summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2019-09-05 19:52:20 -0700
committerBruce Ashfield <bruce.ashfield@gmail.com>2019-09-09 13:26:51 -0400
commit10ef706f61c4219712ff6b118446fee3ef359c1a (patch)
treea26452a4d2b2149f6734879a73eb7a2f66dc5492
parent2c6f451aa2b954c0cab2052d4f4635618050f648 (diff)
downloadmeta-virtualization-10ef706f61c4219712ff6b118446fee3ef359c1a.tar.gz
libvirt: Five security fixes
Affects <= 4.9.0 This affectively moves sources to tip Fixes the following cves. CVE-2019-10132 CVE-2019-10161 CVE-2019-10166 CVE-2019-10167 CVE-2019-10168 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
-rw-r--r--recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch63
-rw-r--r--recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch55
-rw-r--r--recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch55
-rw-r--r--recipes-extended/libvirt/libvirt/CVE-2019-10161.patch101
-rw-r--r--recipes-extended/libvirt/libvirt/CVE-2019-10166.patch43
-rw-r--r--recipes-extended/libvirt/libvirt/CVE-2019-10167.patch41
-rw-r--r--recipes-extended/libvirt/libvirt/CVE-2019-10168.patch49
-rw-r--r--recipes-extended/libvirt/libvirt_4.9.0.bb7
8 files changed, 414 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch
new file mode 100644
index 00000000..1f958fa1
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch
@@ -0,0 +1,63 @@
1From b0f788c2d3d9930015258a7df95dde80a498e657 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
3Date: Tue, 30 Apr 2019 17:26:13 +0100
4Subject: [PATCH 1/7] admin: reject clients unless their UID matches the
5 current UID
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10The admin protocol RPC messages are only intended for use by the user
11running the daemon. As such they should not be allowed for any client
12UID that does not match the server UID.
13
14Fixes CVE-2019-10132
15
16Reviewed-by: Ján Tomko <jtomko@redhat.com>
17Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
18(cherry picked from commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7)
19
20Upstream-Status: Backport
21CVE: CVE-2019-10132 patch #1
22Signed-off-by: Armin Kuster <akuster@mvista.com>
23
24---
25 src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++
26 1 file changed, 22 insertions(+)
27
28diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c
29index b78ff90..9f25813 100644
30--- a/src/admin/admin_server_dispatch.c
31+++ b/src/admin/admin_server_dispatch.c
32@@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
33 void *opaque)
34 {
35 struct daemonAdmClientPrivate *priv;
36+ uid_t clientuid;
37+ gid_t clientgid;
38+ pid_t clientpid;
39+ unsigned long long timestamp;
40+
41+ if (virNetServerClientGetUNIXIdentity(client,
42+ &clientuid,
43+ &clientgid,
44+ &clientpid,
45+ &timestamp) < 0)
46+ return NULL;
47+
48+ VIR_DEBUG("New client pid %lld uid %lld",
49+ (long long)clientpid,
50+ (long long)clientuid);
51+
52+ if (geteuid() != clientuid) {
53+ virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
54+ (long long)clientpid,
55+ (long long)clientuid);
56+ return NULL;
57+ }
58
59 if (VIR_ALLOC(priv) < 0)
60 return NULL;
61--
622.7.4
63
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch
new file mode 100644
index 00000000..2fffe14d
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch
@@ -0,0 +1,55 @@
1From ea014c9fcf19539c75a7cb6926b14858426746a7 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
3Date: Tue, 30 Apr 2019 16:51:37 +0100
4Subject: [PATCH 2/7] locking: restrict sockets to mode 0600
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9The virtlockd daemon's only intended client is the libvirtd daemon. As
10such it should never allow clients from other user accounts to connect.
