From aa85786b2868f5d2372d98e5630dd0be32997f18 Mon Sep 17 00:00:00 2001
Message-Id: <aa85786b2868f5d2372d98e5630dd0be32997f18@dist-git>
From: Eric Blake <eblake@redhat.com>
Date: Thu, 6 Nov 2014 09:56:08 +0100
Subject: [PATCH] CVE-2014-7823: dumpxml: security hole with migratable flag

Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
the qemu implementation of virDomainGetXMLDesc, the use of the
flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
prior to calling qemuDomainFormatXML.  However, the use of
VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
clients only.  This patch treats the migratable flag as requiring
the same permissions, rather than analyzing what might break if
migratable xml no longer includes secret information.

Fortunately, the information leak is low-risk: all that is gated
by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
but VNC passwords are already weak (FIPS forbids their use, and
on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
password sent in plaintext over the network deserves what they
get).  SPICE offers better security than VNC, and all other
secrets are properly protected by use of virSecret associations
rather than direct output in domain XML.

* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
Tighten rules on use of migratable flag.
* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b)

Conflicts:
	src/libvirt-domain.c - file split from older src/libvirt.c; context with older virLibConnError
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
 src/libvirt.c                | 3 ++-
 src/remote/remote_protocol.x | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/libvirt.c b/src/libvirt.c
index af94326..cbcc24b 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -4576,7 +4576,8 @@ virDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
 
     conn = domain->conn;
 
-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+    if ((conn->flags & VIR_CONNECT_RO) &&
+        (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) {
         virLibConnError(VIR_ERR_OPERATION_DENIED, "%s",
                         _("virDomainGetXMLDesc with secure flag"));
         goto error;
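Review bot: the error text `_("virDomainGetXMLDesc with secure flag")` at the end of this hunk is now also raised when a read-only client passes only VIR_DOMAIN_XML_MIGRATABLE, so the message no longer describes the condition that triggered it; consider widening it, e.g. `_("virDomainGetXMLDesc with secure or migratable flag")`, so that anyone reading client-side logs can tell which flag was refused. Note also that this check runs only in the client library against VIR_CONNECT_RO; the daemon-side `@acl` change in the remote_protocol.x hunk is what protects against a client that bypasses it, so the two hunks must ship together.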
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index ab8216e..a1298dd 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -2979,6 +2979,7 @@ enum remote_procedure {
      * @generate: both
      * @acl: domain:read
      * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
+     * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE
      */
     REMOTE_PROC_DOMAIN_GET_XML_DESC = 14,
 
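Review bot: the new `@acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE` line is a second conditional read_secure entry next to the existing `@acl: domain:read_secure:VIR_DOMAIN_XML_SECURE`; confirm that the dispatcher generator implied by `@generate: both` emits a check requiring read_secure when either flag is set, rather than honouring only the last entry, since a silently ignored annotation would leave the daemon-side gap open without any compile error. A test that issues REMOTE_PROC_DOMAIN_GET_XML_DESC with only VIR_DOMAIN_XML_MIGRATABLE from an identity lacking domain:read_secure, and expects a denial, would catch that.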
-- 
2.2.0
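As an added illustration of the failure the commit message describes (not code from the patch or from libvirt), the following C models the two stages involved: the entry-point permission check, and the qemu driver's promotion of MIGRATABLE to SECURE that happens after it. The flag values reproduce libvirt's public constants from knowledge of the API; the helper names are constructed for this example.

```c
#include <stdbool.h>

/* Flag bits. The values match libvirt's public header for these
 * constants (stated here from knowledge of the API, not from the
 * patch text). */
enum {
    VIR_DOMAIN_XML_SECURE     = 1 << 0,
    VIR_DOMAIN_XML_INACTIVE   = 1 << 1,
    VIR_DOMAIN_XML_MIGRATABLE = 1 << 3,
};
enum { VIR_CONNECT_RO = 1 << 0 };

/* The qemu driver behaviour the commit message describes: a request
 * for migratable XML is formatted as if SECURE had also been set. */
static unsigned int qemu_effective_flags(unsigned int flags)
{
    if (flags & VIR_DOMAIN_XML_MIGRATABLE)
        flags |= VIR_DOMAIN_XML_SECURE;
    return flags;
}

/* Entry-point check before the patch: only an explicit SECURE request
 * is refused on a read-only connection. */
static bool xmldesc_allowed_before(unsigned int conn_flags, unsigned int flags)
{
    return !((conn_flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE));
}

/* Entry-point check after the patch: MIGRATABLE requires the same
 * read-write connection as SECURE. */
static bool xmldesc_allowed_after(unsigned int conn_flags, unsigned int flags)
{
    return !((conn_flags & VIR_CONNECT_RO) &&
             (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE)));
}

typedef bool (*check_fn)(unsigned int, unsigned int);

/* True when a caller with these flags on this connection passes the
 * check and the driver then formats with SECURE set, i.e. the VNC
 * password would be included in the XML handed back. */
static bool secure_xml_reaches_caller(check_fn check, unsigned int conn_flags,
                                      unsigned int flags)
{
    if (!check(conn_flags, flags))
        return false; /* refused at the entry point: nothing is formatted */
    return (qemu_effective_flags(flags) & VIR_DOMAIN_XML_SECURE) != 0;
}
```

With the pre-patch check, a read-only caller asking only for MIGRATABLE is let through and receives SECURE-formatted output; with the patched check the same request is refused, while read-write callers and read-only requests for other flags (such as INACTIVE) are unaffected.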