diff --git a/SOURCES/libvirt-CVE-2014-7823-dumpxml-security-hole-with-migratable-flag.patch b/SOURCES/libvirt-CVE-2014-7823-dumpxml-security-hole-with-migratable-flag.patch
new file mode 100644
index 0000000..6441809
--- /dev/null
+++ b/SOURCES/libvirt-CVE-2014-7823-dumpxml-security-hole-with-migratable-flag.patch
@@ -0,0 +1,70 @@
+From aa85786b2868f5d2372d98e5630dd0be32997f18 Mon Sep 17 00:00:00 2001
+Message-Id: <aa85786b2868f5d2372d98e5630dd0be32997f18@dist-git>
+From: Eric Blake <eblake@redhat.com>
+Date: Thu, 6 Nov 2014 09:56:08 +0100
+Subject: [PATCH] CVE-2014-7823: dumpxml: security hole with migratable flag
+
+Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
+the qemu implementation of virDomainGetXMLDesc, the use of the
+flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
+connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
+prior to calling qemuDomainFormatXML.  However, the use of
+VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
+clients only.  This patch treats the migratable flag as requiring
+the same permissions, rather than analyzing what might break if
+migratable xml no longer includes secret information.
+
+Fortunately, the information leak is low-risk: all that is gated
+by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
+but VNC passwords are already weak (FIPS forbids their use, and
+on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
+password sent in plaintext over the network deserves what they
+get).  SPICE offers better security than VNC, and all other
+secrets are properly protected by use of virSecret associations
+rather than direct output in domain XML.
+
+* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
+Tighten rules on use of migratable flag.
+* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b)
+
+Conflicts:
+	src/libvirt-domain.c - file split from older src/libvirt.c; context with older virLibConnError
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/libvirt.c                | 3 ++-
+ src/remote/remote_protocol.x | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libvirt.c b/src/libvirt.c
+index af94326..cbcc24b 100644
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -4576,7 +4576,8 @@ virDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
+ 
+     conn = domain->conn;
+ 
+-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
++    if ((conn->flags & VIR_CONNECT_RO) &&
++        (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) {
+         virLibConnError(VIR_ERR_OPERATION_DENIED, "%s",
+                         _("virDomainGetXMLDesc with secure flag"));
+         goto error;
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index ab8216e..a1298dd 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -2979,6 +2979,7 @@ enum remote_procedure {
+      * @generate: both
+      * @acl: domain:read
+      * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
++     * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE
+      */
+     REMOTE_PROC_DOMAIN_GET_XML_DESC = 14,
+ 
+-- 
+2.2.0
+
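Review bot: The denial message in the embedded src/libvirt.c hunk still reads `virDomainGetXMLDesc with secure flag`, so a read-only client that passed only VIR_DOMAIN_XML_MIGRATABLE is told about a flag it never set. Since this check is the access-control boundary for the VNC password, the message should name both flags, for example `_("virDomainGetXMLDesc with secure or migratable flag")`, which also makes denied calls easier to interpret in logs. The commit message says the implicit SECURE happens in "at least" the qemu driver, and other public entry points that accept the same XML flags are not visible here, so it is worth confirming they apply the same read-only restriction. virDomainGetXMLDesc's body starts and ends outside the hunk.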
diff --git a/SOURCES/libvirt-Fix-crash-when-saving-a-domain-with-type-none-dac-label.patch b/SOURCES/libvirt-Fix-crash-when-saving-a-domain-with-type-none-dac-label.patch
new file mode 100644
index 0000000..9da9c51
--- /dev/null
+++ b/SOURCES/libvirt-Fix-crash-when-saving-a-domain-with-type-none-dac-label.patch
@@ -0,0 +1,37 @@
+From bc80e46dc56255dec477073bf021a7360ba48ce5 Mon Sep 17 00:00:00 2001
+Message-Id: <bc80e46dc56255dec477073bf021a7360ba48ce5@dist-git>
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Thu, 12 Jun 2014 10:50:43 +0200
+Subject: [PATCH] Fix crash when saving a domain with type none dac label
+
+qemuDomainGetImageIds did not check if there was a label
+in the seclabel, thus crashing on
+<seclabel type='none' model='dac'/>
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1108590
+https://bugzilla.redhat.com/show_bug.cgi?id=1171124
+(cherry picked from commit 7eb0ee175b278a4439cee65a7a554767f0be9cd1)
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+
+Conflicts:
+	src/qemu/qemu_domain.c - the call to virParseOwnershipIds is not
+        present in 7.0.z
+---
+ src/qemu/qemu_driver.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 1ce4c39..b0d4f33 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -2777,6 +2777,7 @@ qemuOpenFile(virQEMUDriverPtr driver,
+     /* TODO: Take imagelabel into account? */
+     if (vm &&
+         (seclabel = virDomainDefGetSecurityLabelDef(vm->def, "dac")) != NULL &&
++        seclabel->label != NULL &&
+         (virParseOwnershipIds(seclabel->label, &user, &group) < 0))
+         goto cleanup;
+ 
+-- 
+2.2.0
+
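Review bot: The patch description does not match the change: it names qemuDomainGetImageIds and lists a conflict in src/qemu/qemu_domain.c, while the only hunk adds the `seclabel->label != NULL` guard to qemuOpenFile in src/qemu/qemu_driver.c. A sentence in the backport note saying where the fix landed on this branch would save the next maintainer a search. A short comment above the condition would also help, for example `/* <seclabel type='none' model='dac'/> has no label string to parse */`. With the guard in place, `user` and `group` keep whatever values they were given earlier in qemuOpenFile, which is outside this hunk, so confirm that is the intended ownership for the opened file.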
diff --git a/SOURCES/libvirt-qemu-blockcopy-Don-t-remove-existing-disk-mirror-info.patch b/SOURCES/libvirt-qemu-blockcopy-Don-t-remove-existing-disk-mirror-info.patch
new file mode 100644
index 0000000..5c3f948
--- /dev/null
+++ b/SOURCES/libvirt-qemu-blockcopy-Don-t-remove-existing-disk-mirror-info.patch
@@ -0,0 +1,87 @@
+From 8b3fc29cdc829d0808c54cfa0936991a74f06aaf Mon Sep 17 00:00:00 2001
+Message-Id: <8b3fc29cdc829d0808c54cfa0936991a74f06aaf@dist-git>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 1 Oct 2014 17:41:58 -0600
+Subject: [PATCH] qemu: blockcopy: Don't remove existing disk mirror info
+
+RHEL 7.0.z: https://bugzilla.redhat.com/show_bug.cgi?id=1149078
+RHEL 7.1: https://bugzilla.redhat.com/show_bug.cgi?id=1113751
+
+When creating a new disk mirror the new struct is stored in a separate
+variable until everything went well. The removed hunk would actually
+remove existing mirror information for example when the api would be run
+if a mirror still exists.
+
+(cherry picked from commit 02b364e186d487f54ed410c01af042f23e812d42)
+
+This fixes a regression introduced in commit ff5f30b.
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+
+Conflicts:
+	src/qemu/qemu_driver.c - no refactoring of commits 7b7bf001, 4f20226
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/qemu/qemu_driver.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index ebdbfd7..ea87d50 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -15037,6 +15037,7 @@ qemuDomainBlockCopy(virDomainObjPtr vm,
+     struct stat st;
+     bool need_unlink = false;
+     char *mirror = NULL;
++    int mirrorFormat;
+     virQEMUDriverConfigPtr cfg = NULL;
+ 
+     /* Preliminaries: find the disk we are editing, sanity checks */
+@@ -15124,10 +15125,10 @@ qemuDomainBlockCopy(virDomainObjPtr vm,
+             goto endjob;
+         VIR_FORCE_CLOSE(fd);
+         if (!format)
+-            disk->mirrorFormat = disk->format;
++            mirrorFormat = disk->format;
+     } else if (format) {
+-        disk->mirrorFormat = virStorageFileFormatTypeFromString(format);
+-        if (disk->mirrorFormat <= 0) {
++        mirrorFormat = virStorageFileFormatTypeFromString(format);
++        if (mirrorFormat <= 0) {
+             virReportError(VIR_ERR_INVALID_ARG, _("unrecognized format '%s'"),
+                            format);
+             goto endjob;
+@@ -15137,11 +15138,11 @@ qemuDomainBlockCopy(virDomainObjPtr vm,
+          * also passed the RAW flag (and format is non-NULL), or it is
+          * safe for us to probe the format from the file that we will
+          * be using.  */
+-        disk->mirrorFormat = virStorageFileProbeFormat(dest, cfg->user,
+-                                                       cfg->group);
++        mirrorFormat = virStorageFileProbeFormat(dest, cfg->user,
++                                                 cfg->group);
+     }
+-    if (!format && disk->mirrorFormat > 0)
+-        format = virStorageFileFormatTypeToString(disk->mirrorFormat);
++    if (!format && mirrorFormat > 0)
++        format = virStorageFileFormatTypeToString(mirrorFormat);
+     if (VIR_STRDUP(mirror, dest) < 0)
+         goto endjob;
+ 
+@@ -15167,13 +15168,12 @@ qemuDomainBlockCopy(virDomainObjPtr vm,
+     /* Update vm in place to match changes.  */
+     need_unlink = false;
+     disk->mirror = mirror;
++    disk->mirrorFormat = mirrorFormat;
+     mirror = NULL;
+ 
+ endjob:
+     if (need_unlink && unlink(dest))
+         VIR_WARN("unable to unlink just-created %s", dest);
+-    if (ret < 0 && disk)
+-        disk->mirrorFormat = VIR_STORAGE_FILE_NONE;
+     VIR_FREE(mirror);
+     if (qemuDomainObjEndJob(driver, vm) == 0) {
+         vm = NULL;
+-- 
+2.2.0
+
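Review bot: `int mirrorFormat;` is declared without an initialiser, and in the visible hunks nothing assigns it when the caller supplies `format` without the REUSE_EXT flag (that branch only sets it under `if (!format)`), yet `disk->mirrorFormat = mirrorFormat;` later stores it unconditionally. On that path an indeterminate value would be copied into the disk definition. The next patch in this series assigns the variable on every branch, but initialising it here with `int mirrorFormat = VIR_STORAGE_FILE_NONE;` keeps this patch correct on its own and guards against later refactoring. The code between the hunks is not shown, so this assumes no assignment is hidden there.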
diff --git a/SOURCES/libvirt-qemu-copy-Accept-format-parameter-when-copying-to-a-non-existing-img.patch b/SOURCES/libvirt-qemu-copy-Accept-format-parameter-when-copying-to-a-non-existing-img.patch
new file mode 100644
index 0000000..c38d78d
--- /dev/null
+++ b/SOURCES/libvirt-qemu-copy-Accept-format-parameter-when-copying-to-a-non-existing-img.patch
@@ -0,0 +1,102 @@
+From bdc1f6bf79de43824f36bfba548b523765b24fb6 Mon Sep 17 00:00:00 2001
+Message-Id: <bdc1f6bf79de43824f36bfba548b523765b24fb6@dist-git>
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 1 Oct 2014 17:41:59 -0600
+Subject: [PATCH] qemu: copy: Accept 'format' parameter when copying to a
+ non-existing img
+
+RHEL 7.0.z: https://bugzilla.redhat.com/show_bug.cgi?id=1149078
+RHEL 7.1: https://bugzilla.redhat.com/show_bug.cgi?id=1113751
+
+We have the following matrix of possible arguments handled by the logic
+statement touched by this patch:
+       | flags & _REUSE_EXT | !(flags & _REUSE_EXT)
+-------+--------------------+----------------------
+ format| (1)                | (2)
+-------+--------------------+----------------------
+!format| (3)                | (4)
+-------+--------------------+----------------------
+
+In cases 1 and 2 the user provided a format, in cases 3 and 4 not. The
+user requests to use a pre-existing image in 1 and 3 and libvirt will
+create a new image in 2 and 4.
+
+The difference between cases 3 and 4 is that for 3 the format is probed
+from the user-provided image, whereas in 4 we just use the existing disk
+format.
+
+The current code would treat cases 1,3 and 4 correctly but in case 2 the
+format provided by the user would be ignored.
+
+The particular piece of code was broken in commit 35c7701c64508f975dfeb8
+but since it was introduced a few commits before that it was never
+released as working.
+
+(cherry picked from commit 42619ed05d7924978f3e6e2399522fc6f30607de)
+Signed-off-by: Eric Blake <eblake@redhat.com>
+
+Conflicts:
+	src/qemu/qemu_driver.c - no refactoring of commits 7b7bf001, 4f20226
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/qemu/qemu_driver.c | 37 +++++++++++++++++++++----------------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index ea87d50..72d03b5 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -15118,29 +15118,34 @@ qemuDomainBlockCopy(virDomainObjPtr vm,
+         goto endjob;
+     }
+ 
++    if (format) {
++        if ((mirrorFormat = virStorageFileFormatTypeFromString(format)) <= 0) {
++            virReportError(VIR_ERR_INVALID_ARG, _("unrecognized format '%s'"),
++                           format);
++            goto endjob;
++        }
++    } else {
++        if (!(flags & VIR_DOMAIN_BLOCK_REBASE_REUSE_EXT)) {
++            mirrorFormat = disk->format;
++        } else {
++            /* If the user passed the REUSE_EXT flag, then either they
++             * also passed the RAW flag (and format is non-NULL), or it is
++             * safe for us to probe the format from the file that we will
++             * be using.  */
++            mirrorFormat = virStorageFileProbeFormat(dest, cfg->user,
++                                                     cfg->group);
++        }
++    }
++
++    /* pre-create the image file */
+     if (!(flags & VIR_DOMAIN_BLOCK_REBASE_REUSE_EXT)) {
+         int fd = qemuOpenFile(driver, vm, dest, O_WRONLY | O_TRUNC | O_CREAT,
+                               &need_unlink, NULL);
+         if (fd < 0)
+             goto endjob;
+         VIR_FORCE_CLOSE(fd);
+-        if (!format)
+-            mirrorFormat = disk->format;
+-    } else if (format) {
+-        mirrorFormat = virStorageFileFormatTypeFromString(format);
+-        if (mirrorFormat <= 0) {
+-            virReportError(VIR_ERR_INVALID_ARG, _("unrecognized format '%s'"),
+-                           format);
+-            goto endjob;
+-        }
+-    } else {
+-        /* If the user passed the REUSE_EXT flag, then either they
+-         * also passed the RAW flag (and format is non-NULL), or it is
+-         * safe for us to probe the format from the file that we will
+-         * be using.  */
+-        mirrorFormat = virStorageFileProbeFormat(dest, cfg->user,
+-                                                 cfg->group);
+     }
++
+     if (!format && mirrorFormat > 0)
+         format = virStorageFileFormatTypeToString(mirrorFormat);
+     if (VIR_STRDUP(mirror, dest) < 0)
+-- 
+2.2.0
+
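Review bot: The result of `virStorageFileProbeFormat` in the REUSE_EXT branch is not checked: when it is zero or negative, `format` stays NULL at `if (!format && mirrorFormat > 0)` and the value is still carried forward in `mirrorFormat`. Because the destination image is supplied by the caller, a failed probe should probably end the operation rather than continue, for example `if (mirrorFormat < 0) goto endjob;` directly after the probe, assuming the probe reports its own error. How the rest of qemuDomainBlockCopy treats a NULL `format` is outside this hunk and should be confirmed.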
diff --git a/SOURCES/libvirt-qemu-reject-rather-than-hang-on-blockcommit-of-active-layer.patch b/SOURCES/libvirt-qemu-reject-rather-than-hang-on-blockcommit-of-active-layer.patch
new file mode 100644
index 0000000..44001a9
--- /dev/null
+++ b/SOURCES/libvirt-qemu-reject-rather-than-hang-on-blockcommit-of-active-layer.patch
@@ -0,0 +1,62 @@
+From f78e7381ac369952197ffb23b02f56ee430214e7 Mon Sep 17 00:00:00 2001
+Message-Id: <f78e7381ac369952197ffb23b02f56ee430214e7@dist-git>
+From: Eric Blake <eblake@redhat.com>
+Date: Thu, 21 Aug 2014 16:07:30 -0600
+Subject: [PATCH] qemu: reject rather than hang on blockcommit of active layer
+
+7.0.z: https://bugzilla.redhat.com/show_bug.cgi?id=1150379
+7.1: https://bugzilla.redhat.com/show_bug.cgi?id=1062142
+
+qemu 2.0 added the ability to commit the active layer, but slightly
+differently than what libvirt had been anticipating in its
+implementation of the virDomainBlockCommit call.  As a result, if
+you attempt to do a 'virsh blockcommit $dom vda', qemu gets into a
+state where it is waiting on libvirt to end the job, while libvirt
+is waiting on qemu to end the job, and the guest is effectively
+hung with regards to further commands for that block device.
+
+I have patches coming down the pipeline that will add full support
+for blockcommit of the active layer when coupled with qemu 2.0 or
+later; but they depend on Peter's improvements to block job handling
+and form enough of a new feature that they are not ready for
+inclusion in the 1.2.5 release.  So for now, just reject the
+attempt, rather than letting the user get stuck.  This is no worse
+than the behavior of qemu 1.7 rejecting the job.
+
+* src/qemu/qemu_driver.c (qemuDomainBlockCommit): Reject active
+commit.
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit e6bcbcd32c70ae394e7b6a530012fe8b07a59b5d)
+
+Conflicts:
+	src/qemu/qemu_driver.c - no refactoring of virStorageFileChainLookup
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/qemu/qemu_driver.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 72d03b5..1ce4c39 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -15312,6 +15312,16 @@ qemuDomainBlockCommit(virDomainPtr dom, const char *path, const char *base,
+                        top, path);
+         goto endjob;
+     }
++
++    /* FIXME: qemu 2.0 supports active commit, but as a two-stage
++     * process; qemu 2.1 is further improving active commit. We need
++     * to start supporting it in libvirt. */
++    if (top_meta == disk->backingChain) {
++        virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
++                       _("committing the active layer not supported yet"));
++        goto endjob;
++    }
++
+     if (!top_meta || !top_meta->backingStore) {
+         virReportError(VIR_ERR_INVALID_ARG,
+                        _("top '%s' in chain for '%s' has no backing file"),
+-- 
+2.2.0
+
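Review bot: The new `top_meta == disk->backingChain` test runs before the existing `!top_meta` check, so if both pointers are NULL the caller gets "committing the active layer not supported yet" instead of the more accurate "has no backing file" error. Whether both can be NULL at this point depends on code outside the hunk. If they can, `if (top_meta && top_meta == disk->backingChain)`, or moving the new block below the NULL check, keeps the reported error accurate. qemuDomainBlockCommit's body starts and ends outside the hunk.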
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index 678f294..d8dc72e 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -379,7 +379,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 1.1.1
-Release: 29%{?dist}.3%{?extra_release}
+Release: 29%{?dist}.4%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -906,6 +906,11 @@ Patch513: libvirt-qemu-split-out-cpuset.mems-setting.patch
 Patch514: libvirt-qemu-leave-restricting-cpuset.mems-after-initialization.patch
 Patch515: libvirt-CVE-2014-3633-qemu-blkiotune-Use-correct-definition-when-looking-up-disk.patch
 Patch516: libvirt-domain_conf-fix-domain-deadlock.patch
+Patch517: libvirt-qemu-blockcopy-Don-t-remove-existing-disk-mirror-info.patch
+Patch518: libvirt-qemu-copy-Accept-format-parameter-when-copying-to-a-non-existing-img.patch
+Patch519: libvirt-qemu-reject-rather-than-hang-on-blockcommit-of-active-layer.patch
+Patch520: libvirt-CVE-2014-7823-dumpxml-security-hole-with-migratable-flag.patch
+Patch521: libvirt-Fix-crash-when-saving-a-domain-with-type-none-dac-label.patch
 
 
 %if %{with_libvirtd}
@@ -2699,6 +2704,13 @@ exit 0
 %endif
 
 %changelog
+* Tue Dec  9 2014 Jiri Denemark <jdenemar@redhat.com> - 1.1.1-29.el7_0.4
+- qemu: blockcopy: Don't remove existing disk mirror info (rhbz#1149078)
+- qemu: copy: Accept 'format' parameter when copying to a non-existing img (rhbz#1149078)
+- qemu: reject rather than hang on blockcommit of active layer (rhbz#1150379)
+- CVE-2014-7823: dumpxml: security hole with migratable flag (CVE-2014-7823)
+- Fix crash when saving a domain with type none dac label (rhbz#1171124)
+
 * Tue Sep 23 2014 Jiri Denemark <jdenemar@redhat.com> - 1.1.1-29.el7_0.3
 - domain_conf: fix domain deadlock (CVE-2014-3657)