Accepting request 704536 from home:jfehlig:branches:Virtualization
- admin: reject clients unless their UID matches the server UID CVE-2019-10132 96f41cd7-admin-reject-clients.patch, f111e094-locking-restrict-sockets-to-mode-0600.patch, e37bd65f-logging-restrict-sockets-to-mode-0600.patch bsc#1134348 OBS-URL: https://build.opensuse.org/request/show/704536 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=756
This commit is contained in:
parent
30cdfb8cae
commit
9b252d2501
48
96f41cd7-admin-reject-clients.patch
Normal file
48
96f41cd7-admin-reject-clients.patch
Normal file
@ -0,0 +1,48 @@
|
||||
commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7
|
||||
Author: Daniel P. Berrangé <berrange@redhat.com>
|
||||
Date: Tue Apr 30 17:26:13 2019 +0100
|
||||
|
||||
admin: reject clients unless their UID matches the current UID
|
||||
|
||||
The admin protocol RPC messages are only intended for use by the user
|
||||
running the daemon. As such they should not be allowed for any client
|
||||
UID that does not match the server UID.
|
||||
|
||||
Fixes CVE-2019-10132
|
||||
|
||||
Reviewed-by: Ján Tomko <jtomko@redhat.com>
|
||||
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
|
||||
Index: libvirt-5.3.0/src/admin/admin_server_dispatch.c
|
||||
===================================================================
|
||||
--- libvirt-5.3.0.orig/src/admin/admin_server_dispatch.c
|
||||
+++ libvirt-5.3.0/src/admin/admin_server_dispatch.c
|
||||
@@ -64,6 +64,28 @@ remoteAdmClientNew(virNetServerClientPtr
|
||||
void *opaque)
|
||||
{
|
||||
struct daemonAdmClientPrivate *priv;
|
||||
+ uid_t clientuid;
|
||||
+ gid_t clientgid;
|
||||
+ pid_t clientpid;
|
||||
+ unsigned long long timestamp;
|
||||
+
|
||||
+ if (virNetServerClientGetUNIXIdentity(client,
|
||||
+ &clientuid,
|
||||
+ &clientgid,
|
||||
+ &clientpid,
|
||||
+ ×tamp) < 0)
|
||||
+ return NULL;
|
||||
+
|
||||
+ VIR_DEBUG("New client pid %lld uid %lld",
|
||||
+ (long long)clientpid,
|
||||
+ (long long)clientuid);
|
||||
+
|
||||
+ if (geteuid() != clientuid) {
|
||||
+ virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
|
||||
+ (long long)clientpid,
|
||||
+ (long long)clientuid);
|
||||
+ return NULL;
|
||||
+ }
|
||||
|
||||
if (VIR_ALLOC(priv) < 0)
|
||||
return NULL;
|
41
e37bd65f-logging-restrict-sockets-to-mode-0600.patch
Normal file
41
e37bd65f-logging-restrict-sockets-to-mode-0600.patch
Normal file
@ -0,0 +1,41 @@
|
||||
commit e37bd65f9948c1185456b2cdaa3bd6e875af680f
|
||||
Author: Daniel P. Berrangé <berrange@redhat.com>
|
||||
Date: Tue Apr 30 17:27:41 2019 +0100
|
||||
|
||||
logging: restrict sockets to mode 0600
|
||||
|
||||
The virtlogd daemon's only intended client is the libvirtd daemon. As
|
||||
such it should never allow clients from other user accounts to connect.
