Accepting request 711170 from Virtualization

Fixes for various CVEs made public today. - api: disallow virConnect*HypervisorCPU, virConnectGetDomainCapabilities, virDomainManagedSaveDefineXML, and virDomainSaveImageGetXMLDesc on read-only connections aed6a032-CVE-2019-10161.patch, db0b7845-CVE-2019-10166.patch, 8afa68ba-CVE-2019-10167.patch, bf6c2830-CVE-2019-10168.patch CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168 bsc#1138301, bsc#1138302, bsc#1138303, bsc#1138305 - Drop systemd BuildRequires: there is already pkgconfig(systemd) present, which is the same package. OBS-URL: https://build.opensuse.org/request/show/711170 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=286
2019-06-26 14:02:02 +00:00 · 2019-06-26 14:02:02 +00:00 · 7c7d430d2d
commit 7c7d430d2d
parent b3a1b59bd2 f96cdec896
6 changed files with 184 additions and 2 deletions
--- a/8afa68ba-CVE-2019-10167.patch
+++ b/8afa68ba-CVE-2019-10167.patch
@ -0,0 +1,25 @@
+commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26
+Author: Ján Tomko <jtomko@redhat.com>
+Date:   Fri Jun 14 09:16:14 2019 +0200
+
+    api: disallow virConnectGetDomainCapabilities on read-only connections
+    
+    This API can be used to execute arbitrary emulators.
+    Forbid it on read-only connections.
+    
+    Fixes: CVE-2019-10167
+    Signed-off-by: Ján Tomko <jtomko@redhat.com>
+    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Index: libvirt-5.4.0/src/libvirt-domain.c
+===================================================================
+--- libvirt-5.4.0.orig/src/libvirt-domain.c
+++ libvirt-5.4.0/src/libvirt-domain.c
+@@ -11360,6 +11360,7 @@ virConnectGetDomainCapabilities(virConne
+     virResetLastError();
+ 
+     virCheckConnectReturn(conn, NULL);
+    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectGetDomainCapabilities) {
+         char *ret;
--- a/aed6a032-CVE-2019-10161.patch
+++ b/aed6a032-CVE-2019-10161.patch
@ -0,0 +1,73 @@
+commit aed6a032cead4386472afb24b16196579e239580
+Author: Ján Tomko <jtomko@redhat.com>
+Date:   Fri Jun 14 08:47:42 2019 +0200
+
+    api: disallow virDomainSaveImageGetXMLDesc on read-only connections
+    
+    The virDomainSaveImageGetXMLDesc API is taking a path parameter,
+    which can point to any path on the system. This file will then be
+    read and parsed by libvirtd running with root privileges.
+    
+    Forbid it on read-only connections.
+    
+    Fixes: CVE-2019-10161
+    Reported-by: Matthias Gerstner <mgerstner@suse.de>
+    Signed-off-by: Ján Tomko <jtomko@redhat.com>
+    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Index: libvirt-5.4.0/src/libvirt-domain.c
+===================================================================
+--- libvirt-5.4.0.orig/src/libvirt-domain.c
+++ libvirt-5.4.0/src/libvirt-domain.c
+@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn
+  * previously by virDomainSave() or virDomainSaveFlags().
+  *
+  * No security-sensitive data will be included unless @flags contains
+- * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE; this flag is rejected on read-only
+- * connections.
+ * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE.
+  *
+  * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
+  * error.  The caller must free() the returned value.
+@@ -1090,13 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectP
+ 
+     virCheckConnectReturn(conn, NULL);
+     virCheckNonNullArgGoto(file, error);
+-
+-    if ((conn->flags & VIR_CONNECT_RO) &&
+-        (flags & VIR_DOMAIN_SAVE_IMAGE_XML_SECURE)) {
+-        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+-                       _("virDomainSaveImageGetXMLDesc with secure flag"));
+-        goto error;
+-    }
+    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->domainSaveImageGetXMLDesc) {
+         char *ret;
+Index: libvirt-5.4.0/src/qemu/qemu_driver.c
+===================================================================
+--- libvirt-5.4.0.orig/src/qemu/qemu_driver.c
+++ libvirt-5.4.0/src/qemu/qemu_driver.c
+@@ -7038,7 +7038,7 @@ qemuDomainSaveImageGetXMLDesc(virConnect
+     if (fd < 0)
+         goto cleanup;
+ 
+-    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
+    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
+         goto cleanup;
+ 
+     ret = qemuDomainDefFormatXML(driver, def, flags);
+Index: libvirt-5.4.0/src/remote/remote_protocol.x
+===================================================================
+--- libvirt-5.4.0.orig/src/remote/remote_protocol.x
+++ libvirt-5.4.0/src/remote/remote_protocol.x
