[PATCH] NEWS: Add CVE-2025-12748

Martin Kletzander via Devel posted 1 patch 2 weeks ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/6cd0d7951af5ab2eed49a8207f04e034113bfbcb.1764324325.git.mkletzan@redhat.com
NEWS.rst | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
[PATCH] NEWS: Add CVE-2025-12748
Posted by Martin Kletzander via Devel 2 weeks ago
From: Martin Kletzander <mkletzan@redhat.com>

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
---
 NEWS.rst | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/NEWS.rst b/NEWS.rst
index c742954091df..8cc6e698ca25 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -13,6 +13,22 @@ v11.10.0 (unreleased)
 
 * **Security**
 
+  * CVE-2025-12748: Denial of service by some ACL-limited accounts
+
+    Parsing of user provided XMLs in APIs which needed the identification
+    information from those XML definitions was done in full before ACL checks
+    were performed.  Some valid, but useless, definitions could cause allocation
+    of too much memory, leading to denial of service. APIs which do equate to
+    full root access (such as ``domain:write``), and were parsing XML
+    definitions in full before performing ACL checks could, potentially, be
+    exploited in a way that would allow users (which were about to be denied the
+    API call) to cause aforementioned overallocation even before the ACL checks
+    were performed.
+
+    A change was made so that parsing before ACL checks are done only for the
+    identification parts of the XML definition (which is needed to perform the
+    checks) and full parsing is done only after checking all ACLs.
+
 * **Removed features**
 
 * **New features**
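Review bot: the second added paragraph has a subject/verb agreement slip that should be fixed before this lands in a release NEWS file: "parsing before ACL checks are done only for the identification parts" should read "parsing before ACL checks is done only for the identification parts", since the subject is "parsing", not "checks". In the first paragraph, "APIs which do equate to full root access (such as ``domain:write``)" reads as if the API itself is the thing equivalent to root; "APIs whose required permission is equivalent to full root access" says what is meant. The entry also never says which APIs were affected or what the "identification information" is (the text only implies it is the part of the XML the ACL filter needs), so a reader deciding whether the fix matters for their deployment has nothing to go on; consider naming the affected APIs, or at least linking the CVE advisory, and stating which accounts can trigger it (per the text, any account that can reach the API but would be denied by the ACL).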
-- 
2.52.0
Re: [PATCH] NEWS: Add CVE-2025-12748
Posted by Jiri Denemark via Devel 2 weeks ago
On Fri, Nov 28, 2025 at 11:05:25 +0100, Martin Kletzander wrote:
> From: Martin Kletzander <mkletzan@redhat.com>
> 
> Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
> ---
>  NEWS.rst | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/NEWS.rst b/NEWS.rst
> index c742954091df..8cc6e698ca25 100644
> --- a/NEWS.rst
> +++ b/NEWS.rst
> @@ -13,6 +13,22 @@ v11.10.0 (unreleased)
>  
>  * **Security**
>  
> +  * CVE-2025-12748: Denial of service by some ACL-limited accounts
> +
> +    Parsing of user provided XMLs in APIs which needed the identification
> +    information from those XML definitions was done in full before ACL checks
> +    were performed.  Some valid, but useless, definitions could cause allocation
> +    of too much memory, leading to denial of service. APIs which do equate to
> +    full root access (such as ``domain:write``), and were parsing XML
> +    definitions in full before performing ACL checks could, potentially, be
> +    exploited in a way that would allow users (which were about to be denied the
> +    API call) to cause aforementioned overallocation even before the ACL checks
> +    were performed.
> +
> +    A change was made so that parsing before ACL checks are done only for the
> +    identification parts of the XML definition (which is needed to perform the
> +    checks) and full parsing is done only after checking all ACLs.
> +
>  * **Removed features**
>  
>  * **New features**

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Re: [PATCH] NEWS: Add CVE-2025-12748
Posted by Martin Kletzander via Devel 2 weeks ago
On Fri, Nov 28, 2025 at 11:45:34AM +0100, Jiri Denemark wrote:
>On Fri, Nov 28, 2025 at 11:05:25 +0100, Martin Kletzander wrote:
>> From: Martin Kletzander <mkletzan@redhat.com>
>>
>> Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
>> ---
>>  NEWS.rst | 16 ++++++++++++++++
>>  1 file changed, 16 insertions(+)
>>
>> diff --git a/NEWS.rst b/NEWS.rst
>> index c742954091df..8cc6e698ca25 100644
>> --- a/NEWS.rst
>> +++ b/NEWS.rst
>> @@ -13,6 +13,22 @@ v11.10.0 (unreleased)
>>
>>  * **Security**
>>
>> +  * CVE-2025-12748: Denial of service by some ACL-limited accounts
>> +
>> +    Parsing of user provided XMLs in APIs which needed the identification
>> +    information from those XML definitions was done in full before ACL checks
>> +    were performed.  Some valid, but useless, definitions could cause allocation
>> +    of too much memory, leading to denial of service. APIs which do equate to
>> +    full root access (such as ``domain:write``), and were parsing XML
>> +    definitions in full before performing ACL checks could, potentially, be
>> +    exploited in a way that would allow users (which were about to be denied the
>> +    API call) to cause aforementioned overallocation even before the ACL checks
>> +    were performed.
>> +
>> +    A change was made so that parsing before ACL checks are done only for the
>> +    identification parts of the XML definition (which is needed to perform the
>> +    checks) and full parsing is done only after checking all ACLs.
>> +
>>  * **Removed features**
>>
>>  * **New features**
>
>Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
>

Ah, I forgot to add your R-b before pushing.  Sorry for that, I hope you
don't miss many internet points due to my error.  Have a nice weekend.