diff options
| author | Armin Kuster <akuster@mvista.com> | 2019-09-05 19:52:20 -0700 |
|---|---|---|
| committer | Bruce Ashfield <bruce.ashfield@gmail.com> | 2019-09-09 13:26:51 -0400 |
| commit | 10ef706f61c4219712ff6b118446fee3ef359c1a (patch) | |
| tree | a26452a4d2b2149f6734879a73eb7a2f66dc5492 | |
| parent | 2c6f451aa2b954c0cab2052d4f4635618050f648 (diff) | |
| download | meta-virtualization-10ef706f61c4219712ff6b118446fee3ef359c1a.tar.gz | |
libvirt: Five security fixes
Affects <= 4.9.0
This affectively moves sources to tip
Fixes the following cves.
CVE-2019-10132
CVE-2019-10161
CVE-2019-10166
CVE-2019-10167
CVE-2019-10168
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
8 files changed, 414 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch new file mode 100644 index 00000000..1f958fa1 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch | |||
| @@ -0,0 +1,63 @@ | |||
| 1 | From b0f788c2d3d9930015258a7df95dde80a498e657 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> | ||
| 3 | Date: Tue, 30 Apr 2019 17:26:13 +0100 | ||
| 4 | Subject: [PATCH 1/7] admin: reject clients unless their UID matches the | ||
| 5 | current UID | ||
| 6 | MIME-Version: 1.0 | ||
| 7 | Content-Type: text/plain; charset=UTF-8 | ||
| 8 | Content-Transfer-Encoding: 8bit | ||
| 9 | |||
| 10 | The admin protocol RPC messages are only intended for use by the user | ||
| 11 | running the daemon. As such they should not be allowed for any client | ||
| 12 | UID that does not match the server UID. | ||
| 13 | |||
| 14 | Fixes CVE-2019-10132 | ||
| 15 | |||
| 16 | Reviewed-by: Ján Tomko <jtomko@redhat.com> | ||
| 17 | Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> | ||
| 18 | (cherry picked from commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7) | ||
| 19 | |||
| 20 | Upstream-Status: Backport | ||
| 21 | CVE: CVE-2019-10132 patch #1 | ||
| 22 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 23 | |||
| 24 | --- | ||
| 25 | src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++ | ||
| 26 | 1 file changed, 22 insertions(+) | ||
| 27 | |||
| 28 | diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c | ||
| 29 | index b78ff90..9f25813 100644 | ||
| 30 | --- a/src/admin/admin_server_dispatch.c | ||
| 31 | +++ b/src/admin/admin_server_dispatch.c | ||
| 32 | @@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED, | ||
| 33 | void *opaque) | ||
| 34 | { | ||
| 35 | struct daemonAdmClientPrivate *priv; | ||
| 36 | + uid_t clientuid; | ||
| 37 | + gid_t clientgid; | ||
| 38 | + pid_t clientpid; | ||
| 39 | + unsigned long long timestamp; | ||
| 40 | + | ||
| 41 | + if (virNetServerClientGetUNIXIdentity(client, | ||
| 42 | + &clientuid, | ||
| 43 | + &clientgid, | ||
| 44 | + &clientpid, | ||
| 45 | + ×tamp) < 0) | ||
| 46 | + return NULL; | ||
| 47 | + | ||
| 48 | + VIR_DEBUG("New client pid %lld uid %lld", | ||
| 49 | + (long long)clientpid, | ||
| 50 | + (long long)clientuid); | ||
| 51 | + | ||
| 52 | + if (geteuid() != clientuid) { | ||
| 53 | + virReportRestrictedError(_("Disallowing client %lld with uid %lld"), | ||
| 54 | + (long long)clientpid, | ||
| 55 | + (long long)clientuid); | ||
| 56 | + return NULL; | ||
| 57 | + } | ||
| 58 | |||
| 59 | if (VIR_ALLOC(priv) < 0) | ||
| 60 | return NULL; | ||
| 61 | -- | ||
| 62 | 2.7.4 | ||
| 63 | |||
