libvirt/e4cb8500-avoid-malicious-ssh-hostname-as-args.patch

commit e4cb8500810a310a10a6cb359e1b53fac03ed597
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Fri Aug 11 17:19:53 2017 +0100

    rpc: avoid ssh interpreting malicious hostname as arguments
    
    Inspired by the recent GIT / Mercurial security flaws
    (http://blog.recurity-labs.com/2017-08-10/scm-vulns),
    consider someone/something manages to feed libvirt a bogus
    URI such as:
    
      virsh -c qemu+ssh://-oProxyCommand=gnome-calculator/system
    
    In this case, the hosname "-oProxyCommand=gnome-calculator"
    will get interpreted as an argument to ssh, not a hostname.
    Fortunately, due to the set of args we have following the
    hostname, SSH will then interpret our bit of shell script
    that runs 'nc' on the remote host as a cipher name, which is
    clearly invalid. This makes ssh exit during argv parsing and
    so it never tries to run gnome-calculator.
    
    We are lucky this time, but lets be more paranoid, by using
    '--' to explicitly tell SSH when it has finished seeing
    command line options. This forces it to interpret
    "-oProxyCommand=gnome-calculator" as a hostname, and thus
    see a fail from hostname lookup.
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Index: libvirt-3.6.0/src/rpc/virnetsocket.c
===================================================================
--- libvirt-3.6.0.orig/src/rpc/virnetsocket.c
+++ libvirt-3.6.0/src/rpc/virnetsocket.c
@@ -868,7 +868,7 @@ int virNetSocketNewConnectSSH(const char
     if (!netcat)
         netcat = "nc";
 
-    virCommandAddArgList(cmd, nodename, "sh", "-c", NULL);
+    virCommandAddArgList(cmd, "--", nodename, "sh", "-c", NULL);
 
     virBufferEscapeShell(&buf, netcat);
     if (virBufferCheckError(&buf) < 0) {
Accepting request 519733 from home:jfehlig:branches:Virtualization - rpc: avoid ssh interpreting malicious hostname as arguments e4cb8500-avoid-malicious-ssh-hostname-as-args.patch bsc#1053600 OBS-URL: https://build.opensuse.org/request/show/519733 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=617 2017-08-30 22:10:31 +02:00			`commit e4cb8500810a310a10a6cb359e1b53fac03ed597`
			`Author: Daniel P. Berrange <berrange@redhat.com>`
			`Date: Fri Aug 11 17:19:53 2017 +0100`

			`rpc: avoid ssh interpreting malicious hostname as arguments`

			`Inspired by the recent GIT / Mercurial security flaws`
			`(http://blog.recurity-labs.com/2017-08-10/scm-vulns),`
			`consider someone/something manages to feed libvirt a bogus`
			`URI such as:`

			`virsh -c qemu+ssh://-oProxyCommand=gnome-calculator/system`

			`In this case, the hosname "-oProxyCommand=gnome-calculator"`
			`will get interpreted as an argument to ssh, not a hostname.`
			`Fortunately, due to the set of args we have following the`
			`hostname, SSH will then interpret our bit of shell script`
			`that runs 'nc' on the remote host as a cipher name, which is`
			`clearly invalid. This makes ssh exit during argv parsing and`
			`so it never tries to run gnome-calculator.`

			`We are lucky this time, but lets be more paranoid, by using`
			`'--' to explicitly tell SSH when it has finished seeing`
			`command line options. This forces it to interpret`
			`"-oProxyCommand=gnome-calculator" as a hostname, and thus`
			`see a fail from hostname lookup.`

			`Signed-off-by: Daniel P. Berrange <berrange@redhat.com>`

			`Index: libvirt-3.6.0/src/rpc/virnetsocket.c`
			`===================================================================`
			`--- libvirt-3.6.0.orig/src/rpc/virnetsocket.c`
			`+++ libvirt-3.6.0/src/rpc/virnetsocket.c`
			`@@ -868,7 +868,7 @@ int virNetSocketNewConnectSSH(const char`
			`if (!netcat)`
			`netcat = "nc";`

			`- virCommandAddArgList(cmd, nodename, "sh", "-c", NULL);`
			`+ virCommandAddArgList(cmd, "--", nodename, "sh", "-c", NULL);`

			`virBufferEscapeShell(&buf, netcat);`
			`if (virBufferCheckError(&buf) < 0) {`