11The code already enforces this and drops clients from other UIDs, but
12we can get earlier (and thus stronger) protection against DoS by setting
13the socket permissions to 0600
14
15Fixes CVE-2019-10132
16
17Reviewed-by: Ján Tomko <jtomko@redhat.com>
18Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
19(cherry picked from commit f111e09468693909b1f067aa575efdafd9a262a1)
20
21Upstream-Status: Backport
22CVE: CVE-2019-10132 patch #2
23Signed-off-by: Armin Kuster <akuster@mvista.com>
24---
25 src/locking/virtlockd-admin.socket.in | 1 +
26 src/locking/virtlockd.socket.in | 1 +
27 2 files changed, 2 insertions(+)
28
29diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in
30index 2a7500f..f674c49 100644
31--- a/src/locking/virtlockd-admin.socket.in
32+++ b/src/locking/virtlockd-admin.socket.in
33@@ -5,6 +5,7 @@ Before=libvirtd.service
34 [Socket]
35 ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
36 Service=virtlockd.service
37+SocketMode=0600
38
39 [Install]
40 WantedBy=sockets.target
41diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in
42index 45e0f20..d701b27 100644
43--- a/src/locking/virtlockd.socket.in
44+++ b/src/locking/virtlockd.socket.in
45@@ -4,6 +4,7 @@ Before=libvirtd.service
46
47 [Socket]
48 ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
49+SocketMode=0600
50
51 [Install]
52 WantedBy=sockets.target
53--
542.7.4
55
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch
new file mode 100644
index 00000000..0cb00053
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch
@@ -0,0 +1,55 @@
1From a474f18dceed61d562508980999e5f2d7445d683 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
3Date: Tue, 30 Apr 2019 17:27:41 +0100
4Subject: [PATCH 3/7] logging: restrict sockets to mode 0600
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9The virtlogd daemon's only intended client is the libvirtd daemon. As
10such it should never allow clients from other user accounts to connect.
11The code already enforces this and drops clients from other UIDs, but
12we can get earlier (and thus stronger) protection against DoS by setting
13the socket permissions to 0600
14
15Fixes CVE-2019-10132
16
17Reviewed-by: Ján Tomko <jtomko@redhat.com>
18Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
19(cherry picked from commit e37bd65f9948c1185456b2cdaa3bd6e875af680f)
20
21Upstream-Status: Backport
22CVE: CVE-2019-10132 patch #3
23Signed-off-by: Armin Kuster <akuster@mvista.com>
24---
25 src/logging/virtlogd-admin.socket.in | 1 +
26 src/logging/virtlogd.socket.in | 1 +
27 2 files changed, 2 insertions(+)
28
29diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in
30index 595e6c4..5c41dfe 100644
31--- a/src/logging/virtlogd-admin.socket.in
32+++ b/src/logging/virtlogd-admin.socket.in
33@@ -5,6 +5,7 @@ Before=libvirtd.service
34 [Socket]
35 ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
36 Service=virtlogd.service
37+SocketMode=0600
38
39 [Install]
40 WantedBy=sockets.target
41diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in
42index 22b9360..ae48cda 100644
43--- a/src/logging/virtlogd.socket.in
44+++ b/src/logging/virtlogd.socket.in
45@@ -4,6 +4,7 @@ Before=libvirtd.service
46
47 [Socket]
48 ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
49+SocketMode=0600
50
51 [Install]
52 WantedBy=sockets.target
53--
542.7.4
55
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch
new file mode 100644
index 00000000..72e69a81
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch
@@ -0,0 +1,101 @@
1From 568c735d7b0ccb55f9476c86f8603eb3a5c9fc5c Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
3Date: Fri, 14 Jun 2019 08:47:42 +0200
4Subject: [PATCH 4/7] api: disallow virDomainSaveImageGetXMLDesc on read-only
5 connections
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10The virDomainSaveImageGetXMLDesc API is taking a path parameter,
11which can point to any path on the system. This file will then be
12read and parsed by libvirtd running with root privileges.
13
14Forbid it on read-only connections.
15
16Fixes: CVE-2019-10161
17Reported-by: Matthias Gerstner <mgerstner@suse.de>
18Signed-off-by: Ján Tomko <jtomko@redhat.com>
19Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
20(cherry picked from commit aed6a032cead4386472afb24b16196579e239580)
21Signed-off-by: Ján Tomko <jtomko@redhat.com>
22
23Conflicts:
24 src/libvirt-domain.c
25 src/remote/remote_protocol.x
26
27Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
28alias for VIR_DOMAIN_XML_SECURE is not backported.
29Just skip the commit since we now disallow the whole API on read-only
30connections, regardless of the flag.