|
||||
The code already enforces this and drops clients from other UIDs, but
|
||||
we can get earlier (and thus stronger) protection against DoS by setting
|
||||
the socket permissions to 0600
|
||||
|
||||
Fixes CVE-2019-10132
|
||||
|
||||
Reviewed-by: Ján Tomko <jtomko@redhat.com>
|
||||
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
|
||||
Index: libvirt-5.3.0/src/logging/virtlogd-admin.socket.in
|
||||
===================================================================
|
||||
--- libvirt-5.3.0.orig/src/logging/virtlogd-admin.socket.in
|
||||
+++ libvirt-5.3.0/src/logging/virtlogd-admin.socket.in
|
||||
@@ -5,6 +5,7 @@ Before=libvirtd.service
|
||||
[Socket]
|
||||
ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
|
||||
Service=virtlogd.service
|
||||
+SocketMode=0600
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
||||
Index: libvirt-5.3.0/src/logging/virtlogd.socket.in
|
||||
===================================================================
|
||||
--- libvirt-5.3.0.orig/src/logging/virtlogd.socket.in
|
||||
+++ libvirt-5.3.0/src/logging/virtlogd.socket.in
|
||||
@@ -4,6 +4,7 @@ Before=libvirtd.service
|
||||
|
||||
[Socket]
|
||||
ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
|
||||
+SocketMode=0600
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
41
f111e094-locking-restrict-sockets-to-mode-0600.patch
Normal file
41
f111e094-locking-restrict-sockets-to-mode-0600.patch
Normal file
@ -0,0 +1,41 @@
|
||||
commit f111e09468693909b1f067aa575efdafd9a262a1
|
||||
Author: Daniel P. Berrangé <berrange@redhat.com>
|
||||
Date: Tue Apr 30 16:51:37 2019 +0100
|
||||
|
||||
locking: restrict sockets to mode 0600
|
||||
|
||||
The virtlockd daemon's only intended client is the libvirtd daemon. As
|
||||
such it should never allow clients from other user accounts to connect.
|
||||
The code already enforces this and drops clients from other UIDs, but
|
||||
we can get earlier (and thus stronger) protection against DoS by setting
|
||||
the socket permissions to 0600
|
||||
|
||||
Fixes CVE-2019-10132
|
||||
|
||||
Reviewed-by: Ján Tomko <jtomko@redhat.com>
|
||||
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
|
||||
Index: libvirt-5.3.0/src/locking/virtlockd-admin.socket.in
|
||||
===================================================================
|
||||
--- libvirt-5.3.0.orig/src/locking/virtlockd-admin.socket.in
|
||||
+++ libvirt-5.3.0/src/locking/virtlockd-admin.socket.in
|
||||
@@ -5,6 +5,7 @@ Before=libvirtd.service
|
||||
[Socket]
|
||||
ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
|
||||
Service=virtlockd.service
|
||||
+SocketMode=0600
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
||||
Index: libvirt-5.3.0/src/locking/virtlockd.socket.in
|
||||
===================================================================
|
||||
--- libvirt-5.3.0.orig/src/locking/virtlockd.socket.in
|
||||
+++ libvirt-5.3.0/src/locking/virtlockd.socket.in
|
||||
@@ -4,6 +4,7 @@ Before=libvirtd.service
|
||||
|
||||
[Socket]
|
||||
ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
|
||||
+SocketMode=0600
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
@ -1,3 +1,13 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue May 21 17:15:09 UTC 2019 - James Fehlig <jfehlig@suse.com>
|
||||
|
||||
- admin: reject clients unless their UID matches the server UID
|
||||
CVE-2019-10132
|
||||
96f41cd7-admin-reject-clients.patch,
|
||||
f111e094-locking-restrict-sockets-to-mode-0600.patch,
|
||||
e37bd65f-logging-restrict-sockets-to-mode-0600.patch
|
||||
bsc#1134348
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon May 20 21:50:28 UTC 2019 - James Fehlig <jfehlig@suse.com>
|
||||
|
||||
|
@ -339,6 +339,9 @@ Source100: %{name}-rpmlintrc
|
||||
# Upstream patches
|
||||
Patch0: 5cd9db3a-cputest-add-data-E3-1225-v5.patch
|
||||
Patch1: 538d8735-cpu_map-Define-md-clear-CPUID-bit.patch
|
||||
Patch2: 96f41cd7-admin-reject-clients.patch
|
||||
Patch3: f111e094-locking-restrict-sockets-to-mode-0600.patch
|
||||
Patch4: e37bd65f-logging-restrict-sockets-to-mode-0600.patch
|
||||
# Patches pending upstream review
|
||||
Patch100: libxl-dom-reset.patch
|
||||
Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
|
||||
@ -874,6 +877,9 @@ libvirt plugin for NSS for translating domain names into IP addresses.
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch100 -p1
|
||||
%patch101 -p1
|
||||
%patch150 -p1
|
||||
|
Loading…
Reference in New Issue
Block a user