+@@ -5242,8 +5242,7 @@ enum remote_procedure {
+     /**
+      * @generate: both
+      * @priority: high
+-     * @acl: domain:read
+-     * @acl: domain:read_secure:VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
+     * @acl: domain:write
+      */
+     REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
+ 
--- a/bf6c2830-CVE-2019-10168.patch
+++ b/bf6c2830-CVE-2019-10168.patch
@ -0,0 +1,33 @@
+commit bf6c2830b6c338b1f5699b095df36f374777b291
+Author: Ján Tomko <jtomko@redhat.com>
+Date:   Fri Jun 14 09:17:39 2019 +0200
+
+    api: disallow virConnect*HypervisorCPU on read-only connections
+    
+    These APIs can be used to execute arbitrary emulators.
+    Forbid them on read-only connections.
+    
+    Fixes: CVE-2019-10168
+    Signed-off-by: Ján Tomko <jtomko@redhat.com>
+    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Index: libvirt-5.4.0/src/libvirt-host.c
+===================================================================
+--- libvirt-5.4.0.orig/src/libvirt-host.c
+++ libvirt-5.4.0/src/libvirt-host.c
+@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnec
+ 
+     virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
+     virCheckNonNullArgGoto(xmlCPU, error);
+    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectCompareHypervisorCPU) {
+         int ret;
+@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConne
+ 
+     virCheckConnectReturn(conn, NULL);
+     virCheckNonNullArgGoto(xmlCPUs, error);
+    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectBaselineHypervisorCPU) {
+         char *cpu;
--- a/db0b7845-CVE-2019-10166.patch
+++ b/db0b7845-CVE-2019-10166.patch
@ -0,0 +1,27 @@
+commit db0b78457f183e4c7ac45bc94de86044a1e2056a
+Author: Ján Tomko <jtomko@redhat.com>
+Date:   Fri Jun 14 09:14:53 2019 +0200
+
+    api: disallow virDomainManagedSaveDefineXML on read-only connections
+    
+    The virDomainManagedSaveDefineXML can be used to alter the domain's
+    config used for managedsave or even execute arbitrary emulator binaries.
+    Forbid it on read-only connections.
+    
+    Fixes: CVE-2019-10166
+    Reported-by: Matthias Gerstner <mgerstner@suse.de>
+    Signed-off-by: Ján Tomko <jtomko@redhat.com>
+    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Index: libvirt-5.4.0/src/libvirt-domain.c
+===================================================================
+--- libvirt-5.4.0.orig/src/libvirt-domain.c
+++ libvirt-5.4.0/src/libvirt-domain.c
+@@ -9563,6 +9563,7 @@ virDomainManagedSaveDefineXML(virDomainP
+ 
+     virCheckDomainReturn(domain, -1);
+     conn = domain->conn;
+    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->domainManagedSaveDefineXML) {
+         int ret;
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Thu Jun 20 14:55:04 UTC 2019 - Jim Fehlig <jfehlig@suse.com>
+
+- api: disallow virConnect*HypervisorCPU,
+  virConnectGetDomainCapabilities, virDomainManagedSaveDefineXML,
+  and virDomainSaveImageGetXMLDesc on read-only connections
+  aed6a032-CVE-2019-10161.patch, db0b7845-CVE-2019-10166.patch,
+  8afa68ba-CVE-2019-10167.patch, bf6c2830-CVE-2019-10168.patch
+  CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168
+  bsc#1138301, bsc#1138302, bsc#1138303, bsc#1138305
+
+-------------------------------------------------------------------
+Wed Jun 12 15:03:47 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Drop systemd BuildRequires: there is already pkgconfig(systemd)
+  present, which is the same package.
+
 -------------------------------------------------------------------
 Mon Jun  3 17:05:52 UTC 2019 - Jim Fehlig <jfehlig@suse.com>

--- a/libvirt.spec
+++ b/libvirt.spec
@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #


@ -221,7 +221,6 @@ BuildRequires:  gettext-tools
 BuildRequires:  libtool
 # Needed for virkmodtest in 'make check'
 BuildRequires:  modutils
-BuildRequires:  systemd
 BuildRequires:  pkgconfig(systemd)
 %if %{with_libxl}
 BuildRequires:  xen-devel
@ -337,6 +336,10 @@ Source6:        libvirtd-relocation-server.xml
 Source99:       baselibs.conf
 Source100:      %{name}-rpmlintrc
 # Upstream patches
+Patch0:         aed6a032-CVE-2019-10161.patch
+Patch1:         db0b7845-CVE-2019-10166.patch
+Patch2:         8afa68ba-CVE-2019-10167.patch
+Patch3:         bf6c2830-CVE-2019-10168.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@ -869,6 +872,10 @@ libvirt plugin for NSS for translating domain names into IP addresses.

 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 %patch100 -p1
 %patch101 -p1
 %patch150 -p1