From a2479f539e521dfe57656ede0d10ae548283664e Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Jun 20 2019 16:30:57 +0000 Subject: libvirt-5.4.0-2.fc31 CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API (bz #1722463, bz #1720115) CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly clients (bz #1722462, bz #1720114) CVE-2019-10167: arbitrary command execution via virConnectGetDomainCapabilities API (bz #1722464, bz #1720117) CVE-2019-10168: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs (bz #1722466, bz #1720118) --- diff --git a/0001-api-disallow-virDomainSaveImageGetXMLDesc-on-read-on.patch b/0001-api-disallow-virDomainSaveImageGetXMLDesc-on-read-on.patch new file mode 100644 index 0000000..8b99fcc --- /dev/null +++ b/0001-api-disallow-virDomainSaveImageGetXMLDesc-on-read-on.patch @@ -0,0 +1,81 @@ +From: =?UTF-8?q?J=C3=A1n=20Tomko?= +Date: Fri, 14 Jun 2019 08:47:42 +0200 +Subject: [PATCH] api: disallow virDomainSaveImageGetXMLDesc on read-only + connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virDomainSaveImageGetXMLDesc API is taking a path parameter, +which can point to any path on the system. This file will then be +read and parsed by libvirtd running with root privileges. + +Forbid it on read-only connections. + +Fixes: CVE-2019-10161 +Reported-by: Matthias Gerstner +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit aed6a032cead4386472afb24b16196579e239580) +--- + src/libvirt-domain.c | 11 ++--------- + src/qemu/qemu_driver.c | 2 +- + src/remote/remote_protocol.x | 3 +-- + 3 files changed, 4 insertions(+), 12 deletions(-) + +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c +index df7e405b3e..1cc8537c04 100644 +--- a/src/libvirt-domain.c ++++ b/src/libvirt-domain.c +@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml, + * previously by virDomainSave() or virDomainSaveFlags(). + * + * No security-sensitive data will be included unless @flags contains +- * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE; this flag is rejected on read-only +- * connections. ++ * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE. + * + * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of + * error. The caller must free() the returned value. +@@ -1090,13 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file, + + virCheckConnectReturn(conn, NULL); + virCheckNonNullArgGoto(file, error); +- +- if ((conn->flags & VIR_CONNECT_RO) && +- (flags & VIR_DOMAIN_SAVE_IMAGE_XML_SECURE)) { +- virReportError(VIR_ERR_OPERATION_DENIED, "%s", +- _("virDomainSaveImageGetXMLDesc with secure flag")); +- goto error; +- } ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->domainSaveImageGetXMLDesc) { + char *ret; +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index 42b1ce2521..ea9a3d33a3 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -7038,7 +7038,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path, + if (fd < 0) + goto cleanup; + +- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0) ++ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) + goto cleanup; + + ret = qemuDomainDefFormatXML(driver, def, flags); +diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x +index 11f44ee267..737d67c47b 100644 +--- a/src/remote/remote_protocol.x ++++ b/src/remote/remote_protocol.x +@@ -5242,8 +5242,7 @@ enum remote_procedure { + /** + * @generate: both + * @priority: high +- * @acl: domain:read +- * @acl: domain:read_secure:VIR_DOMAIN_SAVE_IMAGE_XML_SECURE ++ * @acl: domain:write + */ + REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235, + diff --git a/0002-api-disallow-virDomainManagedSaveDefineXML-on-read-o.patch b/0002-api-disallow-virDomainManagedSaveDefineXML-on-read-o.patch new file mode 100644 index 0000000..b952bdd --- /dev/null +++ b/0002-api-disallow-virDomainManagedSaveDefineXML-on-read-o.patch @@ -0,0 +1,33 @@ +From: =?UTF-8?q?J=C3=A1n=20Tomko?= +Date: Fri, 14 Jun 2019 09:14:53 +0200 +Subject: [PATCH] api: disallow virDomainManagedSaveDefineXML on read-only + connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virDomainManagedSaveDefineXML can be used to alter the domain's +config used for managedsave or even execute arbitrary emulator binaries. +Forbid it on read-only connections. + +Fixes: CVE-2019-10166 +Reported-by: Matthias Gerstner +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit db0b78457f183e4c7ac45bc94de86044a1e2056a) +--- + src/libvirt-domain.