31
32Signed-off-by: Ján Tomko <jtomko@redhat.com>
33
34Upstream-Status: Backport
35CVE: CVE-2019-19161
36Signed-off-by: Armin Kuster <akuster@mvista.com>
37---
38 src/libvirt-domain.c | 11 ++---------
39 src/qemu/qemu_driver.c | 2 +-
40 src/remote/remote_protocol.x | 3 +--
41 3 files changed, 4 insertions(+), 12 deletions(-)
42
43diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
44index 7690339..c188239 100644
45--- a/src/libvirt-domain.c
46+++ b/src/libvirt-domain.c
47@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
48 * previously by virDomainSave() or virDomainSaveFlags().
49 *
50 * No security-sensitive data will be included unless @flags contains
51- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
52- * connections. For this API, @flags should not contain either
53- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
54+ * VIR_DOMAIN_XML_SECURE.
55 *
56 * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
57 * error. The caller must free() the returned value.
58@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
59
60 virCheckConnectReturn(conn, NULL);
61 virCheckNonNullArgGoto(file, error);
62-
63- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
64- virReportError(VIR_ERR_OPERATION_DENIED, "%s",
65- _("virDomainSaveImageGetXMLDesc with secure flag"));
66- goto error;
67- }
68+ virCheckReadOnlyGoto(conn->flags, error);
69
70 if (conn->driver->domainSaveImageGetXMLDesc) {
71 char *ret;
72diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
73index a52e249..f7656e5 100644
74--- a/src/qemu/qemu_driver.c
75+++ b/src/qemu/qemu_driver.c
76@@ -6798,7 +6798,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
77 if (fd < 0)
78 goto cleanup;
79
80- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
81+ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
82 goto cleanup;
83
84 ret = qemuDomainDefFormatXML(driver, def, flags);
85diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
86index 28c8feb..52b9233 100644
87--- a/src/remote/remote_protocol.x
88+++ b/src/remote/remote_protocol.x
89@@ -5226,8 +5226,7 @@ enum remote_procedure {
90 /**
91 * @generate: both
92 * @priority: high
93- * @acl: domain:read
94- * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
95+ * @acl: domain:write
96 */
97 REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
98
99--
1002.7.4
101
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch
new file mode 100644
index 00000000..6305ffd5
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch
@@ -0,0 +1,43 @@
1From 0a744e15517d727c7f473fabe32ca6b0dbb7b7d1 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
3Date: Fri, 14 Jun 2019 09:14:53 +0200
4Subject: [PATCH 5/7] api: disallow virDomainManagedSaveDefineXML on read-only
5 connections
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10The virDomainManagedSaveDefineXML can be used to alter the domain's
11config used for managedsave or even execute arbitrary emulator binaries.
12Forbid it on read-only connections.
13
14Fixes: CVE-2019-10166
15Reported-by: Matthias Gerstner <mgerstner@suse.de>
16Signed-off-by: Ján Tomko <jtomko@redhat.com>
17Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
18(cherry picked from commit db0b78457f183e4c7ac45bc94de86044a1e2056a)
19Signed-off-by: Ján Tomko <jtomko@redhat.com>
20
21Upstream-Status: Backport
22CVE: CVE-2019-19166
23Signed-off-by: Armin Kuster <akuster@mvista.com>
24
25---
26 src/libvirt-domain.c | 1 +
27 1 file changed, 1 insertion(+)
28
29diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
30index c188239..d8b64c0 100644
31--- a/src/libvirt-domain.c
32+++ b/src/libvirt-domain.c
33@@ -9490,6 +9490,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml,
34
35 virCheckDomainReturn(domain, -1);
36 conn = domain->conn;
37+ virCheckReadOnlyGoto(conn->flags, error);
38
39 if (conn->driver->domainManagedSaveDefineXML) {
40 int ret;
41--
422.7.4
43
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch
new file mode 100644
index 00000000..abca309f
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch
@@ -0,0 +1,41 @@
1From 6452b9fdff7988024a6157ca0a973ac3abf54468 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
3Date: Fri, 14 Jun 2019 09:16:14 +0200
4Subject: [PATCH 6/7] api: disallow virConnectGetDomainCapabilities on
5 read-only connections
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This API can be used to execute arbitrary emulators.
