libvirt/ae076bb4-remote-CVE-2019-3886.patch

commit ae076bb40e0e150aef41361b64001138d04d6c60
Author: Daniel P. Berrangé <berrange@redhat.com>
Date:   Wed Mar 27 11:22:49 2019 +0000

    remote: enforce ACL write permission for getting guest time & hostname
    
    Getting the guest time and hostname both require use of guest agent
    commands. These must not be allowed for read-only users, so the
    permissions check must validate "write" permission not "read".
    
    Fixes CVE-2019-3886
    Reviewed-by: Jim Fehlig <jfehlig@suse.com>
    Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Index: libvirt-5.2.0/src/remote/remote_protocol.x
===================================================================
--- libvirt-5.2.0.orig/src/remote/remote_protocol.x
+++ libvirt-5.2.0/src/remote/remote_protocol.x
@@ -5513,7 +5513,7 @@ enum remote_procedure {
 
     /**
      * @generate: both
-     * @acl: domain:read
+     * @acl: domain:write
      */
     REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,
 
@@ -5908,7 +5908,7 @@ enum remote_procedure {
 
     /**
      * @generate: none
-     * @acl: domain:read
+     * @acl: domain:write
      */
     REMOTE_PROC_DOMAIN_GET_TIME = 337,
Accepting request 693774 from home:jfehlig:branches:Virtualization Properly fix failing tests. - Fix and re-enable snapshot tests f66f70ac-snapshot-fix-use-after-free.patch 2a07c990-api-CVE-2019-3886.patch, ae076bb4-remote-CVE-2019-3886.patch - spec: BuildRequires rpcgen since ae076bb4-remote-CVE-2019-3886.patch ebe9c6ea-qemu-firmware-dirent.patch OBS-URL: https://build.opensuse.org/request/show/693774 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=746 2019-04-12 15:52:39 +00:00			`commit ae076bb40e0e150aef41361b64001138d04d6c60`
Accepting request 692393 from home:jfehlig:branches:Virtualization - CVE-2019-3886: disallow virDomainGetHostname and virDomainGetTime for read-only connections and users CVE-2019-3886-api.patch, CVE-2019-3886-remote.patch bsc#1131595 - spec: BuildRequires rpcgen since CVE-2019-3886-remote.patch touches remote_protocol.x - Update to libvirt 5.2.0 - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Dropped patches: 4ec3cf9a-apparmor-rules.patch, f38ef0fa-no-RDMA-check.patch, 411cdaf8-apparmor-check-profile-name.patch, 696239ba-qemu-fix-query-cpus-fast.patch, 09eb1ae0-conf-add-xenbus-controller.patch, fb059757-libxl-add-xenbus-controller.patch, ec5a1191-libxl-support-max-grant-frames.patch, 5a64c202-xenconfig-support-max-grant-frames.patch - Added patches: ff376c62-tests-fix-mocking-stat-lstat.patch, mprivozn-test-fix-proposal.patch OBS-URL: https://build.opensuse.org/request/show/692393 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=745 2019-04-08 22:27:41 +00:00			`Author: Daniel P. Berrangé <berrange@redhat.com>`
Accepting request 693774 from home:jfehlig:branches:Virtualization Properly fix failing tests. - Fix and re-enable snapshot tests f66f70ac-snapshot-fix-use-after-free.patch 2a07c990-api-CVE-2019-3886.patch, ae076bb4-remote-CVE-2019-3886.patch - spec: BuildRequires rpcgen since ae076bb4-remote-CVE-2019-3886.patch ebe9c6ea-qemu-firmware-dirent.patch OBS-URL: https://build.opensuse.org/request/show/693774 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=746 2019-04-12 15:52:39 +00:00			`Date: Wed Mar 27 11:22:49 2019 +0000`
Accepting request 692393 from home:jfehlig:branches:Virtualization - CVE-2019-3886: disallow virDomainGetHostname and virDomainGetTime for read-only connections and users CVE-2019-3886-api.patch, CVE-2019-3886-remote.patch bsc#1131595 - spec: BuildRequires rpcgen since CVE-2019-3886-remote.patch touches remote_protocol.x - Update to libvirt 5.2.0 - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Dropped patches: 4ec3cf9a-apparmor-rules.patch, f38ef0fa-no-RDMA-check.patch, 411cdaf8-apparmor-check-profile-name.patch, 696239ba-qemu-fix-query-cpus-fast.patch, 09eb1ae0-conf-add-xenbus-controller.patch, fb059757-libxl-add-xenbus-controller.patch, ec5a1191-libxl-support-max-grant-frames.patch, 5a64c202-xenconfig-support-max-grant-frames.patch - Added patches: ff376c62-tests-fix-mocking-stat-lstat.patch, mprivozn-test-fix-proposal.patch OBS-URL: https://build.opensuse.org/request/show/692393 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=745 2019-04-08 22:27:41 +00:00
			`remote: enforce ACL write permission for getting guest time & hostname`

			`Getting the guest time and hostname both require use of guest agent`
			`commands. These must not be allowed for read-only users, so the`
			`permissions check must validate "write" permission not "read".`

			`Fixes CVE-2019-3886`
Accepting request 693774 from home:jfehlig:branches:Virtualization Properly fix failing tests. - Fix and re-enable snapshot tests f66f70ac-snapshot-fix-use-after-free.patch 2a07c990-api-CVE-2019-3886.patch, ae076bb4-remote-CVE-2019-3886.patch - spec: BuildRequires rpcgen since ae076bb4-remote-CVE-2019-3886.patch ebe9c6ea-qemu-firmware-dirent.patch OBS-URL: https://build.opensuse.org/request/show/693774 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=746 2019-04-12 15:52:39 +00:00			`Reviewed-by: Jim Fehlig <jfehlig@suse.com>`
Accepting request 692393 from home:jfehlig:branches:Virtualization - CVE-2019-3886: disallow virDomainGetHostname and virDomainGetTime for read-only connections and users CVE-2019-3886-api.patch, CVE-2019-3886-remote.patch bsc#1131595 - spec: BuildRequires rpcgen since CVE-2019-3886-remote.patch touches remote_protocol.x - Update to libvirt 5.2.0 - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Dropped patches: 4ec3cf9a-apparmor-rules.patch, f38ef0fa-no-RDMA-check.patch, 411cdaf8-apparmor-check-profile-name.patch, 696239ba-qemu-fix-query-cpus-fast.patch, 09eb1ae0-conf-add-xenbus-controller.patch, fb059757-libxl-add-xenbus-controller.patch, ec5a1191-libxl-support-max-grant-frames.patch, 5a64c202-xenconfig-support-max-grant-frames.patch - Added patches: ff376c62-tests-fix-mocking-stat-lstat.patch, mprivozn-test-fix-proposal.patch OBS-URL: https://build.opensuse.org/request/show/692393 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=745 2019-04-08 22:27:41 +00:00			`Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>`

			`Index: libvirt-5.2.0/src/remote/remote_protocol.x`
			`===================================================================`
			`--- libvirt-5.2.0.orig/src/remote/remote_protocol.x`
			`+++ libvirt-5.2.0/src/remote/remote_protocol.x`
			`@@ -5513,7 +5513,7 @@ enum remote_procedure {`

			`/**`
			`* @generate: both`
			`- * @acl: domain:read`
			`+ * @acl: domain:write`
			`*/`
			`REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,`

			`@@ -5908,7 +5908,7 @@ enum remote_procedure {`

			`/**`
			`* @generate: none`
			`- * @acl: domain:read`
			`+ * @acl: domain:write`
			`*/`
			`REMOTE_PROC_DOMAIN_GET_TIME = 337,`