From de0a027209822ec012e9a22eefdb5ada96a72b36 Mon Sep 17 00:00:00 2001
Message-Id: <de0a027209822ec012e9a22eefdb5ada96a72b36@dist-git>
From: Eric Blake <eblake@redhat.com>
Date: Thu, 6 Nov 2014 09:42:24 +0100
Subject: [PATCH] CVE-2014-7823: dumpxml: security hole with migratable flag
|
Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
the qemu implementation of virDomainGetXMLDesc, the use of the
flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
prior to calling qemuDomainFormatXML. However, the use of
VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
clients only. This patch treats the migratable flag as requiring
the same permissions, rather than analyzing what might break if
migratable xml no longer includes secret information.
|
Fortunately, the information leak is low-risk: all that is gated
by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
but VNC passwords are already weak (FIPS forbids their use, and
on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
password sent in plaintext over the network deserves what they
get). SPICE offers better security than VNC, and all other
secrets are properly protected by use of virSecret associations
rather than direct output in domain XML.
|
* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
Tighten rules on use of migratable flag.
* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
|
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b)
|
Conflicts:
src/libvirt-domain.c - file split from older src/libvirt.c
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
src/libvirt.c | 3 ++-
src/remote/remote_protocol.x | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
|
diff --git a/src/libvirt.c b/src/libvirt.c
index 5c086c8..b593c9b 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -4369,7 +4369,8 @@ virDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
virCheckDomainReturn(domain, NULL);
conn = domain->conn;
|
- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+ if ((conn->flags & VIR_CONNECT_RO) &&
+ (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) {
virReportError(VIR_ERR_OPERATION_DENIED, "%s",
_("virDomainGetXMLDesc with secure flag"));
goto error;
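Review bot: The error text `_("virDomainGetXMLDesc with secure flag")` is now also reported when a read-only client passes only VIR_DOMAIN_XML_MIGRATABLE, so the caller is told about a flag it never set; widening it to `_("virDomainGetXMLDesc with secure or migratable flag")` keeps the message in step with the new condition. The widened check is the client-library gate only; per the commit message the reason MIGRATABLE needs the same permission is that the qemu driver adds VIR_DOMAIN_XML_SECURE implicitly, and a remote client is covered by the ACL line added to remote_protocol.x rather than by this branch. A one-line comment above the `if`, such as `/* MIGRATABLE may imply SECURE in drivers (e.g. qemu), so it needs a read-write connection */`, would save the next reader from rediscovering that. virDomainGetXMLDesc begins and ends outside the hunk.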
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index da724d1..ee195c4 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -3233,6 +3233,7 @@ enum remote_procedure {
* @generate: both
* @acl: domain:read
* @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
+ * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE
*/
REMOTE_PROC_DOMAIN_GET_XML_DESC = 14,
|
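Review bot: The added `@acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE` line gives no hint why a flag named "migratable" is tied to the read_secure permission; nothing in remote_protocol.x connects the two flags, so the annotation reads as a mistake to anyone who has not seen this commit. A short comment beside it, such as ` * (MIGRATABLE may imply SECURE in drivers such as qemu, see CVE-2014-7823)`, records the reason that currently lives only in the commit message. Whether the generated dispatcher actually enforces a per-flag permission for this value is not visible in the hunk and should be confirmed against the generator. The enum remote_procedure extends beyond the hunk on both sides.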
--
2.1.3