Accepting request 519736 from Virtualization

1

OBS-URL: https://build.opensuse.org/request/show/519736
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=233

e4cb8500-avoid-malicious-ssh-hostname-as-args.patch

@@ -0,0 +1,42 @@
+commit e4cb8500810a310a10a6cb359e1b53fac03ed597
+Author: Daniel P. Berrange <berrange@redhat.com>
+Date:   Fri Aug 11 17:19:53 2017 +0100
+
+    rpc: avoid ssh interpreting malicious hostname as arguments
+    
+    Inspired by the recent GIT / Mercurial security flaws
+    (http://blog.recurity-labs.com/2017-08-10/scm-vulns),
+    consider someone/something manages to feed libvirt a bogus
+    URI such as:
+    
+      virsh -c qemu+ssh://-oProxyCommand=gnome-calculator/system
+    
+    In this case, the hosname "-oProxyCommand=gnome-calculator"
+    will get interpreted as an argument to ssh, not a hostname.
+    Fortunately, due to the set of args we have following the
+    hostname, SSH will then interpret our bit of shell script
+    that runs 'nc' on the remote host as a cipher name, which is
+    clearly invalid. This makes ssh exit during argv parsing and
+    so it never tries to run gnome-calculator.
+    
+    We are lucky this time, but lets be more paranoid, by using
+    '--' to explicitly tell SSH when it has finished seeing
+    command line options. This forces it to interpret
+    "-oProxyCommand=gnome-calculator" as a hostname, and thus
+    see a fail from hostname lookup.
+    
+    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Index: libvirt-3.6.0/src/rpc/virnetsocket.c
+===================================================================
+--- libvirt-3.6.0.orig/src/rpc/virnetsocket.c
++++ libvirt-3.6.0/src/rpc/virnetsocket.c
+@@ -868,7 +868,7 @@ int virNetSocketNewConnectSSH(const char
+     if (!netcat)
+         netcat = "nc";
+ 
+-    virCommandAddArgList(cmd, nodename, "sh", "-c", NULL);
++    virCommandAddArgList(cmd, "--", nodename, "sh", "-c", NULL);
+ 
+     virBufferEscapeShell(&buf, netcat);
+     if (virBufferCheckError(&buf) < 0) {

libvirt.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Aug 29 22:34:42 UTC 2017 - jfehlig@suse.com
+
+- rpc: avoid ssh interpreting malicious hostname as arguments
+  e4cb8500-avoid-malicious-ssh-hostname-as-args.patch
+  bsc#1053600
+
 -------------------------------------------------------------------
 Thu Aug  3 17:56:42 UTC 2017 - jfehlig@suse.com
 

libvirt.spec

@@ -308,6 +308,7 @@ Source100:      %{name}-rpmlintrc
 Patch0:         8982f3ab-util-hash-header.patch
 Patch1:         0b1ecf7b-virHashCodeGen-mockable.patch
 Patch2:         f536b0dd-tests-arch-independent-hash.patch
+Patch3:         e4cb8500-avoid-malicious-ssh-hostname-as-args.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@@ -876,6 +877,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %patch100 -p1
 %patch101 -p1
 %patch150 -p1