diff --git a/SOURCES/libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch b/SOURCES/libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch
new file mode 100644
index 0000000..fe99250
--- /dev/null
+++ b/SOURCES/libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch
@@ -0,0 +1,61 @@
+From dba153a54183187d16cb983d269516930c555ad8 Mon Sep 17 00:00:00 2001
+Message-Id: <dba153a54183187d16cb983d269516930c555ad8@dist-git>
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 15 May 2019 21:40:56 +0100
+Subject: [PATCH] admin: reject clients unless their UID matches the current
+ UID
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The admin protocol RPC messages are only intended for use by the user
+running the daemon. As such they should not be allowed for any client
+UID that does not match the server UID.
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from a private commit)
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+Message-Id: <20190515204058.28077-2-berrange@redhat.com>
+---
+ src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c
+index b78ff902c0..9f25813ae3 100644
+--- a/src/admin/admin_server_dispatch.c
++++ b/src/admin/admin_server_dispatch.c
+@@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
+                    void *opaque)
+ {
+     struct daemonAdmClientPrivate *priv;
++    uid_t clientuid;
++    gid_t clientgid;
++    pid_t clientpid;
++    unsigned long long timestamp;
++
++    if (virNetServerClientGetUNIXIdentity(client,
++                                          &clientuid,
++                                          &clientgid,
++                                          &clientpid,
++                                          &timestamp) < 0)
++        return NULL;
++
++    VIR_DEBUG("New client pid %lld uid %lld",
++              (long long)clientpid,
++              (long long)clientuid);
++
++    if (geteuid() != clientuid) {
++        virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
++                                 (long long)clientpid,
++                                 (long long)clientuid);
++        return NULL;
++    }
+ 
+     if (VIR_ALLOC(priv) < 0)
+         return NULL;
+-- 
+2.21.0
+
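Review bot: `remoteAdmClientNew` now reads `client` in the added `virNetServerClientGetUNIXIdentity()` call, yet the signature shown in the inner hunk header still declares it `client ATTRIBUTE_UNUSED`. That line sits just above the hunk and is not touched by the patch, so the annotation is now misleading and should become `remoteAdmClientNew(virNetServerClientPtr client,`. A short comment above the `geteuid() != clientuid` test would record the policy for later readers, e.g. `/* admin RPC is only for the user running the daemon; refuse any other peer UID */`. `clientgid` and `timestamp` are not used in the visible lines and appear to be fetched only to satisfy the getter's signature, which is worth a word in the same comment. The function body continues past the end of the hunk.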
diff --git a/SOURCES/libvirt-locking-restrict-sockets-to-mode-0600.patch b/SOURCES/libvirt-locking-restrict-sockets-to-mode-0600.patch
new file mode 100644
index 0000000..fde25c9
--- /dev/null
+++ b/SOURCES/libvirt-locking-restrict-sockets-to-mode-0600.patch
@@ -0,0 +1,54 @@
+From 9062f89d17d1ab5d6c5c3efae8c6056149ef0a28 Mon Sep 17 00:00:00 2001
+Message-Id: <9062f89d17d1ab5d6c5c3efae8c6056149ef0a28@dist-git>
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 15 May 2019 21:40:57 +0100
+Subject: [PATCH] locking: restrict sockets to mode 0600
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virtlockd daemon's only intended client is the libvirtd daemon. As
+such it should never allow clients from other user accounts to connect.
+The code already enforces this and drops clients from other UIDs, but
+we can get earlier (and thus stronger) protection against DoS by setting
+the socket permissions to 0600
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from a private commit)
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+Message-Id: <20190515204058.28077-3-berrange@redhat.com>
+---
+ src/locking/virtlockd-admin.socket.in | 1 +
+ src/locking/virtlockd.socket.in       | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in
+index 2a7500f3d0..f674c492f7 100644
+--- a/src/locking/virtlockd-admin.socket.in
++++ b/src/locking/virtlockd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
+ Service=virtlockd.service
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in
+index 45e0f20235..d701b27516 100644
+--- a/src/locking/virtlockd.socket.in
++++ b/src/locking/virtlockd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+ 
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+-- 
+2.21.0
+
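Review bot: `SocketMode=0600` in `virtlockd.socket.in` and `virtlockd-admin.socket.in` only takes effect when systemd creates the socket, and neither unit states who owns it. The restriction to libvirtd therefore relies on the unit's default socket owner matching the account libvirtd runs as. A comment on the line above the setting would record the intent, such as `# Only the account running libvirtd may connect; the daemon also checks the peer UID`. The path where the daemon creates its own listening socket is not part of this patch, so it is worth confirming that it uses an equally restrictive mode. The same points apply to the two `virtlogd` units changed in the logging patch that follows.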
diff --git a/SOURCES/libvirt-logging-restrict-sockets-to-mode-0600.patch b/SOURCES/libvirt-logging-restrict-sockets-to-mode-0600.patch
new file mode 100644
index 0000000..a080a11
--- /dev/null
+++ b/SOURCES/libvirt-logging-restrict-sockets-to-mode-0600.patch
@@ -0,0 +1,54 @@
+From b87dc9bc856cd8b9d6dbf61ff7b1aa61653748fb Mon Sep 17 00:00:00 2001
+Message-Id: <b87dc9bc856cd8b9d6dbf61ff7b1aa61653748fb@dist-git>
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 15 May 2019 21:40:58 +0100
+Subject: [PATCH] logging: restrict sockets to mode 0600
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virtlogd daemon's only intended client is the libvirtd daemon. As
+such it should never allow clients from other user accounts to connect.
+The code already enforces this and drops clients from other UIDs, but
+we can get earlier (and thus stronger) protection against DoS by setting
+the socket permissions to 0600
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from a private commit)
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+Message-Id: <20190515204058.28077-4-berrange@redhat.com>
+---
+ src/logging/virtlogd-admin.socket.in | 1 +
+ src/logging/virtlogd.socket.in       | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in
+index 595e6c4c4b..5c41dfeb7b 100644
+--- a/src/logging/virtlogd-admin.socket.in
++++ b/src/logging/virtlogd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
+ Service=virtlogd.service
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in
+index 22b9360c8d..ae48cdab9a 100644
+--- a/src/logging/virtlogd.socket.in
++++ b/src/logging/virtlogd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+ 
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+-- 
+2.21.0
+
diff --git a/SOURCES/libvirt-virnwfilterbindingobj-Introduce-and-use-virNWFilterBindingObjStealDef.patch b/SOURCES/libvirt-virnwfilterbindingobj-Introduce-and-use-virNWFilterBindingObjStealDef.patch
new file mode 100644
index 0000000..852c710
--- /dev/null
+++ b/SOURCES/libvirt-virnwfilterbindingobj-Introduce-and-use-virNWFilterBindingObjStealDef.patch
@@ -0,0 +1,132 @@
+From 48289dddc0f4398036071c132f96644e3c3e03c4 Mon Sep 17 00:00:00 2001
+Message-Id: <48289dddc0f4398036071c132f96644e3c3e03c4@dist-git>
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Tue, 23 Apr 2019 10:06:17 +0200
+Subject: [PATCH] virnwfilterbindingobj: Introduce and use
+ virNWFilterBindingObjStealDef
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RHEL-7.7: https://bugzilla.redhat.com/show_bug.cgi?id=1686927
+RHEL-7.6.z: https://bugzilla.redhat.com/show_bug.cgi?id=1702173
+
+When trying to create a nwfilter binding via
+nwfilterBindingCreateXML() we may encounter a crash. The sequence
+of functions called is as follows:
+
+1) nwfilterBindingCreateXML() parses the XML and calls
+virNWFilterBindingObjListAdd() which calls
+virNWFilterBindingObjListAddLocked()
+
+2) Here, @binding is not found because binding->remove is set.
+
+3) Therefore, controls continue with creating new @binding,
+setting its def to the one from 1) and adding it to the hash
+table.
+
+4) This fails, because the binding is still in the hash table
+(duplicate key is detected).
+
+5) The control jumps to 'error' label where
+virNWFilterBindingObjEndAPI() is called which frees the binding
+definition passed.
+
+6) Error is propagated to the caller, which calls
+virNWFilterBindingDefFree() over the definition again.
+
+The solution is to unset binding->def in case of failure so it's
+not freed in step 5).
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit 8c08a99745ddac9f4055c008e82e68a27ed5093d)
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Message-Id: <a5c2feed107e958bb6a84f7e993cc9feac58c4a2.1556006751.git.mprivozn@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+---
+ src/conf/virnwfilterbindingobj.c     | 10 ++++++++++
+ src/conf/virnwfilterbindingobj.h     |  3 +++
+ src/conf/virnwfilterbindingobjlist.c |  4 ++++
+ src/libvirt_private.syms             |  1 +
+ 4 files changed, 18 insertions(+)
+
+diff --git a/src/conf/virnwfilterbindingobj.c b/src/conf/virnwfilterbindingobj.c
+index d145fe3223..291ba9a5f8 100644
+--- a/src/conf/virnwfilterbindingobj.c
++++ b/src/conf/virnwfilterbindingobj.c
+@@ -88,6 +88,16 @@ virNWFilterBindingObjSetDef(virNWFilterBindingObjPtr obj,
+ }
+ 
+ 
++virNWFilterBindingDefPtr
++virNWFilterBindingObjStealDef(virNWFilterBindingObjPtr obj)
++{
++    virNWFilterBindingDefPtr def;
++
++    VIR_STEAL_PTR(def, obj->def);
++    return def;
++}
++
++
+ bool
+ virNWFilterBindingObjGetRemoving(virNWFilterBindingObjPtr obj)
+ {
+diff --git a/src/conf/virnwfilterbindingobj.h b/src/conf/virnwfilterbindingobj.h
+index 21ae85b064..e8f94aa1ef 100644
+--- a/src/conf/virnwfilterbindingobj.h
++++ b/src/conf/virnwfilterbindingobj.h
+@@ -38,6 +38,9 @@ void
+ virNWFilterBindingObjSetDef(virNWFilterBindingObjPtr obj,
+                             virNWFilterBindingDefPtr def);
+ 
++virNWFilterBindingDefPtr
++virNWFilterBindingObjStealDef(virNWFilterBindingObjPtr obj);
++
+ bool
+ virNWFilterBindingObjGetRemoving(virNWFilterBindingObjPtr obj);
+ 
+diff --git a/src/conf/virnwfilterbindingobjlist.c b/src/conf/virnwfilterbindingobjlist.c
+index 7ce59f7c6e..d0301e7e28 100644
+--- a/src/conf/virnwfilterbindingobjlist.c
++++ b/src/conf/virnwfilterbindingobjlist.c
+@@ -169,6 +169,7 @@ virNWFilterBindingObjListAddLocked(virNWFilterBindingObjListPtr bindings,
+                                    virNWFilterBindingDefPtr def)
+ {
+     virNWFilterBindingObjPtr binding;
++    bool stealDef = false;
+ 
+     /* See if a binding with matching portdev already exists */
+     if ((binding = virNWFilterBindingObjListFindByPortDevLocked(
+@@ -183,6 +184,7 @@ virNWFilterBindingObjListAddLocked(virNWFilterBindingObjListPtr bindings,
+         goto error;
+ 
+     virNWFilterBindingObjSetDef(binding, def);
++    stealDef = true;
+ 
+     if (virNWFilterBindingObjListAddObjLocked(bindings, binding) < 0)
+         goto error;
+@@ -190,6 +192,8 @@ virNWFilterBindingObjListAddLocked(virNWFilterBindingObjListPtr bindings,
+     return binding;
+ 
+  error:
++    if (stealDef)
++        virNWFilterBindingObjStealDef(binding);
+     virNWFilterBindingObjEndAPI(&binding);
+     return NULL;
+ }
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index 636891eabd..3325b90535 100644
+--- a/src/libvirt_private.syms
++++ b/src/libvirt_private.syms
+@@ -1065,6 +1065,7 @@ virNWFilterBindingObjParseFile;
+ virNWFilterBindingObjSave;
+ virNWFilterBindingObjSetDef;
+ virNWFilterBindingObjSetRemoving;
++virNWFilterBindingObjStealDef;
+ 
+ 
+ # conf/virnwfilterbindingobjlist.h
+-- 
+2.21.0
+
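Review bot: `virNWFilterBindingObjStealDef()` is added in `virnwfilterbindingobj.c` and exported through `libvirt_private.syms` without any comment on its ownership contract. Since `VIR_STEAL_PTR` clears `obj->def`, a doc comment above the function should say that the object no longer owns the definition after the call and that the caller is responsible for the returned pointer. In the `error:` path of `virNWFilterBindingObjListAddLocked` the return value is discarded on purpose, because per the commit message the caller frees `def` itself. A comment there would stop a later reader from treating the dropped pointer as a leak, e.g. `/* caller still owns @def on failure; detach it so EndAPI does not free it */`. `virNWFilterBindingObjListAddLocked` is only partly visible in these hunks.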
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index a456370..70ed4ef 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -253,7 +253,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 4.5.0
-Release: 10%{?dist}.9%{?extra_release}
+Release: 10%{?dist}.10%{?extra_release}
 License: LGPLv2+
 URL: https://libvirt.org/
 
@@ -415,6 +415,10 @@ Patch149: libvirt-cpu_x86-Do-not-cache-microcode-version.patch
 Patch150: libvirt-cputest-Add-data-for-Intel-R-Xeon-R-CPU-E3-1225-v5.patch
 Patch151: libvirt-cpu_map-Define-md-clear-CPUID-bit.patch
 Patch152: libvirt-qemu-Don-t-cache-microcode-version.patch
+Patch153: libvirt-virnwfilterbindingobj-Introduce-and-use-virNWFilterBindingObjStealDef.patch
+Patch154: libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch
+Patch155: libvirt-locking-restrict-sockets-to-mode-0600.patch
+Patch156: libvirt-logging-restrict-sockets-to-mode-0600.patch
 
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -2316,6 +2320,12 @@ exit 0
 
 
 %changelog
+* Thu May 16 2019 Jiri Denemark <jdenemar@redhat.com> - 4.5.0-10.el7_6.10
+- virnwfilterbindingobj: Introduce and use virNWFilterBindingObjStealDef (rhbz#1702173)
+- admin: reject clients unless their UID matches the current UID (CVE-2019-10132)
+- locking: restrict sockets to mode 0600 (CVE-2019-10132)
+- logging: restrict sockets to mode 0600 (CVE-2019-10132)
+
 * Tue Apr 16 2019 Jiri Denemark <jdenemar@redhat.com> - 4.5.0-10.el7_6.9
 - qemu: Don't cache microcode version (CVE-2018-12127, CVE-2018-12126, CVE-2018-12130)