To: devel@lists.libvirt.org
Subject: [PATCH] NEWS: Add CVE-2025-12748
Date: Fri, 28 Nov 2025 11:05:25 +0100
Message-ID: <6cd0d7951af5ab2eed49a8207f04e034113bfbcb.1764324325.git.mkletzan@redhat.com>
From: Martin Kletzander via Devel
Reply-To: Martin Kletzander

From: Martin Kletzander

Signed-off-by: Martin Kletzander
Reviewed-by: Jiri Denemark
---
 NEWS.rst | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/NEWS.rst b/NEWS.rst index c742954091df..8cc6e698ca25 100644 --- a/NEWS.rst +++ b/NEWS.rst 
@@ -13,6 +13,22 @@ v11.10.0 (unreleased) =20 * **Security** =20 + * CVE-2025-12748: Denial of service by some ACL-limited accounts + + Parsing of user provided XMLs in APIs which needed the identification + information from those XML definitions was done in full before ACL che= cks + were performed. Some valid, but useless, definitions could cause allo= cation + of too much memory, leading to denial of service. APIs which do equate= to + full root access (such as ``domain:write``), and were parsing XML + definitions in full before performing ACL checks could, potentially, be + exploited in a way that would allow users (which were about to be deni= ed the + API call) to cause aforementioned overallocation even before the ACL c= hecks + were performed. + + A change was made so that parsing before ACL checks are done only for = the + identification parts of the XML definition (which is needed to perform= the + checks) and full parsing is done only after checking all ACLs. + * **Removed features** =20 * **New features** --=20 2.52.0
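
Review bot: In the first paragraph of the CVE-2025-12748 entry, the sentence beginning "APIs which do equate to full root access (such as ``domain:write``), and were parsing XML definitions in full before performing ACL checks" is hard to follow: the comma before "and" splits the subject from its second clause, and it takes a second read to see that the exposure is a caller who was about to be denied the call still reaching the full parser. Suggest restating it as one direct sentence that names who could trigger the allocation and at which point in the call, and dropping "aforementioned". In the second paragraph, "parsing before ACL checks are done only for" should read "is done only for", since the subject is "parsing", and "user provided XMLs" would read better as "user-provided XML". The entry also does not say which APIs were affected; if the set is small, listing them would help administrators judge their exposure.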