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c +index 1cc8537c04..f77fc23a3f 100644 +--- a/src/libvirt-domain.c ++++ b/src/libvirt-domain.c +@@ -9563,6 +9563,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml, + + virCheckDomainReturn(domain, -1); + conn = domain->conn; ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->domainManagedSaveDefineXML) { + int ret; diff --git a/0003-api-disallow-virConnectGetDomainCapabilities-on-read.patch b/0003-api-disallow-virConnectGetDomainCapabilities-on-read.patch new file mode 100644 index 0000000..be27e22 --- /dev/null +++ b/0003-api-disallow-virConnectGetDomainCapabilities-on-read.patch @@ -0,0 +1,31 @@ +From: =?UTF-8?q?J=C3=A1n=20Tomko?= +Date: Fri, 14 Jun 2019 09:16:14 +0200 +Subject: [PATCH] api: disallow virConnectGetDomainCapabilities on read-only + connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This API can be used to execute arbitrary emulators. +Forbid it on read-only connections. + +Fixes: CVE-2019-10167 +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26) +--- + src/libvirt-domain.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c +index f77fc23a3f..c500d6be36 100644 +--- a/src/libvirt-domain.c ++++ b/src/libvirt-domain.c +@@ -11360,6 +11360,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn, + virResetLastError(); + + virCheckConnectReturn(conn, NULL); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectGetDomainCapabilities) { + char *ret; diff --git a/0004-api-disallow-virConnect-HypervisorCPU-on-read-only-c.patch b/0004-api-disallow-virConnect-HypervisorCPU-on-read-only-c.patch new file mode 100644 index 0000000..fb4da99 --- /dev/null +++ b/0004-api-disallow-virConnect-HypervisorCPU-on-read-only-c.patch @@ -0,0 +1,39 @@ +From: =?UTF-8?q?J=C3=A1n=20Tomko?= +Date: Fri, 14 Jun 2019 09:17:39 +0200 +Subject: [PATCH] api: disallow virConnect*HypervisorCPU on read-only + connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +These APIs can be used to execute arbitrary emulators. +Forbid them on read-only connections. + +Fixes: CVE-2019-10168 +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit bf6c2830b6c338b1f5699b095df36f374777b291) +--- + src/libvirt-host.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/libvirt-host.c b/src/libvirt-host.c +index e20d6ee250..2978825d22 100644 +--- a/src/libvirt-host.c ++++ b/src/libvirt-host.c +@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn, + + virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR); + virCheckNonNullArgGoto(xmlCPU, error); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectCompareHypervisorCPU) { + int ret; +@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn, + + virCheckConnectReturn(conn, NULL); + virCheckNonNullArgGoto(xmlCPUs, error); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectBaselineHypervisorCPU) { + char *cpu; diff --git a/libvirt.spec b/libvirt.spec index 5819ccb..b934aba 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -216,7 +216,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 5.4.0 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ URL: https://libvirt.org/ @@ -225,6 +225,20 @@ URL: https://libvirt.org/ %endif Source: https://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz +# CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc +# API (bz #1722463, bz #1720115) +Patch0001: 0001-api-disallow-virDomainSaveImageGetXMLDesc-on-read-on.patch +# CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly +# clients (bz #1722462, bz #1720114) +Patch0002: 0002-api-disallow-virDomainManagedSaveDefineXML-on-read-o.patch +# CVE-2019-10167: arbitrary command execution via +# virConnectGetDomainCapabilities API (bz #1722464, bz #1720117) +Patch0003: 0003-api-disallow-virConnectGetDomainCapabilities-on-read.patch +# CVE-2019-10168: arbitrary command execution via +# virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs (bz +# #1722466, bz #1720118) +Patch0004: 0004-api-disallow-virConnect-HypervisorCPU-on-read-only-c.patch + Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} Requires: libvirt-daemon-config-nwfilter = %{version}-%{release} @@ -1870,6 +1884,17 @@ exit 0 %changelog +* Thu Jun 20 2019 Cole Robinson - 5.4.0-2 +- CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc + API (bz #1722463, bz #1720115) +- CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly + clients (bz #1722462, bz #1720114) +- CVE-2019-10167: arbitrary command execution via + virConnectGetDomainCapabilities API (bz #1722464, bz #1720117) +- CVE-2019-10168: arbitrary command execution via + virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs (bz + #1722466, bz #1720118) + * Wed Jun 12 2019 Daniel P. Berrangé - 5.4.0-1 - Update to 5.4.0 release