From 75630acc688751ad590277dd0be4011bd26788ea61b830012f1eaf2ca516895a Mon Sep 17 00:00:00 2001
From: James Fehlig
Date: Wed, 30 Aug 2017 20:10:31 +0000
Subject: [PATCH] Accepting request 519733 from home:jfehlig:branches:Virtualization

- rpc: avoid ssh interpreting malicious hostname as arguments
  e4cb8500-avoid-malicious-ssh-hostname-as-args.patch
  bsc#1053600

OBS-URL: https://build.opensuse.org/request/show/519733
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=617
---
 ...avoid-malicious-ssh-hostname-as-args.patch | 42 +++++++++++++++++++
 libvirt.changes | 7 ++++
 libvirt.spec | 2 +
 3 files changed, 51 insertions(+)
 create mode 100644 e4cb8500-avoid-malicious-ssh-hostname-as-args.patch

diff --git a/e4cb8500-avoid-malicious-ssh-hostname-as-args.patch b/e4cb8500-avoid-malicious-ssh-hostname-as-args.patch
new file mode 100644
index 0000000..05da22e
--- /dev/null
+++ b/e4cb8500-avoid-malicious-ssh-hostname-as-args.patch
@@ -0,0 +1,42 @@
+commit e4cb8500810a310a10a6cb359e1b53fac03ed597
+Author: Daniel P. Berrange
+Date: Fri Aug 11 17:19:53 2017 +0100
+
+ rpc: avoid ssh interpreting malicious hostname as arguments
+
+ Inspired by the recent GIT / Mercurial security flaws
+ (http://blog.recurity-labs.com/2017-08-10/scm-vulns),
+ consider someone/something manages to feed libvirt a bogus
+ URI such as:
+
+ virsh -c qemu+ssh://-oProxyCommand=gnome-calculator/system
+
+ In this case, the hosname "-oProxyCommand=gnome-calculator"
+ will get interpreted as an argument to ssh, not a hostname.
+ Fortunately, due to the set of args we have following the
+ hostname, SSH will then interpret our bit of shell script
+ that runs 'nc' on the remote host as a cipher name, which is
+ clearly invalid. This makes ssh exit during argv parsing and
+ so it never tries to run gnome-calculator.
+
+ We are lucky this time, but lets be more paranoid, by using
+ '--' to explicitly tell SSH when it has finished seeing
+ command line options. This forces it to interpret
+ "-oProxyCommand=gnome-calculator" as a hostname, and thus
+ see a fail from hostname lookup.
+
+ Signed-off-by: Daniel P. Berrange
+
+Index: libvirt-3.6.0/src/rpc/virnetsocket.c
+===================================================================
+--- libvirt-3.6.0.orig/src/rpc/virnetsocket.c
++++ libvirt-3.6.0/src/rpc/virnetsocket.c
+@@ -868,7 +868,7 @@ int virNetSocketNewConnectSSH(const char
+ if (!netcat)
+ netcat = "nc";
+
+- virCommandAddArgList(cmd, nodename, "sh", "-c", NULL);
++ virCommandAddArgList(cmd, "--", nodename, "sh", "-c", NULL);
+
+ virBufferEscapeShell(&buf, netcat);
+ if (virBufferCheckError(&buf) < 0) {
diff --git a/libvirt.changes b/libvirt.changes
index de63070..b59b56b 100644
--- a/libvirt.changes
+++ b/libvirt.changes
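Review bot: The new `virCommandAddArgList(cmd, "--", nodename, "sh", "-c", NULL);` line relies solely on ssh honouring `--` to stop a nodename such as `-oProxyCommand=...` from being parsed as an option, so the ordering constraint deserves a comment directly above the call: `/* "--" must immediately precede nodename so ssh cannot read a leading "-" as an option */`. Anything appended to cmd before `--` elsewhere in virNetSocketNewConnectSSH is still subject to option parsing, so values presumably added earlier (user name, port, key file) should keep going through their option flags rather than as bare positionals. Rejecting a nodename that begins with `-` at URI parsing time would add a check that does not depend on the ssh binary's behaviour, and a small test asserting that `--` immediately precedes the host in the built argv would catch a future reordering. The enclosing function virNetSocketNewConnectSSH starts and ends outside the hunk.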
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Aug 29 22:34:42 UTC 2017 - jfehlig@suse.com
+
+- rpc: avoid ssh interpreting malicious hostname as arguments
+ e4cb8500-avoid-malicious-ssh-hostname-as-args.patch
+ bsc#1053600
+
 -------------------------------------------------------------------
 Thu Aug 3 17:56:42 UTC 2017 - jfehlig@suse.com
diff --git a/libvirt.spec b/libvirt.spec
index 3c1e5b1..74db38b 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -308,6 +308,7 @@ Source100: %{name}-rpmlintrc
 Patch0: 8982f3ab-util-hash-header.patch
 Patch1: 0b1ecf7b-virHashCodeGen-mockable.patch
 Patch2: f536b0dd-tests-arch-independent-hash.patch
+Patch3: e4cb8500-avoid-malicious-ssh-hostname-as-args.patch
 # Patches pending upstream review
 Patch100: libxl-dom-reset.patch
 Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@@ -876,6 +877,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %patch100 -p1
 %patch101 -p1
 %patch150 -p1