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch new file mode 100644 index 00000000..2fffe14d --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch | |||
| @@ -0,0 +1,55 @@ | |||
| 1 | From ea014c9fcf19539c75a7cb6926b14858426746a7 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> | ||
| 3 | Date: Tue, 30 Apr 2019 16:51:37 +0100 | ||
| 4 | Subject: [PATCH 2/7] locking: restrict sockets to mode 0600 | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=UTF-8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | The virtlockd daemon's only intended client is the libvirtd daemon. As | ||
| 10 | such it should never allow clients from other user accounts to connect. | ||
| 11 | The code already enforces this and drops clients from other UIDs, but | ||
| 12 | we can get earlier (and thus stronger) protection against DoS by setting | ||
| 13 | the socket permissions to 0600 | ||
| 14 | |||
| 15 | Fixes CVE-2019-10132 | ||
| 16 | |||
| 17 | Reviewed-by: Ján Tomko <jtomko@redhat.com> | ||
| 18 | Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> | ||
| 19 | (cherry picked from commit f111e09468693909b1f067aa575efdafd9a262a1) | ||
| 20 | |||
| 21 | Upstream-Status: Backport | ||
| 22 | CVE: CVE-2019-10132 patch #2 | ||
| 23 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 24 | --- | ||
| 25 | src/locking/virtlockd-admin.socket.in | 1 + | ||
| 26 | src/locking/virtlockd.socket.in | 1 + | ||
| 27 | 2 files changed, 2 insertions(+) | ||
| 28 | |||
| 29 | diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in | ||
| 30 | index 2a7500f..f674c49 100644 | ||
| 31 | --- a/src/locking/virtlockd-admin.socket.in | ||
| 32 | +++ b/src/locking/virtlockd-admin.socket.in | ||
| 33 | @@ -5,6 +5,7 @@ Before=libvirtd.service | ||
| 34 | [Socket] | ||
| 35 | ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock | ||
| 36 | Service=virtlockd.service | ||
| 37 | +SocketMode=0600 | ||
| 38 | |||
| 39 | [Install] | ||
| 40 | WantedBy=sockets.target | ||
| 41 | diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in | ||
| 42 | index 45e0f20..d701b27 100644 | ||
| 43 | --- a/src/locking/virtlockd.socket.in | ||
| 44 | +++ b/src/locking/virtlockd.socket.in | ||
| 45 | @@ -4,6 +4,7 @@ Before=libvirtd.service | ||
| 46 | |||
| 47 | [Socket] | ||
| 48 | ListenStream=@localstatedir@/run/libvirt/virtlockd-sock | ||
| 49 | +SocketMode=0600 | ||
| 50 | |||
| 51 | [Install] | ||
| 52 | WantedBy=sockets.target | ||
| 53 | -- | ||
| 54 | 2.7.4 | ||
| 55 | |||
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch new file mode 100644 index 00000000..0cb00053 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch | |||
| @@ -0,0 +1,55 @@ | |||
| 1 | From a474f18dceed61d562508980999e5f2d7445d683 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> | ||
| 3 | Date: Tue, 30 Apr 2019 17:27:41 +0100 | ||
| 4 | Subject: [PATCH 3/7] logging: restrict sockets to mode 0600 | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=UTF-8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | The virtlogd daemon's only intended client is the libvirtd daemon. As | ||
| 10 | such it should never allow clients from other user accounts to connect. | ||
| 11 | The code already enforces this and drops clients from other UIDs, but | ||
| 12 | we can get earlier (and thus stronger) protection against DoS by setting | ||
| 13 | the socket permissions to 0600 | ||
| 14 | |||
