The XML getters for save images and snapshot objects don't check ACLs
for the VIR_DOMAIN_XML_SECURE flag and might possibly dump security sensitive
A remote attacker able to establish a connection to libvirtd
could use this flaw to leak certain limited information from the
domain XML file.
This issue was found by Luyao Huang of Red Hat.
Upstream security notice:
Created libvirt tracking bugs for this issue:
Affects: fedora-all [bug 1185769]
libvirt-184.108.40.206-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
libvirt-220.127.116.11-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:0323 https://rhn.redhat.com/errata/RHSA-2015-0323.html