diff options
| author | Daniel P. Berrange <berrange@redhat.com> | 2013-10-10 13:09:08 +0100 |
|---|---|---|
| committer | Daniel P. Berrange <berrange@redhat.com> | 2013-10-21 14:19:05 +0100 |
| commit | 5b2cf134fa292637b53bf89c28f2e88e8ecfdf16 (patch) | |
| tree | 6a497321c4ab301539b1e9c888d187f7d92780e8 | |
| parent | bc116872291690bc18e475d51a65748122ddec44 (diff) | |
| download | libvirt-python-v6-5b2cf134fa292637b53bf89c28f2e88e8ecfdf16.tar.gz libvirt-python-v6-5b2cf134fa292637b53bf89c28f2e88e8ecfdf16.tar.xz libvirt-python-v6-5b2cf134fa292637b53bf89c28f2e88e8ecfdf16.zip | |
Don't link virt-login-shell against libvirt.so (CVE-2013-4400)
The libvirt.so library has far too many library deps to allow
linking against it from setuid programs. Those libraries can
do stuff in __attribute__((constructor) functions which is
not setuid safe.
The virt-login-shell needs to link directly against individual
files that it uses, with all library deps turned off except
for libxml2 and libselinux.
Create a libvirt-setuid-rpc-client.la library which is linked
to by virt-login-shell. A config-post.h file allows this library
to disable all external deps except libselinux and libxml2.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 3e2f27e13b94f7302ad948bcacb5e02c859a25fc)
| -rw-r--r-- | Makefile.am | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am index f327300..c9c2a8b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -20,6 +20,7 @@ INCLUDES = \ $(PYTHON_INCLUDES) \ -I$(top_builddir)/gnulib/lib \ -I$(top_srcdir)/gnulib/lib \ + -I$(top_srcdir) \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -I$(top_srcdir)/src/util \ |