| 15 | Fixes CVE-2019-10132 | ||
| 16 | |||
| 17 | Reviewed-by: Ján Tomko <jtomko@redhat.com> | ||
| 18 | Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> | ||
| 19 | (cherry picked from commit e37bd65f9948c1185456b2cdaa3bd6e875af680f) | ||
| 20 | |||
| 21 | Upstream-Status: Backport | ||
| 22 | CVE: CVE-2019-10132 patch #3 | ||
| 23 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 24 | --- | ||
| 25 | src/logging/virtlogd-admin.socket.in | 1 + | ||
| 26 | src/logging/virtlogd.socket.in | 1 + | ||
| 27 | 2 files changed, 2 insertions(+) | ||
| 28 | |||
| 29 | diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in | ||
| 30 | index 595e6c4..5c41dfe 100644 | ||
| 31 | --- a/src/logging/virtlogd-admin.socket.in | ||
| 32 | +++ b/src/logging/virtlogd-admin.socket.in | ||
| 33 | @@ -5,6 +5,7 @@ Before=libvirtd.service | ||
| 34 | [Socket] | ||
| 35 | ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock | ||
| 36 | Service=virtlogd.service | ||
| 37 | +SocketMode=0600 | ||
| 38 | |||
| 39 | [Install] | ||
| 40 | WantedBy=sockets.target | ||
| 41 | diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in | ||
| 42 | index 22b9360..ae48cda 100644 | ||
| 43 | --- a/src/logging/virtlogd.socket.in | ||
| 44 | +++ b/src/logging/virtlogd.socket.in | ||
| 45 | @@ -4,6 +4,7 @@ Before=libvirtd.service | ||
| 46 | |||
| 47 | [Socket] | ||
| 48 | ListenStream=@localstatedir@/run/libvirt/virtlogd-sock | ||
| 49 | +SocketMode=0600 | ||
| 50 | |||
| 51 | [Install] | ||
| 52 | WantedBy=sockets.target | ||
| 53 | -- | ||
| 54 | 2.7.4 | ||
| 55 | |||
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch new file mode 100644 index 00000000..72e69a81 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch | |||
| @@ -0,0 +1,101 @@ | |||
| 1 | From 568c735d7b0ccb55f9476c86f8603eb3a5c9fc5c Mon Sep 17 00:00:00 2001 | ||
| 2 | From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> | ||
| 3 | Date: Fri, 14 Jun 2019 08:47:42 +0200 | ||
| 4 | Subject: [PATCH 4/7] api: disallow virDomainSaveImageGetXMLDesc on read-only | ||
| 5 | connections | ||
| 6 | MIME-Version: 1.0 | ||
| 7 | Content-Type: text/plain; charset=UTF-8 | ||
| 8 | Content-Transfer-Encoding: 8bit | ||
| 9 | |||
| 10 | The virDomainSaveImageGetXMLDesc API is taking a path parameter, | ||
| 11 | which can point to any path on the system. This file will then be | ||
| 12 | read and parsed by libvirtd running with root privileges. | ||
| 13 | |||
| 14 | Forbid it on read-only connections. | ||
| 15 | |||
| 16 | Fixes: CVE-2019-10161 | ||
| 17 | Reported-by: Matthias Gerstner <mgerstner@suse.de> | ||
| 18 | Signed-off-by: Ján Tomko <jtomko@redhat.com> | ||
| 19 | Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> | ||
| 20 | (cherry picked from commit aed6a032cead4386472afb24b16196579e239580) | ||
| 21 | Signed-off-by: Ján Tomko <jtomko@redhat.com> | ||
| 22 | |||
| 23 | Conflicts: | ||
| 24 | src/libvirt-domain.c | ||
| 25 | src/remote/remote_protocol.x | ||
| 26 | |||
| 27 | Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE | ||
| 28 | alias for VIR_DOMAIN_XML_SECURE is not backported. | ||
| 29 | Just skip the commit since we now disallow the whole API on read-only | ||
| 30 | connections, regardless of the flag. | ||
| 31 | |||
| 32 | Signed-off-by: Ján Tomko <jtomko@redhat.com> | ||
| 33 | |||
| 34 | Upstream-Status: Backport | ||
| 35 | CVE: CVE-2019-19161 | ||
