diff --git a/SOURCES/libvirt-Don-t-use-AI_ADDRCONFIG-when-binding-to-wildcard-addresses.patch b/SOURCES/libvirt-Don-t-use-AI_ADDRCONFIG-when-binding-to-wildcard-addresses.patch
new file mode 100644
index 0000000..a65948b
--- /dev/null
+++ b/SOURCES/libvirt-Don-t-use-AI_ADDRCONFIG-when-binding-to-wildcard-addresses.patch
@@ -0,0 +1,102 @@
+From 00f93eb12547bbd7314394e23faf72695972efcf Mon Sep 17 00:00:00 2001
+Message-Id: <00f93eb12547bbd7314394e23faf72695972efcf@dist-git>
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Tue, 24 Jun 2014 16:02:37 +0200
+Subject: [PATCH] Don't use AI_ADDRCONFIG when binding to wildcard addresses
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1112692
+
+With parallel boot, network addresses might not yet be assigned [1],
+but binding to wildcard addresses should work.
+
+For non-wildcard addresses, ADDRCONFIG is still used. Document this
+in libvirtd.conf.
+
+[1] http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
+
+(cherry picked from commit 819ca36e2b65a0a34263547161a98cec497780c8)
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ daemon/libvirtd.conf   |  4 ++++
+ src/rpc/virnetsocket.c | 28 ++++++++++++++++++++++++++--
+ 2 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
+index 5353927..e518ae5 100644
+--- a/daemon/libvirtd.conf
++++ b/daemon/libvirtd.conf
+@@ -48,6 +48,10 @@
+ # Override the default configuration which binds to all network
+ # interfaces. This can be a numeric IPv4/6 address, or hostname
+ #
++# If the libvirtd service is started in parallel with network
++# startup (e.g. with systemd), binding to addresses other than
++# the wildcards (0.0.0.0/::) might not be available yet.
++#
+ #listen_addr = "192.168.0.1"
+ 
+ 
+diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
+index fcd41ca..85fedb0 100644
+--- a/src/rpc/virnetsocket.c
++++ b/src/rpc/virnetsocket.c
+@@ -224,15 +224,29 @@ int virNetSocketNewListenTCP(const char *nodename,
+     struct addrinfo hints;
+     int fd = -1;
+     size_t i;
+-    int addrInUse = false;
++    bool addrInUse = false;
++    bool familyNotSupported = false;
++    virSocketAddr tmp_addr;
+ 
+     *retsocks = NULL;
+     *nretsocks = 0;
+ 
+     memset(&hints, 0, sizeof(hints));
+-    hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
++    hints.ai_flags = AI_PASSIVE;
+     hints.ai_socktype = SOCK_STREAM;
+ 
++    /* Don't use ADDRCONFIG for binding to the wildcard address.
++     * Just catch the error returned by socket() if the system has
++     * no IPv6 support.
++     *
++     * This allows libvirtd to be started in parallel with the network
++     * startup in most cases.
++     */
++    if (nodename &&
++        !(virSocketAddrParse(&tmp_addr, nodename, AF_UNSPEC) > 0 &&
++          virSocketAddrIsWildcard(&tmp_addr)))
++        hints.ai_flags |= AI_ADDRCONFIG;
++
+     int e = getaddrinfo(nodename, service, &hints, &ai);
+     if (e != 0) {
+         virReportError(VIR_ERR_SYSTEM_ERROR,
+@@ -249,6 +263,11 @@ int virNetSocketNewListenTCP(const char *nodename,
+ 
+         if ((fd = socket(runp->ai_family, runp->ai_socktype,
+                          runp->ai_protocol)) < 0) {
++            if (errno == EAFNOSUPPORT) {
++                familyNotSupported = true;
++                runp = runp->ai_next;
++                continue;
++            }
+             virReportSystemError(errno, "%s", _("Unable to create socket"));
+             goto error;
+         }
+@@ -306,6 +325,11 @@ int virNetSocketNewListenTCP(const char *nodename,
+         fd = -1;
+     }
+ 
++    if (nsocks == 0 && familyNotSupported) {
++        virReportSystemError(EAFNOSUPPORT, "%s", _("Unable to bind to port"));
++        goto error;
++    }
++
+     if (nsocks == 0 &&
+         addrInUse) {
+         virReportSystemError(EADDRINUSE, "%s", _("Unable to bind to port"));
+-- 
+2.0.0
+
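Review bot: In the embedded virnetsocket.c change, the `EAFNOSUPPORT` branch after `socket()` skips the address family without logging anything, so a daemon that ends up listening on IPv4 only leaves the operator no trace of why the IPv6 listener is missing. A debug line before the `continue`, e.g. `VIR_DEBUG("Skipping address family %d: not supported", runp->ai_family);`, would make that visible. Separately, `virSocketAddrParse()` is now called on every non-NULL `nodename`; if it reports a libvirt error for non-numeric input (its body is not shown here), a hostname `listen_addr` would leave a spurious error behind even though the bind succeeds, which is worth confirming. virNetSocketNewListenTCP starts and ends outside these hunks.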
diff --git a/SOURCES/libvirt-LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch b/SOURCES/libvirt-LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch
new file mode 100644
index 0000000..a401de9
--- /dev/null
+++ b/SOURCES/libvirt-LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch
@@ -0,0 +1,44 @@
+From 4243ecb180e5236351d671a16201816721ee8fd2 Mon Sep 17 00:00:00 2001
+Message-Id: <4243ecb180e5236351d671a16201816721ee8fd2@dist-git>
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Tue, 6 May 2014 15:18:22 +0100
+Subject: [PATCH] LSN-2014-0003: Don't expand entities when parsing XML
+
+For CVE-2014-0179.
+
+If the XML_PARSE_NOENT flag is passed to libxml2, then any
+entities in the input document will be fully expanded. This
+allows the user to read arbitrary files on the host machine
+by creating an entity pointing to a local file. Removing
+the XML_PARSE_NOENT flag means that any entities are left
+unchanged by the parser, or expanded to "" by the XPath
+APIs.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+(cherry picked from commit d6b27d3e4c40946efa79e91d134616b41b1666c4)
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/util/virxml.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/virxml.c b/src/util/virxml.c
+index f652ee0..4769569 100644
+--- a/src/util/virxml.c
++++ b/src/util/virxml.c
+@@ -746,11 +746,11 @@ virXMLParseHelper(int domcode,
+ 
+     if (filename) {
+         xml = xmlCtxtReadFile(pctxt, filename, NULL,
+-                              XML_PARSE_NOENT | XML_PARSE_NONET |
++                              XML_PARSE_NONET |
+                               XML_PARSE_NOWARNING);
+     } else {
+         xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, url, NULL,
+-                             XML_PARSE_NOENT | XML_PARSE_NONET |
++                             XML_PARSE_NONET |
+                              XML_PARSE_NOWARNING);
+     }
+     if (!xml)
+-- 
+2.0.0
+
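Review bot: Neither parser call in virXMLParseHelper carries a comment saying why `XML_PARSE_NOENT` is absent, so a later cleanup could add it back and reopen CVE-2014-0179. I would put a comment above the `if (filename)` block, `/* Never pass XML_PARSE_NOENT here: expanding entities lets an untrusted document pull in local files (CVE-2014-0179) */`, and add a regression test that parses a document declaring an external entity and checks that the entity's content does not appear in the result. The function body starts and ends outside the hunk, so whether other libxml2 entry points in this file set the flag cannot be seen from here.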
diff --git a/SOURCES/libvirt-qemu-Unlock-the-NWFilter-update-lock-by-leaving-via-the-cleanup-label.patch b/SOURCES/libvirt-qemu-Unlock-the-NWFilter-update-lock-by-leaving-via-the-cleanup-label.patch
new file mode 100644
index 0000000..a1e6600
--- /dev/null
+++ b/SOURCES/libvirt-qemu-Unlock-the-NWFilter-update-lock-by-leaving-via-the-cleanup-label.patch
@@ -0,0 +1,35 @@
+From 0fcbd4b6e8027c5d6df0a6f8900596832b4f9faa Mon Sep 17 00:00:00 2001
+Message-Id: <0fcbd4b6e8027c5d6df0a6f8900596832b4f9faa@dist-git>
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Thu, 17 Apr 2014 06:30:08 -0400
+Subject: [PATCH] qemu: Unlock the NWFilter update lock by leaving via the
+ cleanup label
+
+Fix a locking problem by leaving the function via the cleanup label.
+
+Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1112690
+
+(cherry picked from commit a4209f53795290ff9f2173092800eb3f767fff3e)
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/qemu/qemu_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 89be90c..475b752 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -6173,7 +6173,7 @@ qemuDomainCreateWithFlags(virDomainPtr dom, unsigned int flags)
+     virNWFilterReadLockFilterUpdates();
+ 
+     if (!(vm = qemuDomObjFromDomain(dom)))
+-        return -1;
++        goto cleanup;
+ 
+     if (virDomainCreateWithFlagsEnsureACL(dom->conn, vm->def) < 0)
+         goto cleanup;
+-- 
+2.0.0
+
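Review bot: With `goto cleanup` the function now reaches the cleanup label with `vm == NULL`, and that label is outside the hunk, so it is not visible whether it guards the object unlock (`if (vm) ...`) or whether `ret` still holds -1 at that point. Both should be confirmed before relying on this path. A short comment at the lock call, `/* every exit below must go through cleanup to release the filter-update read lock */`, would help keep later early returns from reintroducing the leak.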
diff --git a/SOURCES/libvirt-virNetClientSetTLSSession-Restore-original-signal-mask.patch b/SOURCES/libvirt-virNetClientSetTLSSession-Restore-original-signal-mask.patch
new file mode 100644
index 0000000..a2a1b71
--- /dev/null
+++ b/SOURCES/libvirt-virNetClientSetTLSSession-Restore-original-signal-mask.patch
@@ -0,0 +1,55 @@
+From fc487718995019c158cbf8305b6473f0dfb61ef7 Mon Sep 17 00:00:00 2001
+Message-Id: <fc487718995019c158cbf8305b6473f0dfb61ef7@dist-git>
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Tue, 24 Jun 2014 15:44:35 +0200
+Subject: [PATCH] virNetClientSetTLSSession: Restore original signal mask
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1112689
+
+Currently, we use pthread_sigmask(SIG_BLOCK, ...) prior to calling
+poll(). This is okay, as we don't want poll() to be interrupted.
+However, then - immediately as we fall out from the poll() - we try to
+restore the original sigmask - again using SIG_BLOCK. But as the man
+page says, SIG_BLOCK adds signals to the signal mask:
+
+SIG_BLOCK
+      The set of blocked signals is the union of the current set and the set argument.
+
+Therefore, when restoring the original mask, we need to completely
+overwrite the one we set earlier and hence we should be using:
+
+SIG_SETMASK
+      The set of blocked signals is set to the argument set.
+
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 3d4b4f5ac634c123af1981084add29d3a2ca6ab0)
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/rpc/virnetclient.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c
+index 9deec9e..9cb77cd 100644
+--- a/src/rpc/virnetclient.c
++++ b/src/rpc/virnetclient.c
+@@ -789,7 +789,7 @@ int virNetClientSetTLSSession(virNetClientPtr client,
+         if (ret < 0 && (errno == EAGAIN || errno == EINTR))
+             goto repoll;
+ 
+-        ignore_value(pthread_sigmask(SIG_BLOCK, &oldmask, NULL));
++        ignore_value(pthread_sigmask(SIG_SETMASK, &oldmask, NULL));
+     }
+ 
+     ret = virNetTLSContextCheckCertificate(tls, client->tls);
+@@ -813,7 +813,7 @@ int virNetClientSetTLSSession(virNetClientPtr client,
+     if (ret < 0 && (errno == EAGAIN || errno == EINTR))
+         goto repoll2;
+ 
+-    ignore_value(pthread_sigmask(SIG_BLOCK, &oldmask, NULL));
++    ignore_value(pthread_sigmask(SIG_SETMASK, &oldmask, NULL));
+ 
+     len = virNetTLSSessionRead(client->tls, buf, 1);
+     if (len < 0 && errno != ENOMSG) {
+-- 
+2.0.0
+
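Review bot: The block/poll/restore sequence appears to be written out twice in virNetClientSetTLSSession (around `repoll` and `repoll2`), which is why the same wrong `how` argument had to be fixed in two places. A small static helper that saves the mask, polls, and restores it with `SIG_SETMASK` would keep the two sites from drifting apart; the blocking half of the sequence is outside these hunks, so this is inferred from the labels. At minimum a comment on each restore, `/* SIG_SETMASK: put back the saved mask; SIG_BLOCK would only add to it */`, documents the intent.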
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index 85c5000..6f8b47e 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -379,7 +379,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 1.1.1
-Release: 29%{?dist}%{?extra_release}
+Release: 29%{?dist}.1%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -898,6 +898,10 @@ Patch505: libvirt-qemu-Introduce-qemuDomainDefCheckABIStability.patch
 Patch506: libvirt-nwfilter-Increase-buffer-size-for-libpcap.patch
 Patch507: libvirt-nwfilter-Display-pcap-s-error-message-when-pcap-setup-fails.patch
 Patch508: libvirt-nwfilter-Fix-double-free-of-pointer.patch
+Patch509: libvirt-LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch
+Patch510: libvirt-virNetClientSetTLSSession-Restore-original-signal-mask.patch
+Patch511: libvirt-Don-t-use-AI_ADDRCONFIG-when-binding-to-wildcard-addresses.patch
+Patch512: libvirt-qemu-Unlock-the-NWFilter-update-lock-by-leaving-via-the-cleanup-label.patch
 
 
 %if %{with_libvirtd}
@@ -1695,6 +1699,22 @@ of recent versions of Linux (and other OSes).
 %prep
 %setup -q
 
+# Patches have to be stored in a temporary file because RPM has
+# a limit on the length of the result of any macro expansion;
+# if the string is longer, it's silently cropped
+%{lua:
+    tmp = os.tmpname();
+    f = io.open(tmp, "w+");
+    count = 0;
+    for i, p in ipairs(patches) do
+        f:write(p.."\n");
+        count = count + 1;
+    end;
+    f:close();
+    print("PATCHCOUNT="..count.."\n")
+    print("PATCHLIST="..tmp.."\n")
+}
+
 git init -q
 git config user.name rpm-build
 git config user.email rpm-build
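Review bot: The `%{lua:}` block does not check the result of `io.open(tmp, "w+")`, so a failed open surfaces as a Lua error on `f:write` rather than a clear build failure; `f = assert(io.open(tmp, "w+"))` would say what went wrong. The file is also opened by name after `os.tmpname()` returns, and depending on how the embedded Lua implements `os.tmpname()` that name may be predictable in a shared temp directory, so builds outside an isolated build root deserve a look. `tmp`, `f` and `count` are interpreter globals and could be declared `local`. Because the macro is expanded when the spec is parsed, a temp file is probably created on every parse, not only when %prep runs.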
@@ -1702,9 +1722,17 @@ git config gc.auto 0
 git add .
 git commit -q -a --author 'rpm-build <rpm-build>' \
            -m '%{name}-%{version} base'
-{
-%{lua: for i, p in ipairs(patches) do print("  echo "..p.."\n") end}
-} | xargs git am
+
+COUNT=$(grep '\.patch$' $PATCHLIST | wc -l)
+if [ $COUNT -ne $PATCHCOUNT ]; then
+    echo "Found $COUNT patches in $PATCHLIST, expected $PATCHCOUNT"
+    exit 1
+fi
+if [ $COUNT -gt 0 ]; then
+    xargs git am <$PATCHLIST || exit 1
+fi
+echo "Applied $COUNT patches"
+rm -f $PATCHLIST
 
 
 %build
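Review bot: Both `exit 1` paths leave the temporary patch list behind, because `rm -f $PATCHLIST` runs only after a successful `git am`; a `trap 'rm -f "$PATCHLIST"' EXIT` placed right after the `PATCHLIST=` assignment emitted by the Lua block would clean up on every exit. `$PATCHLIST`, `$COUNT` and `$PATCHCOUNT` are expanded unquoted, so an empty or unusual value turns into a confusing `grep` or `[` error; quoting them, e.g. `if [ "$COUNT" -ne "$PATCHCOUNT" ]; then`, keeps the check meaningful. `grep -c '\.patch$' "$PATCHLIST"` would replace the `grep | wc -l` pipeline.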
@@ -2667,6 +2695,12 @@ exit 0
 %endif
 
 %changelog
+* Thu Jul  3 2014 Jiri Denemark <jdenemar@redhat.com> - 1.1.1-29.el7_0.1
+- LSN-2014-0003: Don't expand entities when parsing XML (CVE-2014-0179)
+- virNetClientSetTLSSession: Restore original signal mask (rhbz#1112689)
+- Don't use AI_ADDRCONFIG when binding to wildcard addresses (rhbz#1112692)
+- qemu: Unlock the NWFilter update lock by leaving via the cleanup label (rhbz#1112690)
+
 * Mon Mar 24 2014 Jiri Denemark <jdenemar@redhat.com> - 1.1.1-29
 - nwfilter: Increase buffer size for libpcap (rhbz#1078347)
 - nwfilter: Display pcap's error message when pcap setup fails (rhbz#1078347)