11Forbid it on read-only connections.
12
13Fixes: CVE-2019-10167
14Signed-off-by: Ján Tomko <jtomko@redhat.com>
15Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
16(cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26)
17Signed-off-by: Ján Tomko <jtomko@redhat.com>
18
19Upstream-Status: Backport
20CVE: CVE-2019-19167
21Signed-off-by: Armin Kuster <akuster@mvista.com>
22
23---
24 src/libvirt-domain.c | 1 +
25 1 file changed, 1 insertion(+)
26
27diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
28index d8b64c0..1e1c4e3 100644
29--- a/src/libvirt-domain.c
30+++ b/src/libvirt-domain.c
31@@ -11282,6 +11282,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
32 virResetLastError();
33
34 virCheckConnectReturn(conn, NULL);
35+ virCheckReadOnlyGoto(conn->flags, error);
36
37 if (conn->driver->connectGetDomainCapabilities) {
38 char *ret;
39--
402.7.4
41
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch
new file mode 100644
index 00000000..2211238a
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch
@@ -0,0 +1,49 @@
1From dd88b69a207c1ed6e89d7e9fa6b5f4a9ec4db97c Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
3Date: Fri, 14 Jun 2019 09:17:39 +0200
4Subject: [PATCH 7/7] api: disallow virConnect*HypervisorCPU on read-only
5 connections
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10These APIs can be used to execute arbitrary emulators.
11Forbid them on read-only connections.
12
13Fixes: CVE-2019-10168
14Signed-off-by: Ján Tomko <jtomko@redhat.com>
15Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
16(cherry picked from commit bf6c2830b6c338b1f5699b095df36f374777b291)
17Signed-off-by: Ján Tomko <jtomko@redhat.com>
18
19Upstream-Status: Backport
20CVE: CVE-2019-19168
21Signed-off-by: Armin Kuster <akuster@mvista.com>
22
23---
24 src/libvirt-host.c | 2 ++
25 1 file changed, 2 insertions(+)
26
27diff --git a/src/libvirt-host.c b/src/libvirt-host.c
28index e20d6ee..2978825 100644
29--- a/src/libvirt-host.c
30+++ b/src/libvirt-host.c
31@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn,
32
33 virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
34 virCheckNonNullArgGoto(xmlCPU, error);
35+ virCheckReadOnlyGoto(conn->flags, error);
36
37 if (conn->driver->connectCompareHypervisorCPU) {
38 int ret;
39@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn,
40
41 virCheckConnectReturn(conn, NULL);
42 virCheckNonNullArgGoto(xmlCPUs, error);
43+ virCheckReadOnlyGoto(conn->flags, error);
44
45 if (conn->driver->connectBaselineHypervisorCPU) {
46 char *cpu;
47--
482.7.4
49
diff --git a/recipes-extended/libvirt/libvirt_4.9.0.bb b/recipes-extended/libvirt/libvirt_4.9.0.bb
index 813d95ec..db5a4f93 100644
--- a/recipes-extended/libvirt/libvirt_4.9.0.bb
+++ b/recipes-extended/libvirt/libvirt_4.9.0.bb
@@ -36,6 +36,13 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
36 file://0001-ptest-Remove-Windows-1252-check-from-esxutilstest.patch \ 36 file://0001-ptest-Remove-Windows-1252-check-from-esxutilstest.patch \
37 file://configure.ac-search-for-rpc-rpc.h-in-the-sysroot.patch \ 37 file://configure.ac-search-for-rpc-rpc.h-in-the-sysroot.patch \
38 file://hook_support.py \ 38 file://hook_support.py \
39 file://CVE-2019-10132_p1.patch \
40 file://CVE-2019-10132_p2.patch \
41 file://CVE-2019-10132_p3.patch \
42 file://CVE-2019-10161.patch \
43 file://CVE-2019-10166.patch \
44 file://CVE-2019-10167.patch \
45 file://CVE-2019-10168.patch \
39 " 46 "
40 47
41SRC_URI[libvirt.md5sum] = "aaf7b265ac2013d6eb184a86b5f7eeb9" 48SRC_URI[libvirt.md5sum] = "aaf7b265ac2013d6eb184a86b5f7eeb9"