| 36 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 37 | --- | ||
| 38 | src/libvirt-domain.c | 11 ++--------- | ||
| 39 | src/qemu/qemu_driver.c | 2 +- | ||
| 40 | src/remote/remote_protocol.x | 3 +-- | ||
| 41 | 3 files changed, 4 insertions(+), 12 deletions(-) | ||
| 42 | |||
| 43 | diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c | ||
| 44 | index 7690339..c188239 100644 | ||
| 45 | --- a/src/libvirt-domain.c | ||
| 46 | +++ b/src/libvirt-domain.c | ||
| 47 | @@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml, | ||
| 48 | * previously by virDomainSave() or virDomainSaveFlags(). | ||
| 49 | * | ||
| 50 | * No security-sensitive data will be included unless @flags contains | ||
| 51 | - * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only | ||
| 52 | - * connections. For this API, @flags should not contain either | ||
| 53 | - * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU. | ||
| 54 | + * VIR_DOMAIN_XML_SECURE. | ||
| 55 | * | ||
| 56 | * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of | ||
| 57 | * error. The caller must free() the returned value. | ||
| 58 | @@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file, | ||
| 59 | |||
| 60 | virCheckConnectReturn(conn, NULL); | ||
| 61 | virCheckNonNullArgGoto(file, error); | ||
| 62 | - | ||
| 63 | - if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) { | ||
| 64 | - virReportError(VIR_ERR_OPERATION_DENIED, "%s", | ||
| 65 | - _("virDomainSaveImageGetXMLDesc with secure flag")); | ||
| 66 | - goto error; | ||
| 67 | - } | ||
| 68 | + virCheckReadOnlyGoto(conn->flags, error); | ||
| 69 | |||
| 70 | if (conn->driver->domainSaveImageGetXMLDesc) { | ||
| 71 | char *ret; | ||
| 72 | diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c | ||
| 73 | index a52e249..f7656e5 100644 | ||
| 74 | --- a/src/qemu/qemu_driver.c | ||
| 75 | +++ b/src/qemu/qemu_driver.c | ||
| 76 | @@ -6798,7 +6798,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path, | ||
| 77 | if (fd < 0) | ||
| 78 | goto cleanup; | ||
| 79 | |||
| 80 | - if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0) | ||
| 81 | + if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) | ||
| 82 | goto cleanup; | ||
| 83 | |||
| 84 | ret = qemuDomainDefFormatXML(driver, def, flags); | ||
| 85 | diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x | ||
| 86 | index 28c8feb..52b9233 100644 | ||
| 87 | --- a/src/remote/remote_protocol.x | ||
| 88 | +++ b/src/remote/remote_protocol.x | ||
| 89 | @@ -5226,8 +5226,7 @@ enum remote_procedure { | ||
| 90 | /** | ||
| 91 | * @generate: both | ||
| 92 | * @priority: high | ||
| 93 | - * @acl: domain:read | ||
| 94 | - * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE | ||
| 95 | + * @acl: domain:write | ||
| 96 | */ | ||
| 97 | REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235, | ||
| 98 | |||
| 99 | -- | ||
| 100 | 2.7.4 | ||
| 101 | |||
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch new file mode 100644 index 00000000..6305ffd5 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch | |||
| @@ -0,0 +1,43 @@ | |||
| 1 | From 0a744e15517d727c7f473fabe32ca6b0dbb7b7d1 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> | ||
| 3 | Date: Fri, 14 Jun 2019 09:14:53 +0200 | ||
| 4 | Subject: [PATCH 5/7] api: disallow virDomainManagedSaveDefineXML on read-only | ||
| 5 | connections | ||
