[PATCH] NEWS: Add CVE-2025-12748
From: Martin Kletzander <mkletzan@redhat.com> Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- NEWS.rst | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/NEWS.rst b/NEWS.rst index c742954091df..8cc6e698ca25 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -13,6 +13,22 @@ v11.10.0 (unreleased) * **Security** + * CVE-2025-12748: Denial of service by some ACL-limited accounts + + Parsing of user provided XMLs in APIs which needed the identification + information from those XML definitions was done in full before ACL checks + were performed. Some valid, but useless, definitions could cause allocation + of too much memory, leading to denial of service. APIs which do equate to + full root access (such as ``domain:write``), and were parsing XML + definitions in full before performing ACL checks could, potentially, be + exploited in a way that would allow users (which were about to be denied the + API call) to cause aforementioned overallocation even before the ACL checks + were performed. + + A change was made so that parsing before ACL checks are done only for the + identification parts of the XML definition (which is needed to perform the + checks) and full parsing is done only after checking all ACLs. + * **Removed features** * **New features** -- 2.52.0
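Review bot: the second paragraph of the new entry has a subject/verb mismatch, "parsing before ACL checks are done only for the identification parts" should read "parsing before the ACL checks is done only for the identification parts" (the subject is "parsing", not "checks"). The first paragraph is also hard to follow: the sentence starting "APIs which do equate to full root access (such as ``domain:write``)" reads as if those APIs were a separate case, while the preceding sentence already states the problem for every API that parsed the full XML before the ACL check; consider collapsing the two into one statement that the overallocation was reachable by callers who would subsequently fail the ACL check, and dropping "potentially" since the entry is describing an assigned CVE.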
On Fri, Nov 28, 2025 at 11:05:25 +0100, Martin Kletzander wrote:
From: Martin Kletzander <mkletzan@redhat.com>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- NEWS.rst | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/NEWS.rst b/NEWS.rst index c742954091df..8cc6e698ca25 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -13,6 +13,22 @@ v11.10.0 (unreleased)
* **Security**
+ * CVE-2025-12748: Denial of service by some ACL-limited accounts + + Parsing of user provided XMLs in APIs which needed the identification + information from those XML definitions was done in full before ACL checks + were performed. Some valid, but useless, definitions could cause allocation + of too much memory, leading to denial of service. APIs which do equate to + full root access (such as ``domain:write``), and were parsing XML + definitions in full before performing ACL checks could, potentially, be + exploited in a way that would allow users (which were about to be denied the + API call) to cause aforementioned overallocation even before the ACL checks + were performed. + + A change was made so that parsing before ACL checks are done only for the + identification parts of the XML definition (which is needed to perform the + checks) and full parsing is done only after checking all ACLs. + * **Removed features**
* **New features**
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
On Fri, Nov 28, 2025 at 11:45:34AM +0100, Jiri Denemark wrote:
On Fri, Nov 28, 2025 at 11:05:25 +0100, Martin Kletzander wrote:
From: Martin Kletzander <mkletzan@redhat.com>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- NEWS.rst | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/NEWS.rst b/NEWS.rst index c742954091df..8cc6e698ca25 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -13,6 +13,22 @@ v11.10.0 (unreleased)
* **Security**
+ * CVE-2025-12748: Denial of service by some ACL-limited accounts + + Parsing of user provided XMLs in APIs which needed the identification + information from those XML definitions was done in full before ACL checks + were performed. Some valid, but useless, definitions could cause allocation + of too much memory, leading to denial of service. APIs which do equate to + full root access (such as ``domain:write``), and were parsing XML + definitions in full before performing ACL checks could, potentially, be + exploited in a way that would allow users (which were about to be denied the + API call) to cause aforementioned overallocation even before the ACL checks + were performed. + + A change was made so that parsing before ACL checks are done only for the + identification parts of the XML definition (which is needed to perform the + checks) and full parsing is done only after checking all ACLs. + * **Removed features**
* **New features**
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Ah, I forgot to add your R-b before pushing. Sorry for that, I hope you don't miss many internet points due to my error. Have a nice weekend.