4:19 p.m.
Hi,
attached patch adds the missing checks for
https://bugzilla.redhat.com/show_bug.cgi?id=683650
O.k. to apply?
Cheers,
-- Guido
10:25 p.m.
On Sat, Mar 12, 2011 at 11:19:33PM +0100, Guido Günther wrote:
Hi,
attached patch adds the missing checks for
https://bugzilla.redhat.com/show_bug.cgi?id=683650
O.k. to apply?
Cheers,
-- Guido
This led me to review the full set of entry points.
Okay, ACK, I applied it, but I also added virConnectDomainXMLToNative
for the following reason:
paphio:~ -> grep shutdown test.xml
<emulator>/sbin/shutdown</emulator>
paphio:~ -> virsh --readonly -c qemu+ssh://test/system domxml-to-native
--format qemu-argv --xml test.xml
error: internal error Child process exited with status 1.
paphio:~ ->
Sure "/sbin/shutdown --help" fails, but it's still a remote
execution hazard which should not be allowed on readon only connections,
I prefer to close now since it's in same class of errors.
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
3:08 a.m.
Hi Daniel,
On Mon, Mar 14, 2011 at 11:25:08AM +0800, Daniel Veillard wrote:
On Sat, Mar 12, 2011 at 11:19:33PM +0100, Guido Günther wrote:
> Hi,
> attached patch adds the missing checks for
>
> https://bugzilla.redhat.com/show_bug.cgi?id=683650
>
> O.k. to apply?
> Cheers,
> -- Guido
This led me to review the full set of entry points.
Okay, ACK, I applied it, but I also added virConnectDomainXMLToNative
for the following reason:
paphio:~ -> grep shutdown test.xml
<emulator>/sbin/shutdown</emulator>
paphio:~ -> virsh --readonly -c qemu+ssh://test/system domxml-to-native
--format qemu-argv --xml test.xml
error: internal error Child process exited with status 1.
paphio:~ ->
Sure "/sbin/shutdown --help" fails, but it's still a remote
execution hazard which should not be allowed on readon only connections,
I prefer to close now since it's in same class of errors.
Good catch. I missed that one during my review. Thanks for applying the
patch!
Cheers,
-- Guido
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
3:23 a.m.
On Mon, Mar 14, 2011 at 09:08:36AM +0100, Guido Günther wrote:
Hi Daniel,
On Mon, Mar 14, 2011 at 11:25:08AM +0800, Daniel Veillard wrote:
> On Sat, Mar 12, 2011 at 11:19:33PM +0100, Guido Günther wrote:
> > Hi,
> > attached patch adds the missing checks for
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=683650
> >
> > O.k. to apply?
> > Cheers,
> > -- Guido
>
> This led me to review the full set of entry points.
> Okay, ACK, I applied it, but I also added virConnectDomainXMLToNative
> for the following reason:
>
> paphio:~ -> grep shutdown test.xml
> <emulator>/sbin/shutdown</emulator>
> paphio:~ -> virsh --readonly -c qemu+ssh://test/system domxml-to-native
> --format qemu-argv --xml test.xml
> error: internal error Child process exited with status 1.
>
> paphio:~ ->
>
> Sure "/sbin/shutdown --help" fails, but it's still a remote
> execution hazard which should not be allowed on readon only connections,
> I prefer to close now since it's in same class of errors.
Good catch. I missed that one during my review.
Well that one is a bit hidden, it's really due to way the internal
QEmu driver works, reverse operation should a priori be fine.
Thanks for applying the
patch!
No problem, thanks for chasing them, I think it's now 4 of us
who went though the full API set, hopefully we're safe now :-)
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
5003
days inactive
5005
days old
3 comments
2 participants
participants (2)
-
Daniel Veillard -
Guido Günther