xmlopt, + qemuCaps, + VIR_DOMAIN_DEF_PARSE_INACTIVE | +@@ -4774,6 +4794,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, + if (!(persistDef = qemuMigrationAnyPrepareDef(driver, + priv->qemuCaps, + persist_xml, ++ NULL, NULL, + NULL, NULL))) + goto error; + } else { +diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h +index ed62fd4..f43a96f 100644 +--- a/src/qemu/qemu_migration.h ++++ b/src/qemu/qemu_migration.h +@@ -131,7 +131,9 @@ qemuMigrationAnyPrepareDef(virQEMUDriver *driver, + virQEMUCaps *qemuCaps, + const char *dom_xml, + const char *dname, +- char **origname); ++ char **origname, ++ virConnectPtr sconn, ++ int (*ensureACL)(virConnectPtr, virDomainDef *)); + + int + qemuMigrationDstPrepareTunnel(virQEMUDriver *driver, +-- +2.43.5 + diff --git a/0018-bugfix-for-CVE-2025-13193.patch b/0018-bugfix-for-CVE-2025-13193.patch new file mode 100644 index 0000000000000000000000000000000000000000..b6513fddb7ac037e7024f6a2ab0380e5ffb3aa9b --- /dev/null +++ b/0018-bugfix-for-CVE-2025-13193.patch 
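Review bot: The patch header carries only `Subject: [PATCH] CVE-2025-12748-7.1`, with no description and a different author and hash from the upstream commit the spec comment points to (2a326c415a7e1cdd49989cc7e46b88d9ca90dd97), so a reader cannot tell it is a backport or what was adapted; add `(cherry picked from commit 2a326c415a7e1cdd49989cc7e46b88d9ca90dd97)` plus a sentence on the adaptation. In qemuMigrationAnyPrepareDef the new parameter is named `sconn`, but every caller passes `dconn`, the destination connection the ACL is checked against; naming it `conn` and documenting the `ensureACL` contract in qemu_migration.h (called with an ID-only def whose name is already overridden by @dname, NULL skips the check) would avoid confusion. The new ACL block also braces the single-line `return NULL;` unlike the neighbouring checks in the same function, a minor style inconsistency.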
@@ -0,0 +1,36 @@
+From a379327d8abcde8ac8d3e16fe5e4ba6f790d767a Mon Sep 17 00:00:00 2001
+From: Peter Krempa
+Date: Wed, 12 Nov 2025 17:52:05 +0100
+Subject: [PATCH] qemu: snapshot: Set umask for 'qemu-img' when creating
+ external inactive snapshots
+
+External inactive snapshots are created by invoking 'qemu-img' which
+creates the file. Currently qemu-img creates image with mode 644 based
+on default umask as libvirt doesn't set any.
+
+Having a world-readable image is obviously wrong so set the umask to
+077 to have the file readable only by the owner.
+
+Resolves: https://bugs.debian.org/1120119
+Signed-off-by: Peter Krempa
+---
+ src/qemu/qemu_snapshot.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/qemu/qemu_snapshot.c b/src/qemu/qemu_snapshot.c
+index 5aa7d1b3a7..302775af92 100644
+--- a/src/qemu/qemu_snapshot.c
++++ b/src/qemu/qemu_snapshot.c
+@@ -228,6 +228,9 @@ qemuSnapshotCreateQcow2Files(virDomainDef *def,
+ NULL)))
+ return -1;
+
++ /* ensure that new files are only readable by the user */
++ virCommandSetUmask(cmd, 0077);
++
+ /* adds cmd line arg: backing_fmt=format,backing_file=/path/to/backing/file */
+ virBufferAsprintf(&buf, "backing_fmt=%s,backing_file=",
+ virStorageFileFormatTypeToString(defdisk->src->format));
+--
+GitLab
+
diff --git a/libvirt.spec b/libvirt.spec
index 40958825783529647c07cb35e2f77640a1e7c014..953e62494d9a5740a3c002847766c046ab239bd1 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -1,4 +1,4 @@
-%define anolis_release 15
+%define anolis_release 16
 %define arches_qemu_kvm x86_64 aarch64 loongarch64 sw_64 riscv64
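Review bot: This patch is listed in the spec as the fix for CVE-2025-13193, but its header only says `Resolves: https://bugs.debian.org/1120119`; add `Fixes: CVE-2025-13193` as the other backported patches do, so the changelog entry and the patch agree. The umask only governs files that qemu-img creates in this invocation: a pre-existing target image keeps whatever mode it already has, and any other file-creation path in qemuSnapshotCreateQcow2Files outside the hunk is unaffected, which the comment could make explicit — `/* umask 0077: files qemu-img creates here become owner-only; existing files keep their mode */`. The function continues outside the hunk, so whether the same command object is reused for further files cannot be confirmed from here.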
@@ -180,6 +180,22 @@ Patch0013: 0013-conf-qemu-Fix-some-code-about-Reuse-ASID-for-Hygon-C.patch
 Patch0014: 0014-conf-qemu-support-provide-inject-secret-for-Hygon-CS.patch
 Patch0015: 0015-Add-support-for-phytium-live-migrate-and-s5000c-mode.patch
 Patch0016: 0016-cpu-Add-new-Chengdu-CPU-model.patch
+# https://gitlab.com/libvirt/libvirt/-/commit/e6de1e43ab6e907225b8f9bcea3772231908717e
+Patch0017: 0017-bugfix-for-CVE-2025-12748-1.patch
+# https://gitlab.com/libvirt/libvirt/-/commit/b45f10bc0a2f30ccdbf2cb55da2e4f85b3ebfb23
+Patch0018: 0017-bugfix-for-CVE-2025-12748-2.patch
+# https://gitlab.com/libvirt/libvirt/-/commit/a1f48bca077e2f3377f29d746efd4310b8a2910f
+Patch0019: 0017-bugfix-for-CVE-2025-12748-3.patch
+# https://gitlab.com/libvirt/libvirt/-/commit/a6dcfee896f67bb8bdfdbb0b406ac7649fbb4c0f
+Patch0020: 0017-bugfix-for-CVE-2025-12748-4.patch
+# https://gitlab.com/libvirt/libvirt/-/commit/7285c10a7e70c430f85af7a2b3954892ab3c6d6b
+Patch0021: 0017-bugfix-for-CVE-2025-12748-5.patch
+# https://gitlab.com/libvirt/libvirt/-/commit/eb4322dfe8fff544d6dac01b2748c20f78f00d69
+Patch0022: 0017-bugfix-for-CVE-2025-12748-6.patch
+# https://gitlab.com/libvirt/libvirt/-/commit/2a326c415a7e1cdd49989cc7e46b88d9ca90dd97
+Patch0023: 0017-bugfix-for-CVE-2025-12748-7.patch
+# https://gitlab.com/libvirt/libvirt/-/commit/a379327d8abcde8ac8d3e16fe5e4ba6f790d767a
+Patch0024: 0018-bugfix-for-CVE-2025-13193.patch
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -2169,6 +2185,9 @@ exit 0
 %changelog
+* Thu Nov 20 2025 YangCheng - 9.10.0-16
+- Add patch to fix CVE-2025-12748 and CVE-2025-13193
+
 * Thu Oct 23 2025 Yihao Yan - 9.10.0-15
 - fix rpath
 - raising the test timeout