[ubuntu/resolute-proposed] libvirt 11.6.0-1ubuntu7 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Thu Jan 8 14:37:17 UTC 2026

libvirt (11.6.0-1ubuntu7) resolute; urgency=medium

  * SECURITY UPDATE: memory consumption DoS via XML parsing
    - debian/patches/CVE-2025-12748-1.patch: add virDomainDefIDsParseString
      in src/conf/domain_conf.c, src/conf/domain_conf.h,
      src/libvirt_private.syms.
    - debian/patches/CVE-2025-12748-2.patch: check ACLs before parsing the
      whole domain XML in src/bhyve/bhyve_driver.c.
    - debian/patches/CVE-2025-12748-3.patch: check ACLs before parsing the
      whole domain XML in src/libxl/libxl_driver.c.
    - debian/patches/CVE-2025-12748-4.patch: check ACLs before parsing the
      whole domain XML in src/lxc/lxc_driver.c.
    - debian/patches/CVE-2025-12748-5.patch: check ACLs before parsing the
      whole domain XML in src/vz/vz_driver.c.
    - debian/patches/CVE-2025-12748-6.patch: check ACLs before parsing the
      whole domain XML in src/ch/ch_driver.c.
    - debian/patches/CVE-2025-12748-7.patch: check ACLs before parsing the
      whole domain XML in src/qemu/qemu_driver.c,
      src/qemu/qemu_migration.c, src/qemu/qemu_migration.h,
      src/qemu/qemu_saveimage.c, src/qemu/qemu_saveimage.h,
      src/qemu/qemu_snapshot.c.
    - debian/patches/CVE-2025-12748-8.patch: fix typo in bhyve driver in
      src/bhyve/bhyve_driver.c.
    - CVE-2025-12748
  * SECURITY UPDATE: incorrect world-readable permissions on snapshots
    - debian/patches/CVE-2025-13193.patch: set umask for qemu-img when
      creating external inactive snapshots in src/qemu/qemu_snapshot.c.
    - CVE-2025-13193

Date: Mon, 08 Dec 2025 09:16:59 -0500
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/libvirt/11.6.0-1ubuntu7
-------------- next part --------------
Format: 1.8
Date: Mon, 08 Dec 2025 09:16:59 -0500
Source: libvirt
Built-For-Profiles: noudeb
Architecture: source
Version: 11.6.0-1ubuntu7
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Original-Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers at lists.alioth.debian.org>