Upstream has announced a security issue on October 17: https://www.redhat.com/archives/libguestfs/2013-October/msg00031.html The announcement contains a patch. The issue is fixed in 1.24, as indicated in the Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1016960
Fix uploaded to cauldron. Freeze push requested.
Status: NEW => RESOLVED
Resolution: (none) => FIXED
It has not yet been uploaded, reopening. We can close when it's pushed.
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Thomas did push this in Cauldron, but the build failed (due to an unpackaged man page): http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20131023142712.tmb.valstar.6033/log/libguestfs-1.24.0-2.mga4/build.0.20131023142726.log Also, I noticed in the build log a "supermin" command that looks like it's downloading a bunch of packages. If I'm not mistaken, package builds shouldn't download things. It looks like it's just Mageia packages it downloaded, so with proper BuildRequires I'd think it should be able to get the files it needs directly from the build chroot.
CC: (none) => tmb
Ok, it's built now and uploaded in libguestfs-1.24.0-2.mga4.
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
The problem with putting in BuildRequires is that libguestfs calls supermin, which calls urpmi to install the rpms onto the virtual guest disk. A BuildRequires would unpack the rpms into the chroot environment, but not the virtual disk which is created by libguestfs. Assuming that everything works the way that I think it does, supermin actually doesn't download the rpms from the network, but from the build cache.
URL: (none) => http://lwn.net/Vulnerabilities/571976/