libvirt: fix CVE-2025-13193scarthgap

A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-13193 Upstream-patch: https://gitlab.com/libvirt/libvirt/-/commit/a379327d8abcde8ac8d3e16fe5e4ba6f790d767a Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Praveen Kumar <praveen.kumar@windriver.com> 2025-11-27 18:07:34 +0530
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2025-12-02 00:02:34 -0500
commit: 17ac21e7d7f6f40a87618b22278b63bcfa14dbf2 (patch)
tree: 96cca3f4d6976c99244361ec7bf67b7589001748
parent: 389090e499839119d4d9b55a6867663beaac4520 (diff)
download: meta-virtualization-scarthgap.tar.gz
2 files changed, 41 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt/CVE-2025-13193.patch b/recipes-extended/libvirt/libvirt/CVE-2025-13193.patch
new file mode 100644
index 00000000..1ce5de38
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2025-13193.patch
@@ -0,0 +1,40 @@
+From a379327d8abcde8ac8d3e16fe5e4ba6f790d767a Mon Sep 17 00:00:00 2001
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 12 Nov 2025 17:52:05 +0100
+Subject: [PATCH] qemu: snapshot: Set umask for 'qemu-img' when creating
+ external inactive snapshots
+External inactive snapshots are created by invoking 'qemu-img' which
+creates the file. Currently qemu-img creates image with mode 644 based
+on default umask as libvirt doesn't set any.
+Having a world-readable image is obviously wrong so set the umask to
+077 to have the file readable only by the owner.
+Resolves: https://bugs.debian.org/1120119
+CVE: CVE-2025-13193
+Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/a379327d8abcde8ac8d3e16fe5e4ba6f790d767a]
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/qemu/qemu_snapshot.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/qemu/qemu_snapshot.c b/src/qemu/qemu_snapshot.c
+index 73ff533..9819448 100644
+--- a/src/qemu/qemu_snapshot.c
+++ b/src/qemu/qemu_snapshot.c
+@@ -233,6 +233,9 @@ qemuSnapshotCreateQcow2Files(virQEMUDriver *driver,
+                                          NULL)))
+             return -1;
+        /* ensure that new files are only readable by the user */
+        virCommandSetUmask(cmd, 0077);
+
+         /* adds cmd line arg: backing_fmt=format,backing_file=/path/to/backing/file */
+         virBufferAsprintf(&buf, "backing_fmt=%s,backing_file=",
+                           virStorageFileFormatTypeToString(defdisk->src->format));
+--
+2.40.0
diff --git a/recipes-extended/libvirt/libvirt_10.0.0.bb b/recipes-extended/libvirt/libvirt_10.0.0.bb
index 22193ff3..c6e6069c 100644
--- a/recipes-extended/libvirt/libvirt_10.0.0.bb
+++ b/recipes-extended/libvirt/libvirt_10.0.0.bb
@@ -37,6 +37,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
           file://CVE-2024-1441.patch \
           file://CVE-2024-2494.patch \
           file://CVE-2024-4418.patch \
+           file://CVE-2025-13193.patch \
          "
 SRC_URI[libvirt.sha256sum] = "8ba2e72ec8bdd2418554a1474c42c35704c30174b7611eaf9a16544b71bcf00a"
author	Praveen Kumar <praveen.kumar@windriver.com>	2025-11-27 18:07:34 +0530
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2025-12-02 00:02:34 -0500
commit	17ac21e7d7f6f40a87618b22278b63bcfa14dbf2 (patch)
tree	96cca3f4d6976c99244361ec7bf67b7589001748
parent	389090e499839119d4d9b55a6867663beaac4520 (diff)
download	meta-virtualization-scarthgap.tar.gz

diff --git a/recipes-extended/libvirt/libvirt/CVE-2025-13193.patch b/recipes-extended/libvirt/libvirt/CVE-2025-13193.patch new file mode 100644 index 00000000..1ce5de38 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2025-13193.patch
@@ -0,0 +1,40 @@
		1	From a379327d8abcde8ac8d3e16fe5e4ba6f790d767a Mon Sep 17 00:00:00 2001
		2	From: Peter Krempa <pkrempa@redhat.com>
		3	Date: Wed, 12 Nov 2025 17:52:05 +0100
		4	Subject: [PATCH] qemu: snapshot: Set umask for 'qemu-img' when creating
		5	external inactive snapshots
		6
		7	External inactive snapshots are created by invoking 'qemu-img' which
		8	creates the file. Currently qemu-img creates image with mode 644 based
		9	on default umask as libvirt doesn't set any.
		10
		11	Having a world-readable image is obviously wrong so set the umask to
		12	077 to have the file readable only by the owner.
		13
		14	Resolves: https://bugs.debian.org/1120119
		15
		16	CVE: CVE-2025-13193
		17
		18	Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/a379327d8abcde8ac8d3e16fe5e4ba6f790d767a]
		19
		20	Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
		21	---
		22	src/qemu/qemu_snapshot.c \| 3 +++
		23	1 file changed, 3 insertions(+)
		24
		25	diff --git a/src/qemu/qemu_snapshot.c b/src/qemu/qemu_snapshot.c
		26	index 73ff533..9819448 100644
		27	--- a/src/qemu/qemu_snapshot.c
		28	+++ b/src/qemu/qemu_snapshot.c
		29	@@ -233,6 +233,9 @@ qemuSnapshotCreateQcow2Files(virQEMUDriver *driver,
		30	NULL)))
		31	return -1;
		32
		33	+ /* ensure that new files are only readable by the user */
		34	+ virCommandSetUmask(cmd, 0077);
		35	+
		36	/* adds cmd line arg: backing_fmt=format,backing_file=/path/to/backing/file */
		37	virBufferAsprintf(&buf, "backing_fmt=%s,backing_file=",
		38	virStorageFileFormatTypeToString(defdisk->src->format));
		39	--
		40	2.40.0


diff --git a/recipes-extended/libvirt/libvirt_10.0.0.bb b/recipes-extended/libvirt/libvirt_10.0.0.bb index 22193ff3..c6e6069c 100644 --- a/recipes-extended/libvirt/libvirt_10.0.0.bb +++ b/recipes-extended/libvirt/libvirt_10.0.0.bb
@@ -37,6 +37,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
37	file://CVE-2024-1441.patch \	37	file://CVE-2024-1441.patch \
38	file://CVE-2024-2494.patch \	38	file://CVE-2024-2494.patch \
39	file://CVE-2024-4418.patch \	39	file://CVE-2024-4418.patch \
		40	file://CVE-2025-13193.patch \
40	"	41	"
41		42
42	SRC_URI[libvirt.sha256sum] = "8ba2e72ec8bdd2418554a1474c42c35704c30174b7611eaf9a16544b71bcf00a"	43	SRC_URI[libvirt.sha256sum] = "8ba2e72ec8bdd2418554a1474c42c35704c30174b7611eaf9a16544b71bcf00a"