app-emulation/libvirt: Backport fixes for two CVEs #36242
Pull Request assignment
Submitter: @zippy2
app-emulation/libvirt: @tamiko, @zippy2, @gentoo/virtualization
Linked bugs: No bugs to link found. If your pull request references any of the Gentoo bug reports, please add appropriate GLEP 66 tags to the commit message and request reassignment. In order to force reassignment and/or bug reference scan, please append
Pull request CI report
Report generated at: 2024-04-13 19:25 UTC
There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
Sorry I didn't notice this before -- would you mind filing a security bug on bugs.gentoo.org and tagging it with
Also, note that while
Sure thing.
How come? What else should I use?
The reason being that patches may introduce regressions, and by doing
But in this case, they're just introducing bounds checks, so given it's a security bug, it's probably fine. The alternative is to
The fix made it into app-emulation/libvirt-10.1.0 release. Backport the fix into anything older.
https://nvd.nist.gov/vuln/detail/CVE-2024-1441
Bug: https://bugs.gentoo.org/929965
Signed-off-by: Michal Privoznik <michal.privoznik@gmail.com>

The fix made it into app-emulation/libvirt-10.2.0 release. Backport the fix into anything older.
https://nvd.nist.gov/vuln/detail/CVE-2024-2494
Bug: https://bugs.gentoo.org/929966
Signed-off-by: Michal Privoznik <michal.privoznik@gmail.com>
Ah, nuances of upstream vs downstream development.
Pull request CI report
Report generated at: 2024-04-13 20:09 UTC
There are existing issues already. Please look into the report to make sure none of them affect the packages in question:

Pull request CI report
Report generated at: 2024-04-13 20:29 UTC
There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
Two CVEs were identified recently. Unfortunately, they affect nearly all versions in portage. On the upside, both flaws can be triggered only when using libvirt's RPC directly, i.e. apps using libvirt APIs are NOT affected.