From ae5cbaaba2cf9419004cc9972f18c4ad4e555ba8 Mon Sep 17 00:00:00 2001 Message-Id: From: "Daniel P. Berrange" Date: Tue, 22 Oct 2013 17:18:07 +0100 Subject: [PATCH] Fix perms for virConnectDomainXML{To, From}Native CVE-2013-4401 The virConnectDomainXMLToNative API should require 'connect:write' not 'connect:read', since it will trigger execution of the QEMU binaries listed in the XML. Also make virConnectDomainXMLFromNative API require a full read-write connection and 'connect:write' permission. Although the current impl doesn't trigger execution of QEMU, we should not rely on that impl detail from an API permissioning POV. Signed-off-by: Daniel P. Berrange (cherry picked from commit 57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c) Signed-off-by: Jiri Denemark --- src/libvirt.c | 4 ++++ src/remote/remote_protocol.x | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/src/libvirt.c b/src/libvirt.c index 66e8248..1a6c771 100644 --- a/src/libvirt.c +++ b/src/libvirt.c @@ -4606,6 +4606,10 @@ char *virConnectDomainXMLFromNative(virConnectPtr conn, virDispatchError(NULL); return NULL; } + if (conn->flags & VIR_CONNECT_RO) { + virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__); + goto error; + } virCheckNonNullArgGoto(nativeFormat, error); virCheckNonNullArgGoto(nativeConfig, error); diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x index a8450b1..c7181da 100644 --- a/src/remote/remote_protocol.x +++ b/src/remote/remote_protocol.x @@ -3812,13 +3812,13 @@ enum remote_procedure { /** * @generate: both - * @acl: connect:read + * @acl: connect:write */ REMOTE_PROC_CONNECT_DOMAIN_XML_FROM_NATIVE = 135, /** * @generate: both - * @acl: connect:read + * @acl: connect:write */ REMOTE_PROC_CONNECT_DOMAIN_XML_TO_NATIVE = 136, -- 1.8.4