pool/libvirt
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 519736 from Virtualization

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/519736
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=233
This commit is contained in:
Dominique Leuenberger 2017-09-04 10:16:53 +00:00 committed by Git OBS Bridge
commit 7783e951ac
3 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
e4cb8500-avoid-malicious-ssh-hostname-as-args.patch Normal file
View File

@ -0,0 +1,42 @@
commit e4cb8500810a310a10a6cb359e1b53fac03ed597
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Fri Aug 11 17:19:53 2017 +0100
rpc: avoid ssh interpreting malicious hostname as arguments
Inspired by the recent GIT / Mercurial security flaws
(http://blog.recurity-labs.com/2017-08-10/scm-vulns),
consider someone/something manages to feed libvirt a bogus
URI such as:
virsh -c qemu+ssh://-oProxyCommand=gnome-calculator/system
In this case, the hosname "-oProxyCommand=gnome-calculator"
will get interpreted as an argument to ssh, not a hostname.
Fortunately, due to the set of args we have following the
hostname, SSH will then interpret our bit of shell script
that runs 'nc' on the remote host as a cipher name, which is
clearly invalid. This makes ssh exit during argv parsing and
so it never tries to run gnome-calculator.
We are lucky this time, but lets be more paranoid, by using
'--' to explicitly tell SSH when it has finished seeing
command line options. This forces it to interpret
"-oProxyCommand=gnome-calculator" as a hostname, and thus
see a fail from hostname lookup.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Index: libvirt-3.6.0/src/rpc/virnetsocket.c
===================================================================
--- libvirt-3.6.0.orig/src/rpc/virnetsocket.c
+++ libvirt-3.6.0/src/rpc/virnetsocket.c
@@ -868,7 +868,7 @@ int virNetSocketNewConnectSSH(const char
if (!netcat)
netcat = "nc";
- virCommandAddArgList(cmd, nodename, "sh", "-c", NULL);
+ virCommandAddArgList(cmd, "--", nodename, "sh", "-c", NULL);
virBufferEscapeShell(&buf, netcat);
if (virBufferCheckError(&buf) < 0) {

7
libvirt.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Aug 29 22:34:42 UTC 2017 - jfehlig@suse.com
- rpc: avoid ssh interpreting malicious hostname as arguments
e4cb8500-avoid-malicious-ssh-hostname-as-args.patch
bsc#1053600
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Aug 3 17:56:42 UTC 2017 - jfehlig@suse.com Thu Aug 3 17:56:42 UTC 2017 - jfehlig@suse.com

2
libvirt.spec
View File

@ -308,6 +308,7 @@ Source100: %{name}-rpmlintrc
Patch0: 8982f3ab-util-hash-header.patch Patch0: 8982f3ab-util-hash-header.patch
Patch1: 0b1ecf7b-virHashCodeGen-mockable.patch Patch1: 0b1ecf7b-virHashCodeGen-mockable.patch
Patch2: f536b0dd-tests-arch-independent-hash.patch Patch2: f536b0dd-tests-arch-independent-hash.patch
Patch3: e4cb8500-avoid-malicious-ssh-hostname-as-args.patch
# Patches pending upstream review # Patches pending upstream review
Patch100: libxl-dom-reset.patch Patch100: libxl-dom-reset.patch
Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@ -876,6 +877,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
%patch100 -p1 %patch100 -p1
%patch101 -p1 %patch101 -p1
%patch150 -p1 %patch150 -p1