On 09/23/2013 08:11 AM, Eric Blake wrote:
On 09/23/2013 05:46 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
The fix for CVE-2013-4311 had a pre-requisite enhancement to the identity code
commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176 Author: Daniel P. Berrange <berrange@redhat.com> Date: Thu Aug 22 16:00:01 2013 +0100
Also store user & group ID values in virIdentity
This had a typo which caused the group ID to overwrite the user ID string. This meant any checks using this would have the wrong ID value. This only affected the ACL code, not the initial polkit auth. It also leaked memory.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/rpc/virnetserverclient.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
ACK
I'm pushing this to master on your behalf, so I can backport it to v1.1.2-maint, v1.1.1-maint, and v1.1.0-maint; to minimize the time where those branches are broken. I'll let you push the other two when you are ready (tests help, but missing a test doesn't hold up a maint branch). -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org