Overview

File a1f48bca-CVE-2025-12748-p3.patch of Package libvirt.42084

commit be66a9494d802cde7a3d42c9bb42163cb439d700
Author: Martin Kletzander <mkletzan@redhat.com>
Date:   Thu Nov 6 15:43:57 2025 +0100

    libxl: Check ACLs before parsing the whole domain XML
    
    Utilise the new virDomainDefIDsParseString() for that.
    
    Fixes: CVE-2025-12748
    References: bsc#1253278
    
    Reported-by: Святослав Терешин <s.tereshin@fobos-nt.ru>
    Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
    Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
    (cherry picked from commit a1f48bca077e2f3377f29d746efd4310b8a2910f)
    Signed-off-by: Jim Fehlig <jfehlig@suse.com>

Index: libvirt-7.1.0/src/libxl/libxl_driver.c
===================================================================
--- libvirt-7.1.0.orig/src/libxl/libxl_driver.c
+++ libvirt-7.1.0/src/libxl/libxl_driver.c
@@ -1070,13 +1070,18 @@ libxlDomainCreateXML(virConnectPtr conn,
     if (flags & VIR_DOMAIN_START_VALIDATE)
         parse_flags |= VIR_DOMAIN_DEF_PARSE_VALIDATE_SCHEMA;
 
-    if (!(def = virDomainDefParseString(xml, driver->xmlopt,
-                                        NULL, parse_flags)))
+    if (!(def = virDomainDefIDsParseString(xml, driver->xmlopt, parse_flags)))
         goto cleanup;
 
     if (virDomainCreateXMLEnsureACL(conn, def) < 0)
         goto cleanup;
 
+    g_clear_pointer(&def, virDomainDefFree);
+
+    if (!(def = virDomainDefParseString(xml, driver->xmlopt,
+                                        NULL, parse_flags)))
+        goto cleanup;
+
     if (!(vm = virDomainObjListAdd(driver->domains, def,
                                    driver->xmlopt,
                                    VIR_DOMAIN_OBJ_LIST_ADD_LIVE |
@@ -2877,6 +2882,14 @@ libxlDomainDefineXMLFlags(virConnectPtr
     if (flags & VIR_DOMAIN_DEFINE_VALIDATE)
         parse_flags |= VIR_DOMAIN_DEF_PARSE_VALIDATE_SCHEMA;
 
+    if (!(def = virDomainDefIDsParseString(xml, driver->xmlopt, parse_flags)))
+        goto cleanup;
+
+    if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0)
+        goto cleanup;
+
+    g_clear_pointer(&def, virDomainDefFree);
+
     if (!(def = virDomainDefParseString(xml, driver->xmlopt,
                                         NULL, parse_flags)))
         goto cleanup;
@@ -2884,9 +2897,6 @@ libxlDomainDefineXMLFlags(virConnectPtr
     if (virXMLCheckIllegalChars("name", def->name, "\n") < 0)
         goto cleanup;
 
-    if (virDomainDefineXMLFlagsEnsureACL(conn, def) < 0)
-        goto cleanup;
-
     if (!(vm = virDomainObjListAdd(driver->domains, def,
                                    driver->xmlopt,
                                    0,
openSUSE Build Service is sponsored by
Places