diff options
author | Daniel P. Berrange <berrange@redhat.com> | 2013-10-10 13:09:08 +0100 |
---|---|---|
committer | Daniel P. Berrange <berrange@redhat.com> | 2013-10-21 14:03:52 +0100 |
commit | 15c6588cf5a54b513b254a6e445b3a3e02ad17dd (patch) | |
tree | bc6c8614e3e93a616692612bf09f52027d35be17 | |
parent | 90461df0cad131abf2abb8924360bab9dbc7f54b (diff) | |
download | libvirt-python-v7-15c6588cf5a54b513b254a6e445b3a3e02ad17dd.tar.gz libvirt-python-v7-15c6588cf5a54b513b254a6e445b3a3e02ad17dd.tar.xz libvirt-python-v7-15c6588cf5a54b513b254a6e445b3a3e02ad17dd.zip |
Don't link virt-login-shell against libvirt.so (CVE-2013-4400)
The libvirt.so library has far too many library deps to allow
linking against it from setuid programs. Those libraries can
do stuff in __attribute__((constructor) functions which is
not setuid safe.
The virt-login-shell needs to link directly against individual
files that it uses, with all library deps turned off except
for libxml2 and libselinux.
Create a libvirt-setuid-rpc-client.la library which is linked
to by virt-login-shell. A config-post.h file allows this library
to disable all external deps except libselinux and libxml2.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-rw-r--r-- | Makefile.am | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am index f327300..c9c2a8b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -20,6 +20,7 @@ INCLUDES = \ $(PYTHON_INCLUDES) \ -I$(top_builddir)/gnulib/lib \ -I$(top_srcdir)/gnulib/lib \ + -I$(top_srcdir) \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -I$(top_srcdir)/src/util \ |