
app-emulation/libvirt: Backport fixes for two CVEs #36242

Closed
wants to merge 2 commits into from

Conversation

zippy2
Contributor

@zippy2 zippy2 commented Apr 13, 2024

Two CVEs were identified recently. Unfortunately, they affect nearly all versions in portage. On the up side - both flaws can be triggered only when using libvirt's RPC directly, i.e. apps using libvirt APIs are NOT affected.

@gentoo-bot

Pull Request assignment

Submitter: @zippy2
Areas affected: ebuilds
Packages affected: app-emulation/libvirt

app-emulation/libvirt: @tamiko, @zippy2, @gentoo/virtualization

Linked bugs

No bugs to link found. If your pull request references any of the Gentoo bug reports, please add appropriate GLEP 66 tags to the commit message and request reassignment.


In order to force reassignment and/or bug reference scan, please append [please reassign] to the pull request title.


@gentoo-bot gentoo-bot added self-maintained The PR changes only packages that are maintained by the submitter (i.e. no need to ask anybody else) assigned PR successfully assigned to the package maintainer(s). labels Apr 13, 2024
@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2024-04-13 19:25 UTC
Newest commit scanned: 9241f9b
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/3bd7ccd3dd/output.html

@thesamesam
Member

Sorry I didn't notice this before -- would you mind filing a security bug on bugs.gentoo.org and tagging it with Bug: in this commit?

Also, note that while git mv is not ideal for patches sometimes, I think it's okay here, as the change is obviously right

@zippy2
Contributor Author

zippy2 commented Apr 13, 2024

Sorry I didn't notice this before -- would you mind filing a security bug on bugs.gentoo.org and tagging it with Bug: in this commit?

Sure thing.

Also, note that while git mv is not ideal for patches sometimes, I think it's okay here, as the change is obviously right

How come? What else should I use?

@thesamesam
Member

The reason being that patches may introduce regressions, and by doing git mv here, you're not allowing people to downgrade easily and we also circumvent the stabilisation process.

But in this case, they're just introducing bounds checks, so given it's a security bug, it's probably fine.

The alternative is to cp each relevant version to -rN+1 and ekeyword ~all them, then file a stable bug (shorter than 30 days like usual) for them quickly.
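The revbump alternative described above, as an added example that is not code from this PR or from Gentoo: `next_revision` computes the `-rN+1` file name, and `revbump_ebuild` copies the ebuild and drops every stable keyword to `~arch`. It assumes `ekeyword` from app-portage/gentoolkit; when that is not installed it falls back to a constructed awk rewrite of the `KEYWORDS` line.

```shell
#!/bin/sh
# Added example (not part of the PR): cp an ebuild to -rN+1 and keyword it
# ~all, as in the comment above. Uses ekeyword (app-portage/gentoolkit) when
# present, otherwise a constructed awk fallback that edits KEYWORDS.

# libvirt-10.0.0.ebuild    -> libvirt-10.0.0-r1.ebuild
# libvirt-10.0.0-r2.ebuild -> libvirt-10.0.0-r3.ebuild
next_revision() {
    base=${1%.ebuild}
    case "$base" in
        *-r[0-9]*) rev=${base##*-r}; stem=${base%-r*} ;;
        *)         rev=0;            stem=$base ;;
    esac
    printf '%s-r%d.ebuild\n' "$stem" "$((rev + 1))"
}

# Drop every stable keyword to testing, leaving ~arch and -arch entries alone.
keywords_to_testing() {
    awk '/^KEYWORDS=/ {
        sub(/^KEYWORDS="/, ""); sub(/"$/, "")
        n = split($0, k, " "); out = ""
        for (i = 1; i <= n; i++) {
            if (k[i] !~ /^[~-]/) k[i] = "~" k[i]
            out = out (i > 1 ? " " : "") k[i]
        }
        print "KEYWORDS=\"" out "\""; next
    }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Copy the ebuild to its next revision and mark it ~arch, so the patched
# revision still has to go through the normal stabilisation process.
revbump_ebuild() {
    src=$1
    dst="$(dirname "$src")/$(next_revision "$(basename "$src")")"
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2
        return 1
    fi
    cp "$src" "$dst" || return 1
    if command -v ekeyword >/dev/null 2>&1; then
        ekeyword ~all "$dst" >/dev/null || return 1
    else
        keywords_to_testing "$dst" || return 1
    fi
    printf '%s\n' "$dst"
}
```

After the copy, the new `-rN+1` ebuild is the one that carries the backported patch, and the stable bug is filed for it separately.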

The fix made it into app-emulation/libvirt-10.1.0 release.
Backport the fix into anything older.

https://nvd.nist.gov/vuln/detail/CVE-2024-1441

Bug: https://bugs.gentoo.org/929965
Signed-off-by: Michal Privoznik <michal.privoznik@gmail.com>

The fix made it into app-emulation/libvirt-10.2.0 release.
Backport the fix into anything older.

https://nvd.nist.gov/vuln/detail/CVE-2024-2494

Bug: https://bugs.gentoo.org/929966
Signed-off-by: Michal Privoznik <michal.privoznik@gmail.com>
@zippy2
Contributor Author

zippy2 commented Apr 13, 2024

Ah, nuances of upstream vs downstream development.

@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2024-04-13 20:09 UTC
Newest commit scanned: 45cb1ee
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/48280b6bfd/output.html

@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2024-04-13 20:29 UTC
Newest commit scanned: ba2242a
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/d9ba17a79f/output.html

@zippy2 zippy2 deleted the libvirt branch April 14, 2024 05:16