From 978831e31ca6c027fa5a7405e96e5d1a0da873a5 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jun 20 2019 13:36:05 +0000 Subject: import libvirt-4.5.0-23.3.module+el8.0.0.z+3418+a72cf898 --- diff --git a/SOURCES/libvirt-api-disallow-virConnect-HypervisorCPU-on-read-only-connections.patch b/SOURCES/libvirt-api-disallow-virConnect-HypervisorCPU-on-read-only-connections.patch new file mode 100644 index 0000000..0f182be --- /dev/null +++ b/SOURCES/libvirt-api-disallow-virConnect-HypervisorCPU-on-read-only-connections.patch @@ -0,0 +1,46 @@ +From 80850486e791a69a4cd58851617f321b84f7c178 Mon Sep 17 00:00:00 2001 +Message-Id: <80850486e791a69a4cd58851617f321b84f7c178@dist-git> +From: =?UTF-8?q?J=C3=A1n=20Tomko?= +Date: Tue, 18 Jun 2019 13:30:02 +0200 +Subject: [PATCH] api: disallow virConnect*HypervisorCPU on read-only + connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +These APIs can be used to execute arbitrary emulators. +Forbid them on read-only connections. + +Fixes: CVE-2019-10168 +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +Signed-off-by: Ján Tomko +Message-Id: <470651092e7d6a4ba5875cf8885fd3714d5ea189.1560857354.git.jtomko@redhat.com> +Reviewed-by: Jiri Denemark +--- + src/libvirt-host.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/libvirt-host.c b/src/libvirt-host.c +index e20d6ee250..2978825d22 100644 +--- a/src/libvirt-host.c ++++ b/src/libvirt-host.c +@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn, + + virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR); + virCheckNonNullArgGoto(xmlCPU, error); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectCompareHypervisorCPU) { + int ret; +@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn, + + virCheckConnectReturn(conn, NULL); + virCheckNonNullArgGoto(xmlCPUs, error); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectBaselineHypervisorCPU) { + char *cpu; +-- +2.22.0 + diff --git a/SOURCES/libvirt-api-disallow-virConnectGetDomainCapabilities-on-read-only-connections.patch b/SOURCES/libvirt-api-disallow-virConnectGetDomainCapabilities-on-read-only-connections.patch new file mode 100644 index 0000000..b04e5f4 --- /dev/null +++ b/SOURCES/libvirt-api-disallow-virConnectGetDomainCapabilities-on-read-only-connections.patch @@ -0,0 +1,38 @@ +From b77317482326f31c796e16bda24c1eb344be2d21 Mon Sep 17 00:00:00 2001 +Message-Id: +From: =?UTF-8?q?J=C3=A1n=20Tomko?= +Date: Tue, 18 Jun 2019 13:30:01 +0200 +Subject: [PATCH] api: disallow virConnectGetDomainCapabilities on read-only + connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This API can be used to execute arbitrary emulators. +Forbid it on read-only connections. + +Fixes: CVE-2019-10167 +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +Signed-off-by: Ján Tomko +Message-Id: +Reviewed-by: Jiri Denemark +--- + src/libvirt-domain.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c +index 3855dfe0dd..a1c913bd86 100644 +--- a/src/libvirt-domain.c ++++ b/src/libvirt-domain.c +@@ -11279,6 +11279,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn, + virResetLastError(); + + virCheckConnectReturn(conn, NULL); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectGetDomainCapabilities) { + char *ret; +-- +2.22.0 + diff --git a/SOURCES/libvirt-api-disallow-virDomainManagedSaveDefineXML-on-read-only-connections.patch b/SOURCES/libvirt-api-disallow-virDomainManagedSaveDefineXML-on-read-only-connections.patch new file mode 100644 index 0000000..461c8f6 --- /dev/null +++ b/SOURCES/libvirt-api-disallow-virDomainManagedSaveDefineXML-on-read-only-connections.patch @@ -0,0 +1,40 @@ +From 2f8042cc71d65391e702c48f4e5e9dd38811cf4a Mon Sep 17 00:00:00 2001 +Message-Id: <2f8042cc71d65391e702c48f4e5e9dd38811cf4a@dist-git> +From: =?UTF-8?q?J=C3=A1n=20Tomko?= +Date: Tue, 18 Jun 2019 13:30:00 +0200 +Subject: [PATCH] api: disallow virDomainManagedSaveDefineXML on read-only + connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virDomainManagedSaveDefineXML can be used to alter the domain's +config used for managedsave or even execute arbitrary emulator binaries. +Forbid it on read-only connections. + +Fixes: CVE-2019-10166 +Reported-by: Matthias Gerstner +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +Signed-off-by: Ján Tomko +Message-Id: <352bf5e963a6482d426f97b0ef36ca019e69280b.1560857354.git.jtomko@redhat.com> +Reviewed-by: Jiri Denemark +--- + src/libvirt-domain.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c +index 0ba85b9360..3855dfe0dd 100644 +--- a/src/libvirt-domain.c ++++ b/src/libvirt-domain.c +@@ -9487,6 +9487,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml, + + virCheckDomainReturn(domain, -1); + conn = domain->conn; ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->domainManagedSaveDefineXML) { + int ret; +-- +2.22.0 + diff --git a/SOURCES/libvirt-api-disallow-virDomainSaveImageGetXMLDesc-on-read-only-connections.patch b/SOURCES/libvirt-api-disallow-virDomainSaveImageGetXMLDesc-on-read-only-connections.patch new file mode 100644 index 0000000..f0ee792 --- /dev/null +++ b/SOURCES/libvirt-api-disallow-virDomainSaveImageGetXMLDesc-on-read-only-connections.patch @@ -0,0 +1,98 @@ +From d5b7ada5278e175d3174a6bcdc4338684ae4376e Mon Sep 17 00:00:00 2001 +Message-Id: +From: =?UTF-8?q?J=C3=A1n=20Tomko?