]> xenbits.xensource.com Git - libvirt.git/commit
projects / libvirt.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: b7fcc79) | patch
Don't link virt-login-shell against libvirt.so (CVE-2013-4400)
authorDaniel P. Berrange <berrange@redhat.com>
Thu, 10 Oct 2013 12:09:08 +0000 (13:09 +0100)
committerDaniel P. Berrange <berrange@redhat.com>
Mon, 21 Oct 2013 13:03:52 +0000 (14:03 +0100)
commit3e2f27e13b94f7302ad948bcacb5e02c859a25fc
tree1463bdfaaedde6b92b1d3fc2ef3188d10ae69f2atree
parentb7fcc799ad5d8f3e55b89b94e599903e3c092467commit | diff
Don't link virt-login-shell against libvirt.so (CVE-2013-4400)

The libvirt.so library has far too many library deps to allow
linking against it from setuid programs. Those libraries can
do stuff in __attribute__((constructor) functions which is
not setuid safe.

The virt-login-shell needs to link directly against individual
files that it uses, with all library deps turned off except
for libxml2 and libselinux.

Create a libvirt-setuid-rpc-client.la library which is linked
to by virt-login-shell. A config-post.h file allows this library
to disable all external deps except libselinux and libxml2.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
12 files changed:
Makefile.am diff | blob | blame | history
config-post.h [new file with mode: 0644] blob
configure.ac diff | blob | blame | history
daemon/Makefile.am diff | blob | blame | history
examples/domain-events/events-c/Makefile.am diff | blob | blame | history
examples/hellolibvirt/Makefile.am diff | blob | blame | history
examples/openauth/Makefile.am diff | blob | blame | history
gnulib/lib/Makefile.am diff | blob | blame | history
python/Makefile.am diff | blob | blame | history
src/Makefile.am diff | blob | blame | history
src/libvirt.c diff | blob | blame | history
tools/Makefile.am diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.