diff --git a/SOURCES/libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch b/SOURCES/libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch
new file mode 100644
index 0000000..936e3ce
--- /dev/null
+++ b/SOURCES/libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch
@@ -0,0 +1,61 @@
+From 5ed86f689f011c36e8008c30dc3dfe89bfbf280a Mon Sep 17 00:00:00 2001
+Message-Id: <5ed86f689f011c36e8008c30dc3dfe89bfbf280a@dist-git>
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Wed, 15 May 2019 21:40:56 +0100
+Subject: [PATCH] admin: reject clients unless their UID matches the current
+ UID
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The admin protocol RPC messages are only intended for use by the user
+running the daemon. As such they should not be allowed for any client
+UID that does not match the server UID.
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko
+Signed-off-by: Daniel P. Berrangé
+(cherry picked from a private commit)
+Reviewed-by: Jiri Denemark
+Message-Id: <20190515204058.28077-2-berrange@redhat.com>
+---
+ src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c
+index b78ff902c0..9f25813ae3 100644
+--- a/src/admin/admin_server_dispatch.c
++++ b/src/admin/admin_server_dispatch.c
+@@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
+ void *opaque)
+ {
+ struct daemonAdmClientPrivate *priv;
++ uid_t clientuid;
++ gid_t clientgid;
++ pid_t clientpid;
++ unsigned long long timestamp;
++
++ if (virNetServerClientGetUNIXIdentity(client,
++ &clientuid,
++ &clientgid,
++ &clientpid,
++ ×tamp) < 0)
++ return NULL;
++
++ VIR_DEBUG("New client pid %lld uid %lld",
++ (long long)clientpid,
++ (long long)clientuid);
++
++ if (geteuid() != clientuid) {
++ virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
++ (long long)clientpid,
++ (long long)clientuid);
++ return NULL;
++ }
+
+ if (VIR_ALLOC(priv) < 0)
+ return NULL;
+--
+2.21.0
+
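Review bot: `client` is still declared `ATTRIBUTE_UNUSED` in the signature quoted by the inner hunk header, although the added code now passes it to `virNetServerClientGetUNIXIdentity()`; the annotation should be dropped (`remoteAdmClientNew(virNetServerClientPtr client,`) so the signature stops contradicting the body. The `geteuid() != clientuid` test is the entire authorization decision for the admin protocol, so it merits a comment directly above it, e.g. `/* Admin RPC is reserved for the user running the daemon; any other peer UID is refused, and a failed identity lookup is refused too (fail closed). */`. `clientgid` and `timestamp` are fetched only to satisfy the call and are never read in the visible lines, which the comment could also mention. The `×tamp` argument as rendered here is presumably `&timestamp` mangled by the page's entity decoding, and the function body continues beyond the hunk.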
diff --git a/SOURCES/libvirt-locking-restrict-sockets-to-mode-0600.patch b/SOURCES/libvirt-locking-restrict-sockets-to-mode-0600.patch
new file mode 100644
index 0000000..3d10e58
--- /dev/null
+++ b/SOURCES/libvirt-locking-restrict-sockets-to-mode-0600.patch
@@ -0,0 +1,54 @@
+From df3809f976bf16fd68cf127e1209282bd751186c Mon Sep 17 00:00:00 2001
+Message-Id:
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Wed, 15 May 2019 21:40:57 +0100
+Subject: [PATCH] locking: restrict sockets to mode 0600
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virtlockd daemon's only intended client is the libvirtd daemon. As
+such it should never allow clients from other user accounts to connect.
+The code already enforces this and drops clients from other UIDs, but
+we can get earlier (and thus stronger) protection against DoS by setting
+the socket permissions to 0600
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko
+Signed-off-by: Daniel P. Berrangé
+(cherry picked from a private commit)
+Reviewed-by: Jiri Denemark
+Message-Id: <20190515204058.28077-3-berrange@redhat.com>
+---
+ src/locking/virtlockd-admin.socket.in | 1 +
+ src/locking/virtlockd.socket.in | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in
+index 2a7500f3d0..f674c492f7 100644
+--- a/src/locking/virtlockd-admin.socket.in
++++ b/src/locking/virtlockd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
+ Service=virtlockd.service
++SocketMode=0600
+
+ [Install]
+ WantedBy=sockets.target
+diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in
+index 45e0f20235..d701b27516 100644
+--- a/src/locking/virtlockd.socket.in
++++ b/src/locking/virtlockd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
++SocketMode=0600
+
+ [Install]
+ WantedBy=sockets.target
+--
+2.21.0
+
diff --git a/SOURCES/libvirt-logging-restrict-sockets-to-mode-0600.patch b/SOURCES/libvirt-logging-restrict-sockets-to-mode-0600.patch
new file mode 100644
index 0000000..92d3cb9
--- /dev/null
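Review bot: `SocketMode=0600` only governs sockets that systemd creates from these units, so two things stay unstated in both `virtlockd` unit files: what mode the daemon applies when it binds the socket itself without socket activation (not visible here), and that a socket already listening before the update presumably keeps its old mode until the `.socket` unit is restarted. A comment on the line above the new setting would record the intent, e.g. `# Only libvirtd, running as the same user, may connect (CVE-2019-10132)`. The commit message describes the mode as an earlier filter in front of the existing UID check, not a replacement for it, and the comment should say so as well. The same points apply to the `virtlogd.socket.in` and `virtlogd-admin.socket.in` changes in the patch that follows.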
+++ b/SOURCES/libvirt-logging-restrict-sockets-to-mode-0600.patch
@@ -0,0 +1,54 @@
+From b3feb1b383093fd4964de274bf6c96aade1a6d7e Mon Sep 17 00:00:00 2001
+Message-Id:
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Wed, 15 May 2019 21:40:58 +0100
+Subject: [PATCH] logging: restrict sockets to mode 0600
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virtlogd daemon's only intended client is the libvirtd daemon. As
+such it should never allow clients from other user accounts to connect.
+The code already enforces this and drops clients from other UIDs, but
+we can get earlier (and thus stronger) protection against DoS by setting
+the socket permissions to 0600
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko
+Signed-off-by: Daniel P. Berrangé
+(cherry picked from a private commit)
+Reviewed-by: Jiri Denemark
+Message-Id: <20190515204058.28077-4-berrange@redhat.com>
+---
+ src/logging/virtlogd-admin.socket.in | 1 +
+ src/logging/virtlogd.socket.in | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in
+index 595e6c4c4b..5c41dfeb7b 100644
+--- a/src/logging/virtlogd-admin.socket.in
++++ b/src/logging/virtlogd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
+ Service=virtlogd.service
++SocketMode=0600
+
+ [Install]
+ WantedBy=sockets.target
+diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in
+index 22b9360c8d..ae48cdab9a 100644
+--- a/src/logging/virtlogd.socket.in
++++ b/src/logging/virtlogd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
++SocketMode=0600
+
+ [Install]
+ WantedBy=sockets.target
+--
+2.21.0
+
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index b16716d..59688f9 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -243,7 +243,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 4.5.0 -Release: 23.1%{?dist}%{?extra_release} +Release: 23.2%{?dist}%{?extra_release} License: LGPLv2+ URL: https://libvirt.org/ @@ -452,6 +452,9 @@ Patch196: libvirt-cpu_x86-Do-not-cache-microcode-version.patch Patch197: libvirt-qemu-Don-t-cache-microcode-version.patch Patch198: libvirt-cputest-Add-data-for-Intel-R-Xeon-R-CPU-E3-1225-v5.patch Patch199: libvirt-cpu_map-Define-md-clear-CPUID-bit.patch +Patch200: libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch +Patch201: libvirt-locking-restrict-sockets-to-mode-0600.patch +Patch202: libvirt-logging-restrict-sockets-to-mode-0600.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -2363,6 +2366,11 @@ exit 0 %changelog +* Thu May 16 2019 Jiri Denemark - 4.5.0-23.2.el8 +- admin: reject clients unless their UID matches the current UID (CVE-2019-10132) +- locking: restrict sockets to mode 0600 (CVE-2019-10132) +- logging: restrict sockets to mode 0600 (CVE-2019-10132) + * Mon May 6 2019 Jiri Denemark - 4.5.0-23.1.el8 - cpu_x86: Do not cache microcode version (CVE-2018-12130, CVE-2018-12126, CVE-2018-11091, CVE-2018-12127) - qemu: Don't cache microcode version (CVE-2018-12130, CVE-2018-12126, CVE-2018-11091, CVE-2018-12127)