Blame SOURCES/libvirt-api-disallow-virConnectGetDomainCapabilities-on-read-only-connections.patch

978831
From b77317482326f31c796e16bda24c1eb344be2d21 Mon Sep 17 00:00:00 2001
978831
Message-Id: <b77317482326f31c796e16bda24c1eb344be2d21@dist-git>
978831
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
978831
Date: Tue, 18 Jun 2019 13:30:01 +0200
978831
Subject: [PATCH] api: disallow virConnectGetDomainCapabilities on read-only
978831
 connections
978831
MIME-Version: 1.0
978831
Content-Type: text/plain; charset=UTF-8
978831
Content-Transfer-Encoding: 8bit
978831
978831
This API can be used to execute arbitrary emulators.
978831
Forbid it on read-only connections.
978831
978831
Fixes: CVE-2019-10167
978831
Signed-off-by: Ján Tomko <jtomko@redhat.com>
978831
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
978831
Signed-off-by: Ján Tomko <jtomko@redhat.com>
978831
Message-Id: <eeefd7cf2afba696bed78582e086bfbd3ed23e00.1560857354.git.jtomko@redhat.com>
978831
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
978831
---
978831
 src/libvirt-domain.c | 1 +
978831
 1 file changed, 1 insertion(+)
978831
978831
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
978831
index 3855dfe0dd..a1c913bd86 100644
978831
--- a/src/libvirt-domain.c
978831
+++ b/src/libvirt-domain.c
978831
@@ -11279,6 +11279,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
978831
     virResetLastError();
978831
 
978831
     virCheckConnectReturn(conn, NULL);
978831
+    virCheckReadOnlyGoto(conn->flags, error);
978831
 
978831
     if (conn->driver->connectGetDomainCapabilities) {
978831
         char *ret;
978831
-- 
978831
2.22.0
978831