[ubuntu/questing-security] libvirt 11.6.0-1ubuntu3.2 (Accepted)

[Marc Deslauriers]

libvirt (11.6.0-1ubuntu3.2) questing-security; urgency=medium

  * SECURITY UPDATE: memory consumption DoS via XML parsing
    - debian/patches/CVE-2025-12748-1.patch: add virDomainDefIDsParseString
      in src/conf/domain_conf.c, src/conf/domain_conf.h,
      src/libvirt_private.syms.
    - debian/patches/CVE-2025-12748-2.patch: check ACLs before parsing the
      whole domain XML in src/bhyve/bhyve_driver.c.
    - debian/patches/CVE-2025-12748-3.patch: check ACLs before parsing the
      whole domain XML in src/libxl/libxl_driver.c,
    - debian/patches/CVE-2025-12748-4.patch: check ACLs before parsing the
      whole domain XML in src/lxc/lxc_driver.c.
    - debian/patches/CVE-2025-12748-5.patch: check ACLs before parsing the
      whole domain XML in src/vz/vz_driver.c.
    - debian/patches/CVE-2025-12748-6.patch: check ACLs before parsing the
      whole domain XML in src/ch/ch_driver.c.
    - debian/patches/CVE-2025-12748-7.patch: check ACLs before parsing the
      whole domain XML in src/qemu/qemu_driver.c,
      src/qemu/qemu_migration.c, src/qemu/qemu_migration.h,
      src/qemu/qemu_saveimage.c, src/qemu/qemu_saveimage.h,
      src/qemu/qemu_snapshot.c.
    - debian/patches/CVE-2025-12748-8.patch: fix typo in bhyve driver in
      src/bhyve/bhyve_driver.c.
    - CVE-2025-12748
  * SECURITY UPDATE: incorrect world-readable permissions on snapshots
    - debian/patches/CVE-2025-13193.patch: set umask for qemu-img when
      creating external inactive snapshots in src/qemu/qemu_snapshot.c.
    - CVE-2025-13193

Date: 2025-12-08 19:02:24.106820+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/libvirt/11.6.0-1ubuntu3.2
-------------- next part --------------
Sorry, changesfile not available.