Regression introduced in commit d6623003 (v0.8.8) - using the wrong sizeof operand meant that security manager private data was overlaying the allowDiskFormatProbing member of struct _virSecurityManager. This reopens disk probing, which was supposed to be prevented by the solution to CVE-2010-2238.

Upstream patch: https://www.redhat.com/archives/libvir-list/2011-May/msg01935.html
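
The bug class described above, as an added example that is not libvirt's code: private data is stored directly after a manager struct, and the accessor computes its offset with sizeof. The struct layout, the function names and the specific sizeof(mgr) versus sizeof(*mgr) mix-up are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a manager object whose driver-private data
 * lives in the same allocation, right after the struct. */
struct manager {
    const void *drv;
    bool allowDiskFormatProbing;
};

static struct manager *manager_new(size_t priv_len, bool allow_probe)
{
    struct manager *mgr = calloc(1, sizeof(*mgr) + priv_len);
    if (mgr)
        mgr->allowDiskFormatProbing = allow_probe;
    return mgr;
}

/* Wrong operand: sizeof(mgr) is the size of a pointer, so the returned
 * address lands inside the struct, on top of the probing flag. */
static void *priv_buggy(struct manager *mgr) { return (char *)mgr + sizeof(mgr); }

/* Correct operand: sizeof(*mgr) skips the whole struct. */
static void *priv_fixed(struct manager *mgr) { return (char *)mgr + sizeof(*mgr); }

/* Create a manager with probing disabled, let a "driver" initialise its
 * private data, and report the flag afterwards (1 = probing enabled). */
static int probe_flag_after_init(int use_buggy, size_t priv_len)
{
    struct manager *mgr = manager_new(priv_len, false);
    if (!mgr)
        return -1;
    void *priv = use_buggy ? priv_buggy(mgr) : priv_fixed(mgr);
    memset(priv, 0x01, priv_len);   /* constructed driver state, all 0x01 */
    int flag = mgr->allowDiskFormatProbing ? 1 : 0;
    free(mgr);
    return flag;
}

int main(void)
{
    printf("buggy accessor: probing=%d\n", probe_flag_after_init(1, sizeof(void *)));
    printf("fixed accessor: probing=%d\n", probe_flag_after_init(0, sizeof(void *)));
    return 0;
}
```

With the wrong operand the write stays inside the allocation, so allocator checks and heap debuggers do not flag it; the only symptom is a configuration flag that silently changes value.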
Created libvirt tracking bugs for this issue

Affects: fedora-15 [bug 709775]
Affects: fedora-rawhide [bug 709777]
Statement: Not vulnerable. This issue did not affect the version of libvirt as shipped with Red Hat Enterprise Linux 5 and 6 as we did not backport upstream commit d6623003.
verify pass on
kernel-2.6.32-156.el6.x86_64
qemu-kvm-0.12.1.2-2.165.el6.x86_64
libvirt-0.9.2-1.el6.x86_64

steps :
1. $ truncate --size=10M bottom.img
   $ qemu-img create -f qcow2 -o backing_file=bottom.img middle.img
   $ qemu-img create -f qcow2 -o backing_file=middle.img top.img
2. setenforce 0
3. prepare a guest and attach second disk with
   <disk type='block' device='disk'>
     <driver name='qemu' type='qcow2'/>
     <source dev='/path/to/top.img'/>
     <target dev='hdb' bus='ide'/>
   </disk>
4. start guest
5. see the bottom.img ownership should be root:root while guest is running