Re: [libvirt] [PATCH 1/3] Fix typo in identity code which is pre-requisite for CVE-2013-4311
On 09/23/2013 08:11 AM, Eric Blake wrote:
On 09/23/2013 05:46 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange(a)redhat.com>
>
> The fix for CVE-2013-4311 had a pre-requisite enhancement
> to the identity code
>
> commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176
> Author: Daniel P. Berrange <berrange(a)redhat.com>
> Date: Thu Aug 22 16:00:01 2013 +0100
>
> Also store user & group ID values in virIdentity
>
> This had a typo which caused the group ID to overwrite the
> user ID string. This meant any checks using this would have
> the wrong ID value. This only affected the ACL code, not the
> initial polkit auth. It also leaked memory.
>
> Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
> ---
> src/rpc/virnetserverclient.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
ACK
I'm pushing this to master on your behalf, so I can backport it to
v1.1.2-maint, v1.1.1-maint, and v1.1.0-maint; to minimize the time where
those branches are broken. I'll let you push the other two when you are
ready (tests help, but missing a test doesn't hold up a maint branch).
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachments:
- signature.asc (application/pgp-signature — 621 bytes)