Michal Privoznik 2249455654 virdevmapper: Don't use libdevmapper to obtain dependencies
CVE-2020-14339

When building domain's private /dev in a namespace, libdevmapper
is consulted for getting full dependency tree of domain's disks.
The reason is that for multipath devices all dependent devices
must be created in the namespace and allowed in CGroups.

However, this approach is very fragile as building of namespace
happens in the forked off child process, after mass close of FDs
and just before dropping privileges and execing QEMU. And it so
happens that when calling libdevmapper APIs, one of them opens
/dev/mapper/control and saves the FD into a global variable. The
FD is kept open until the lib is unlinked or dm_lib_release() is
called explicitly. We are doing neither.

However, the virDevMapperGetTargets() function is called also
from libvirtd (when setting up CGroups) and thus has to be thread
safe. Unfortunately, libdevmapper APIs are not thread safe (nor
async signal safe) and thus we can't use them. Reimplement what
libdevmapper would do using plain C (ioctl()-s, /proc/devices
parsing, /dev/mapper dirwalking, and so on).

Fixes: a30078cb832646177defd256e77c632905f1e6d0
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1858260

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2020-07-25 11:14:39 +02:00

Libvirt Message Translation

Translation status

Libvirt translatable messages are maintained using the GNU Gettext tools and file formats, in combination with the Fedora Weblate web service.

https://translate.fedoraproject.org/projects/libvirt/libvirt/

Source repository

The libvirt GIT repository stores the master "libvirt.pot" file, which is to be refreshed at the time of feature freeze.

The "po" files stored in GIT have source locations removed in order to cut down on storage size, by eliminating information already present in the "pot" file. All files are stored with strings sorted in alphabetical order rather than source location order, to minimize movement of strings when source locations change.

The "po" files are to be EXCLUSIVELY UPDATED by merge requests sent from the Fedora Weblate service. Other contributors MUST NEVER send changes which touch the "po" file content, as that will create merge conflicts for Weblate. In other words, any bug fixes to translations should be made via the Weblate application UI.

After the "pot" file in libvirt GIT is refreshed, Weblate will automatically run "msgmerge" to update the "po" files itself and send back a merge request with the changes.

Translation updates made in the Weblate Web UI will be committed to its fork of the GIT repo once a day. These commits will be submitted back to the master GIT repo via merge requests. If a merge request from Weblate is already open, commits will be added to this existing merge request. Weblate will take care of rebasing whenever changes happen in Git master. In order to avoid having to do translation merges 30 times a month, merge requests from Weblate will usually be left open until feature freeze arrives. During the freeze period, they will be accepted more promptly to ensure they make it into the new release.