| 6 | MIME-Version: 1.0 | ||
| 7 | Content-Type: text/plain; charset=UTF-8 | ||
| 8 | Content-Transfer-Encoding: 8bit | ||
| 9 | |||
| 10 | The virDomainManagedSaveDefineXML can be used to alter the domain's | ||
| 11 | config used for managedsave or even execute arbitrary emulator binaries. | ||
| 12 | Forbid it on read-only connections. | ||
| 13 | |||
| 14 | Fixes: CVE-2019-10166 | ||
| 15 | Reported-by: Matthias Gerstner <mgerstner@suse.de> | ||
| 16 | Signed-off-by: Ján Tomko <jtomko@redhat.com> | ||
| 17 | Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> | ||
| 18 | (cherry picked from commit db0b78457f183e4c7ac45bc94de86044a1e2056a) | ||
| 19 | Signed-off-by: Ján Tomko <jtomko@redhat.com> | ||
| 20 | |||
| 21 | Upstream-Status: Backport | ||
| 22 | CVE: CVE-2019-19166 | ||
| 23 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 24 | |||
| 25 | --- | ||
| 26 | src/libvirt-domain.c | 1 + | ||
| 27 | 1 file changed, 1 insertion(+) | ||
| 28 | |||
| 29 | diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c | ||
| 30 | index c188239..d8b64c0 100644 | ||
| 31 | --- a/src/libvirt-domain.c | ||
| 32 | +++ b/src/libvirt-domain.c | ||
| 33 | @@ -9490,6 +9490,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml, | ||
| 34 | |||
| 35 | virCheckDomainReturn(domain, -1); | ||
| 36 | conn = domain->conn; | ||
| 37 | + virCheckReadOnlyGoto(conn->flags, error); | ||
| 38 | |||
| 39 | if (conn->driver->domainManagedSaveDefineXML) { | ||
| 40 | int ret; | ||
| 41 | -- | ||
| 42 | 2.7.4 | ||
| 43 | |||
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch new file mode 100644 index 00000000..abca309f --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch | |||
| @@ -0,0 +1,41 @@ | |||
| 1 | From 6452b9fdff7988024a6157ca0a973ac3abf54468 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> | ||
| 3 | Date: Fri, 14 Jun 2019 09:16:14 +0200 | ||
| 4 | Subject: [PATCH 6/7] api: disallow virConnectGetDomainCapabilities on | ||
| 5 | read-only connections | ||
| 6 | MIME-Version: 1.0 | ||
| 7 | Content-Type: text/plain; charset=UTF-8 | ||
| 8 | Content-Transfer-Encoding: 8bit | ||
| 9 | |||
| 10 | This API can be used to execute arbitrary emulators. | ||
| 11 | Forbid it on read-only connections. | ||
| 12 | |||
| 13 | Fixes: CVE-2019-10167 | ||
| 14 | Signed-off-by: Ján Tomko <jtomko@redhat.com> | ||
| 15 | Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> | ||
| 16 | (cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26) | ||
| 17 | Signed-off-by: Ján Tomko <jtomko@redhat.com> | ||
| 18 | |||
| 19 | Upstream-Status: Backport | ||
| 20 | CVE: CVE-2019-19167 | ||
| 21 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 22 | |||
| 23 | --- | ||
| 24 | src/libvirt-domain.c | 1 + | ||
| 25 | 1 file changed, 1 insertion(+) | ||
| 26 | |||
| 27 | diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c | ||
| 28 | index d8b64c0..1e1c4e3 100644 | ||
| 29 | --- a/src/libvirt-domain.c | ||
| 30 | +++ b/src/libvirt-domain.c | ||
| 31 | @@ -11282,6 +11282,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn, | ||
| 32 | virResetLastError(); | ||
| 33 | |||
| 34 | virCheckConnectReturn(conn, NULL); | ||
| 35 | + virCheckReadOnlyGoto(conn->flags, error); | ||
| 36 | |||
| 37 | if (conn->driver->connectGetDomainCapabilities) { | ||
| 38 | char *ret; | ||
| 39 | -- | ||
| 40 | 2.7.4 | ||
| 41 | |||