= +Date: Tue, 18 Jun 2019 13:29:59 +0200 +Subject: [PATCH] api: disallow virDomainSaveImageGetXMLDesc on read-only + connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virDomainSaveImageGetXMLDesc API is taking a path parameter, +which can point to any path on the system. This file will then be +read and parsed by libvirtd running with root privileges. + +Forbid it on read-only connections. + +Fixes: CVE-2019-10161 +Reported-by: Matthias Gerstner +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +Signed-off-by: Ján Tomko + +Conflicts: + src/libvirt-domain.c + src/remote/remote_protocol.x + +Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE +alias for VIR_DOMAIN_XML_SECURE is not backported. +Just skip the commit since we now disallow the whole API on read-only +connections, regardless of the flag. +Message-Id: <4c14d609cd7b548459b9ef2f59728fa5c5e38268.1560857354.git.jtomko@redhat.com> + +Reviewed-by: Jiri Denemark +--- + src/libvirt-domain.c | 11 ++--------- + src/qemu/qemu_driver.c | 2 +- + src/remote/remote_protocol.x | 3 +-- + 3 files changed, 4 insertions(+), 12 deletions(-) + +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c +index ad0ded9ee3..0ba85b9360 100644 +--- a/src/libvirt-domain.c ++++ b/src/libvirt-domain.c +@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml, + * previously by virDomainSave() or virDomainSaveFlags(). + * + * No security-sensitive data will be included unless @flags contains +- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only +- * connections. For this API, @flags should not contain either +- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU. ++ * VIR_DOMAIN_XML_SECURE. + * + * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of + * error. The caller must free() the returned value. +@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file, + + virCheckConnectReturn(conn, NULL); + virCheckNonNullArgGoto(file, error); +- +- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) { +- virReportError(VIR_ERR_OPERATION_DENIED, "%s", +- _("virDomainSaveImageGetXMLDesc with secure flag")); +- goto error; +- } ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->domainSaveImageGetXMLDesc) { + char *ret; +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index 88c08f88ee..2da87992fd 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -6786,7 +6786,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path, + if (fd < 0) + goto cleanup; + +- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0) ++ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) + goto cleanup; + + ret = qemuDomainDefFormatXML(driver, def, flags); +diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x +index 28c8febabd..52b92334fa 100644 +--- a/src/remote/remote_protocol.x ++++ b/src/remote/remote_protocol.x +@@ -5226,8 +5226,7 @@ enum remote_procedure { + /** + * @generate: both + * @priority: high +- * @acl: domain:read +- * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE ++ * @acl: domain:write + */ + REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235, + +-- +2.22.0 + diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec index 59688f9..c4275ec 100644 --- a/SPECS/libvirt.spec +++ b/SPECS/libvirt.spec @@ -243,7 +243,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 4.5.0 -Release: 23.2%{?dist}%{?extra_release} +Release: 23.3%{?dist}%{?extra_release} License: LGPLv2+ URL: https://libvirt.org/ @@ -455,6 +455,10 @@ Patch199: libvirt-cpu_map-Define-md-clear-CPUID-bit.patch Patch200: libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch Patch201: libvirt-locking-restrict-sockets-to-mode-0600.patch Patch202: libvirt-logging-restrict-sockets-to-mode-0600.patch +Patch203: libvirt-api-disallow-virDomainSaveImageGetXMLDesc-on-read-only-connections.patch +Patch204: libvirt-api-disallow-virDomainManagedSaveDefineXML-on-read-only-connections.patch +Patch205: libvirt-api-disallow-virConnectGetDomainCapabilities-on-read-only-connections.patch +Patch206: libvirt-api-disallow-virConnect-HypervisorCPU-on-read-only-connections.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -2366,6 +2370,12 @@ exit 0 %changelog +* Tue Jun 18 2019 Jiri Denemark - 4.5.0-23.3.el8 +- api: disallow virDomainSaveImageGetXMLDesc on read-only connections (CVE-2019-10161) +- api: disallow virDomainManagedSaveDefineXML on read-only connections (CVE-2019-10166) +- api: disallow virConnectGetDomainCapabilities on read-only connections (CVE-2019-10167) +- api: disallow virConnect*HypervisorCPU on read-only connections (CVE-2019-10168) + * Thu May 16 2019 Jiri Denemark - 4.5.0-23.2.el8 - admin: reject clients unless their UID matches the current UID (CVE-2019-10132) - locking: restrict sockets to mode 0600 (CVE-2019-10132)