api: disallow virDomainSaveImageGetXMLDesc on read-only connections
The virDomainSaveImageGetXMLDesc API is taking a path parameter, which can point to any path on the system. This file will then be read and parsed by libvirtd running with root privileges.

Forbid it on read-only connections.

Fixes: CVE-2019-10161
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
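The guard described in the commit message, as an added example that is not libvirt's own code: a simplified model in which the read-only check runs before the caller-supplied path is handed to the privileged reader. `struct conn`, `CONN_RO`, the error codes and all function names are hypothetical, and the sample path is constructed.

```c
#include <stdio.h>

#define CONN_RO 0x1u                 /* hypothetical flag: connection opened read-only */
#define ERR_INVALID_ARG      (-1)    /* hypothetical error codes */
#define ERR_OPERATION_DENIED (-2)

struct conn { unsigned int flags; }; /* hypothetical connection object */

static int privileged_reads;         /* how many times the root-side read ran */

/* Stand-in for the daemon reading and parsing the caller-supplied path as root. */
static int privileged_read_xml(const char *path, char *out, size_t len)
{
    privileged_reads++;
    snprintf(out, len, "<domain><!-- parsed from %s --></domain>", path);
    return 0;
}

/* Before: any client, read-only included, reaches the privileged read. */
int get_xml_unchecked(const struct conn *c, const char *path, char *out, size_t len)
{
    (void)c;
    return privileged_read_xml(path, out, len);
}

/* After: the read-only check runs before the path is touched at all. */
int get_xml_checked(const struct conn *c, const char *path, char *out, size_t len)
{
    if (!c || !path || !out || len == 0)
        return ERR_INVALID_ARG;
    out[0] = '\0';                   /* never leave stale data for the caller */
    if (c->flags & CONN_RO)
        return ERR_OPERATION_DENIED;
    return privileged_read_xml(path, out, len);
}

int main(void)
{
    struct conn ro = { CONN_RO }, rw = { 0 };
    char buf[128];
    const char *path = "/constructed/sample/path";   /* constructed sample input */

    printf("unchecked, read-only: %d\n", get_xml_unchecked(&ro, path, buf, sizeof buf));
    printf("checked, read-only:   %d\n", get_xml_checked(&ro, path, buf, sizeof buf));
    printf("checked, read-write:  %d\n", get_xml_checked(&rw, path, buf, sizeof buf));
    printf("privileged reads:     %d\n", privileged_reads);
    return 0;
}
```

The counter makes the ordering visible: a denied call must leave `privileged_reads` unchanged, which is the property worth asserting in a regression test for this class of bug.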