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch new file mode 100644 index 00000000..2211238a --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch | |||
| @@ -0,0 +1,49 @@ | |||
| 1 | From dd88b69a207c1ed6e89d7e9fa6b5f4a9ec4db97c Mon Sep 17 00:00:00 2001 | ||
| 2 | From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> | ||
| 3 | Date: Fri, 14 Jun 2019 09:17:39 +0200 | ||
| 4 | Subject: [PATCH 7/7] api: disallow virConnect*HypervisorCPU on read-only | ||
| 5 | connections | ||
| 6 | MIME-Version: 1.0 | ||
| 7 | Content-Type: text/plain; charset=UTF-8 | ||
| 8 | Content-Transfer-Encoding: 8bit | ||
| 9 | |||
| 10 | These APIs can be used to execute arbitrary emulators. | ||
| 11 | Forbid them on read-only connections. | ||
| 12 | |||
| 13 | Fixes: CVE-2019-10168 | ||
| 14 | Signed-off-by: Ján Tomko <jtomko@redhat.com> | ||
| 15 | Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> | ||
| 16 | (cherry picked from commit bf6c2830b6c338b1f5699b095df36f374777b291) | ||
| 17 | Signed-off-by: Ján Tomko <jtomko@redhat.com> | ||
| 18 | |||
| 19 | Upstream-Status: Backport | ||
| 20 | CVE: CVE-2019-19168 | ||
| 21 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 22 | |||
| 23 | --- | ||
| 24 | src/libvirt-host.c | 2 ++ | ||
| 25 | 1 file changed, 2 insertions(+) | ||
| 26 | |||
| 27 | diff --git a/src/libvirt-host.c b/src/libvirt-host.c | ||
| 28 | index e20d6ee..2978825 100644 | ||
| 29 | --- a/src/libvirt-host.c | ||
| 30 | +++ b/src/libvirt-host.c | ||
| 31 | @@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn, | ||
| 32 | |||
| 33 | virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR); | ||
| 34 | virCheckNonNullArgGoto(xmlCPU, error); | ||
| 35 | + virCheckReadOnlyGoto(conn->flags, error); | ||
| 36 | |||
| 37 | if (conn->driver->connectCompareHypervisorCPU) { | ||
| 38 | int ret; | ||
| 39 | @@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn, | ||
| 40 | |||
| 41 | virCheckConnectReturn(conn, NULL); | ||
| 42 | virCheckNonNullArgGoto(xmlCPUs, error); | ||
| 43 | + virCheckReadOnlyGoto(conn->flags, error); | ||
| 44 | |||
| 45 | if (conn->driver->connectBaselineHypervisorCPU) { | ||
| 46 | char *cpu; | ||
| 47 | -- | ||
| 48 | 2.7.4 | ||
| 49 | |||
diff --git a/recipes-extended/libvirt/libvirt_4.9.0.bb b/recipes-extended/libvirt/libvirt_4.9.0.bb index 813d95ec..db5a4f93 100644 --- a/recipes-extended/libvirt/libvirt_4.9.0.bb +++ b/recipes-extended/libvirt/libvirt_4.9.0.bb | |||
| @@ -36,6 +36,13 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \ | |||
| 36 | file://0001-ptest-Remove-Windows-1252-check-from-esxutilstest.patch \ | 36 | file://0001-ptest-Remove-Windows-1252-check-from-esxutilstest.patch \ |
| 37 | file://configure.ac-search-for-rpc-rpc.h-in-the-sysroot.patch \ | 37 | file://configure.ac-search-for-rpc-rpc.h-in-the-sysroot.patch \ |
| 38 | file://hook_support.py \ | 38 | file://hook_support.py \ |
| 39 | file://CVE-2019-10132_p1.patch \ | ||
| 40 | file://CVE-2019-10132_p2.patch \ | ||
| 41 | file://CVE-2019-10132_p3.patch \ | ||
| 42 | file://CVE-2019-10161.patch \ | ||
| 43 | file://CVE-2019-10166.patch \ | ||
| 44 | file://CVE-2019-10167.patch \ | ||
| 45 | file://CVE-2019-10168.patch \ | ||
| 39 | " | 46 | " |
| 40 | 47 | ||
| 41 | SRC_URI[libvirt.md5sum] = "aaf7b265ac2013d6eb184a86b5f7eeb9" | 48 | SRC_URI[libvirt.md5sum] = "aaf7b265ac2013d6eb184a86b5f7eeb9" |
