diff --git a/b1674ad5-CVE-2014-7823.patch b/b1674ad5-CVE-2014-7823.patch new file mode 100644 index 0000000..95c316a --- /dev/null +++ b/b1674ad5-CVE-2014-7823.patch @@ -0,0 +1,57 @@ +commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b +Author: Eric Blake +Date: Fri Oct 31 22:14:07 2014 -0600 + + CVE-2014-7823: dumpxml: security hole with migratable flag + + Commit 28f8dfd (v1.0.0) introduced a security hole: in at least + the qemu implementation of virDomainGetXMLDesc, the use of the + flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only + connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE + prior to calling qemuDomainFormatXML. However, the use of + VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write + clients only. This patch treats the migratable flag as requiring + the same permissions, rather than analyzing what might break if + migratable xml no longer includes secret information. + + Fortunately, the information leak is low-risk: all that is gated + by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password; + but VNC passwords are already weak (FIPS forbids their use, and + on a non-FIPS machine, anyone stupid enough to trust a max-8-byte + password sent in plaintext over the network deserves what they + get). SPICE offers better security than VNC, and all other + secrets are properly protected by use of virSecret associations + rather than direct output in domain XML. + + * src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC): + Tighten rules on use of migratable flag. + * src/libvirt-domain.c (virDomainGetXMLDesc): Likewise. + + Signed-off-by: Eric Blake + +Index: libvirt-1.2.10/src/libvirt-domain.c +=================================================================== +--- libvirt-1.2.10.orig/src/libvirt-domain.c ++++ libvirt-1.2.10/src/libvirt-domain.c +@@ -2607,7 +2607,8 @@ virDomainGetXMLDesc(virDomainPtr domain, + virCheckDomainReturn(domain, NULL); + conn = domain->conn; + +- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) { ++ if ((conn->flags & VIR_CONNECT_RO) && ++ (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) { + virReportError(VIR_ERR_OPERATION_DENIED, "%s", + _("virDomainGetXMLDesc with secure flag")); + goto error; +Index: libvirt-1.2.10/src/remote/remote_protocol.x +=================================================================== +--- libvirt-1.2.10.orig/src/remote/remote_protocol.x ++++ libvirt-1.2.10/src/remote/remote_protocol.x +@@ -3255,6 +3255,7 @@ enum remote_procedure { + * @generate: both + * @acl: domain:read + * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE ++ * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE + */ + REMOTE_PROC_DOMAIN_GET_XML_DESC = 14, + diff --git a/libvirt.changes b/libvirt.changes index 59b7927..a7d3751 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Nov 10 22:01:31 MST 2014 - jfehlig@suse.com + +- CVE-2014-7823: dumpxml: security hole with migratable flag + b1674ad5-CVE-2014-7823.patch + bsc#904176 + ------------------------------------------------------------------- Mon Nov 3 11:08:49 MST 2014 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 2a9a9b8..99c83ab 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -434,6 +434,7 @@ Source3: libvirtd.init Source4: libvirtd-relocation-server.fw Source99: baselibs.conf # Upstream patches +Patch0: b1674ad5-CVE-2014-7823.patch # Patches pending upstream review # Need to go upstream Patch150: xen-name-for-devid.patch @@ -965,6 +966,7 @@ Provides a dissector for the libvirt RPC protocol to help debugging it. %prep %setup -q +%patch0 -p1 %patch150 -p1 %patch151 -p1 %patch152 -p1