File a379327d-CVE-2025-13193.patch of Package libvirt.42084

commit b10c648df9e390316a1e6dfc7e3d3946eeb12e46
Author: Peter Krempa <pkrempa@redhat.com>
Date:   Wed Nov 12 17:52:05 2025 +0100

    qemu: snapshot: Set umask for 'qemu-img' when creating external inactive snapshots
    
    External inactive snapshots are created by invoking 'qemu-img' which
    creates the file. Currently qemu-img creates the image with mode 644 based
    on default umask as libvirt doesn't set any.
    
    Having a world-readable image is obviously wrong so set the umask to
    077 to have the file readable only by the owner.
    
    Resolves: https://bugs.debian.org/1120119
    References: bsc#1253703, CVE-2025-13193
    
    Signed-off-by: Peter Krempa <pkrempa@redhat.com>
    (cherry picked from commit a379327d8abcde8ac8d3e16fe5e4ba6f790d767a)
    Signed-off-by: Jim Fehlig <jfehlig@suse.com>

Index: libvirt-7.1.0/src/qemu/qemu_snapshot.c
===================================================================
--- libvirt-7.1.0.orig/src/qemu/qemu_snapshot.c
+++ libvirt-7.1.0/src/qemu/qemu_snapshot.c
@@ -218,6 +218,9 @@ qemuSnapshotCreateInactiveExternal(virQE
                                          NULL)))
             goto cleanup;
 
+        /* ensure that new files are only readable by the user */
+        virCommandSetUmask(cmd, 0077);
+
         /* adds cmd line arg: backing_fmt=format,backing_file=/path/to/backing/file */
         virBufferAsprintf(&buf, "backing_fmt=%s,backing_file=",
                           virStorageFileFormatTypeToString(defdisk->src->format));
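Review bot: The comment above the added virCommandSetUmask(cmd, 0077) call says "readable by the user" where the commit message says "owner", and it does not record why the call is needed. Consider wording it as "qemu-img would otherwise create the image with mode 644 from the default umask; restrict new files to the owner". The umask only applies to files this qemu-img invocation creates, so overlay images written by builds without this change keep mode 644. A release-note line asking administrators to check the permissions of existing external inactive snapshot images would cover that case.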