Re: [PATCH for 6.6.0] news: Document recent CVE fix

Peter Krempa <pkrempa@xxxxxxxxxx> · Mon, 27 Jul 2020 10:04:27 +0200

On Mon, Jul 27, 2020 at 09:54:50 +0200, Michal Privoznik wrote:
> Document the fix of leaking /dev/mapper/control to QEMU (fixed in
> v6.6.0-rc1-3-g2249455654).
> 
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---
>  NEWS.rst | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/NEWS.rst b/NEWS.rst
> index ff977968c7..8b53d21b8a 100644
> --- a/NEWS.rst
> +++ b/NEWS.rst
> @@ -33,6 +33,13 @@ v6.6.0 (unreleased)
>  
>  * **Bug fixes**
>  
> +  * virdevmapper: Don't use libdevmapper to obtain dependencies
> +
> +    When building domain's private ``/dev`` in a namespace, libdevmapper was
> +    consulted for getting full dependency tree of domain's disks. However, this
> +    meant that libdevmapper opened ``/dev/mapper/control`` which wasn't closed
> +    and was leaked to QEMU. CVE-2020-14339

I see that these were pushed now, but I can't find them in the list. I
presume you went through libvirt-security for review. Please post them
to libvir-list anyways for future reference.