diff --git a/SOURCES/libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch b/SOURCES/libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch
new file mode 100644
index 0000000..936e3ce
--- /dev/null
+++ b/SOURCES/libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch
@@ -0,0 +1,61 @@
+From 5ed86f689f011c36e8008c30dc3dfe89bfbf280a Mon Sep 17 00:00:00 2001
+Message-Id: <5ed86f689f011c36e8008c30dc3dfe89bfbf280a@dist-git>
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 15 May 2019 21:40:56 +0100
+Subject: [PATCH] admin: reject clients unless their UID matches the current
+ UID
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The admin protocol RPC messages are only intended for use by the user
+running the daemon. As such they should not be allowed for any client
+UID that does not match the server UID.
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from a private commit)
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+Message-Id: <20190515204058.28077-2-berrange@redhat.com>
+---
+ src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c
+index b78ff902c0..9f25813ae3 100644
+--- a/src/admin/admin_server_dispatch.c
++++ b/src/admin/admin_server_dispatch.c
+@@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
+                    void *opaque)
+ {
+     struct daemonAdmClientPrivate *priv;
++    uid_t clientuid;
++    gid_t clientgid;
++    pid_t clientpid;
++    unsigned long long timestamp;
++
++    if (virNetServerClientGetUNIXIdentity(client,
++                                          &clientuid,
++                                          &clientgid,
++                                          &clientpid,
++                                          &timestamp) < 0)
++        return NULL;
++
++    VIR_DEBUG("New client pid %lld uid %lld",
++              (long long)clientpid,
++              (long long)clientuid);
++
++    if (geteuid() != clientuid) {
++        virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
++                                 (long long)clientpid,
++                                 (long long)clientuid);
++        return NULL;
++    }
+ 
+     if (VIR_ALLOC(priv) < 0)
+         return NULL;
+-- 
+2.21.0
+
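Review bot: `client` is still annotated `ATTRIBUTE_UNUSED` in the `remoteAdmClientNew` signature shown in the inner hunk header, although the added code now passes it to `virNetServerClientGetUNIXIdentity()`. The diffstat lists 22 insertions and no deletions, so the annotation was left in place. The compiler accepts this, but it misleads anyone auditing the access check, so the signature line should read `remoteAdmClientNew(virNetServerClientPtr client,`. `clientgid` and `timestamp` are fetched but never read in the visible lines, and the first `return NULL` presumably relies on the identity helper having reported its own error, which is worth confirming. A one-line comment above the `geteuid()` comparison, such as `/* Only the UID the daemon runs as may use the admin protocol. */`, would mark it as the authorization gate; the function body continues outside the hunk.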
diff --git a/SOURCES/libvirt-locking-restrict-sockets-to-mode-0600.patch b/SOURCES/libvirt-locking-restrict-sockets-to-mode-0600.patch
new file mode 100644
index 0000000..3d10e58
--- /dev/null
+++ b/SOURCES/libvirt-locking-restrict-sockets-to-mode-0600.patch
@@ -0,0 +1,54 @@
+From df3809f976bf16fd68cf127e1209282bd751186c Mon Sep 17 00:00:00 2001
+Message-Id: <df3809f976bf16fd68cf127e1209282bd751186c@dist-git>
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 15 May 2019 21:40:57 +0100
+Subject: [PATCH] locking: restrict sockets to mode 0600
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virtlockd daemon's only intended client is the libvirtd daemon. As
+such it should never allow clients from other user accounts to connect.
+The code already enforces this and drops clients from other UIDs, but
+we can get earlier (and thus stronger) protection against DoS by setting
+the socket permissions to 0600
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from a private commit)
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+Message-Id: <20190515204058.28077-3-berrange@redhat.com>
+---
+ src/locking/virtlockd-admin.socket.in | 1 +
+ src/locking/virtlockd.socket.in       | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in
+index 2a7500f3d0..f674c492f7 100644
+--- a/src/locking/virtlockd-admin.socket.in
++++ b/src/locking/virtlockd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
+ Service=virtlockd.service
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in
+index 45e0f20235..d701b27516 100644
+--- a/src/locking/virtlockd.socket.in
++++ b/src/locking/virtlockd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+ 
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+-- 
+2.21.0
+
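Review bot: `SocketMode=0600` in `virtlockd.socket.in` and `virtlockd-admin.socket.in` only takes effect when systemd creates the socket node, so after a package upgrade an already-listening socket keeps its previous mode until the socket units are restarted. Whether the spec scriptlets restart them is not visible in this diff and is worth confirming. The same applies to the two virtlogd units in the logging patch that follows. If the daemons can also create their listening sockets without socket activation, that path would need the same mode, which cannot be confirmed from these hunks. A short comment above each new line would record the intent, e.g. `# Only libvirtd (same UID) is an intended client; other accounts must not be able to connect`.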
diff --git a/SOURCES/libvirt-logging-restrict-sockets-to-mode-0600.patch b/SOURCES/libvirt-logging-restrict-sockets-to-mode-0600.patch
new file mode 100644
index 0000000..92d3cb9
--- /dev/null
+++ b/SOURCES/libvirt-logging-restrict-sockets-to-mode-0600.patch
@@ -0,0 +1,54 @@
+From b3feb1b383093fd4964de274bf6c96aade1a6d7e Mon Sep 17 00:00:00 2001
+Message-Id: <b3feb1b383093fd4964de274bf6c96aade1a6d7e@dist-git>
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 15 May 2019 21:40:58 +0100
+Subject: [PATCH] logging: restrict sockets to mode 0600
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virtlogd daemon's only intended client is the libvirtd daemon. As
+such it should never allow clients from other user accounts to connect.
+The code already enforces this and drops clients from other UIDs, but
+we can get earlier (and thus stronger) protection against DoS by setting
+the socket permissions to 0600
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from a private commit)
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+Message-Id: <20190515204058.28077-4-berrange@redhat.com>
+---
+ src/logging/virtlogd-admin.socket.in | 1 +
+ src/logging/virtlogd.socket.in       | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in
+index 595e6c4c4b..5c41dfeb7b 100644
+--- a/src/logging/virtlogd-admin.socket.in
++++ b/src/logging/virtlogd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
+ Service=virtlogd.service
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in
+index 22b9360c8d..ae48cdab9a 100644
+--- a/src/logging/virtlogd.socket.in
++++ b/src/logging/virtlogd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+ 
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+-- 
+2.21.0
+
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index b16716d..59688f9 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -243,7 +243,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 4.5.0
-Release: 23.1%{?dist}%{?extra_release}
+Release: 23.2%{?dist}%{?extra_release}
 License: LGPLv2+
 URL: https://libvirt.org/
 
@@ -452,6 +452,9 @@ Patch196: libvirt-cpu_x86-Do-not-cache-microcode-version.patch
 Patch197: libvirt-qemu-Don-t-cache-microcode-version.patch
 Patch198: libvirt-cputest-Add-data-for-Intel-R-Xeon-R-CPU-E3-1225-v5.patch
 Patch199: libvirt-cpu_map-Define-md-clear-CPUID-bit.patch
+Patch200: libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch
+Patch201: libvirt-locking-restrict-sockets-to-mode-0600.patch
+Patch202: libvirt-logging-restrict-sockets-to-mode-0600.patch
 
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -2363,6 +2366,11 @@ exit 0
 
 
 %changelog
+* Thu May 16 2019 Jiri Denemark <jdenemar@redhat.com> - 4.5.0-23.2.el8
+- admin: reject clients unless their UID matches the current UID (CVE-2019-10132)
+- locking: restrict sockets to mode 0600 (CVE-2019-10132)
+- logging: restrict sockets to mode 0600 (CVE-2019-10132)
+
 * Mon May  6 2019 Jiri Denemark <jdenemar@redhat.com> - 4.5.0-23.1.el8
 - cpu_x86: Do not cache microcode version (CVE-2018-12130, CVE-2018-12126, CVE-2018-11091, CVE-2018-12127)
 - qemu: Don't cache microcode version (CVE-2018-12130, CVE-2018-12126, CVE-2018-11091, CVE-2018-12127)