Accepting request 534485 from Virtualization

Another libvirt submission to supersede #534321. Fixes last changelog entry by adding patch name. - qemu: ensure TLS clients always verify the server certificate CVE-2017-1000256 441d3eb6-qemu-tls-client-verify-server-cert.patch bsc#1062563 - Do not ignore errors from useradd/groupadd. - Invoke/expand %service_* just once per scriptlet. - Replace some old macros. - spec: libvirt-daemon-qemu requires libvirt-daemon-driver-storage bsc#1062620 - spec: reload libvirtd Apparmor profile in %post bsc#1060860 OBS-URL: https://build.opensuse.org/request/show/534485 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=238
2017-10-21 18:20:50 +00:00 · 2017-10-21 18:20:50 +00:00 · dc5a2c690a
commit dc5a2c690a
parent cd1d33846d fe28aa861b
3 changed files with 110 additions and 18 deletions
--- a/441d3eb6-qemu-tls-client-verify-server-cert.patch
+++ b/441d3eb6-qemu-tls-client-verify-server-cert.patch
@ -0,0 +1,67 @@
+commit 441d3eb6d1be940a67ce45a286602a967601b157
+Author: Daniel P. Berrange <berrange@redhat.com>
+Date:   Thu Oct 5 17:54:28 2017 +0100
+
+    qemu: ensure TLS clients always verify the server certificate
+    
+    The default_tls_x509_verify (and related) parameters in qemu.conf
+    control whether the QEMU TLS servers request & verify certificates
+    from clients. This works as a simple access control system for
+    servers by requiring the CA to issue certs to permitted clients.
+    This use of client certificates is disabled by default, since it
+    requires extra work to issue client certificates.
+    
+    Unfortunately the code was using this configuration parameter when
+    setting up both TLS clients and servers in QEMU. The result was that
+    TLS clients for character devices and disk devices had verification
+    turned off, meaning they would ignore errors while validating the
+    server certificate.
+    
+    This allows for trivial MITM attacks between client and server,
+    as any certificate returned by the attacker will be accepted by
+    the client.
+    
+    This is assigned CVE-2017-1000256  / LSN-2017-0002
+    
+    Reviewed-by: Eric Blake <eblake@redhat.com>
+    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Index: libvirt-3.8.0/src/qemu/qemu_command.c
+===================================================================
+--- libvirt-3.8.0.orig/src/qemu/qemu_command.c
+++ libvirt-3.8.0/src/qemu/qemu_command.c
+@@ -721,7 +721,7 @@ qemuBuildTLSx509BackendProps(const char
+     if (virJSONValueObjectCreate(propsret,
+                                  "s:dir", path,
+                                  "s:endpoint", (isListen ? "server": "client"),
+-                                 "b:verify-peer", verifypeer,
+                                 "b:verify-peer", (isListen ? verifypeer : true),
+                                  NULL) < 0)
+         goto cleanup;
+ 
+Index: libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+===================================================================
+--- libvirt-3.8.0.orig/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+++ libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+@@ -26,7 +26,7 @@ server,nowait \
+ localport=1111 \
+ -device isa-serial,chardev=charserial0,id=serial0 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no \
+endpoint=client,verify-peer=yes \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
+Index: libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+===================================================================
+--- libvirt-3.8.0.orig/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+++ libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+@@ -31,7 +31,7 @@ localport=1111 \
+ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
+endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Mon Oct 16 22:02:16 UTC 2017 - jfehlig@suse.com
+
+- qemu: ensure TLS clients always verify the server certificate
+  CVE-2017-1000256
+  441d3eb6-qemu-tls-client-verify-server-cert.patch
+  bsc#1062563
+
+-------------------------------------------------------------------
+Thu Oct 12 23:25:48 UTC 2017 - jengelh@inai.de
+
+- Do not ignore errors from useradd/groupadd.
+- Invoke/expand %service_* just once per scriptlet.
+- Replace some old macros.
+
+-------------------------------------------------------------------
+Tue Oct 10 19:50:22 UTC 2017 - jfehlig@suse.com
+
+- spec: libvirt-daemon-qemu requires libvirt-daemon-driver-storage
+  bsc#1062620
+
+-------------------------------------------------------------------
+Mon Oct  9 16:34:50 UTC 2017 - jfehlig@suse.com
+
+- spec: reload libvirtd Apparmor profile in %post
+  bsc#1060860
+
 -------------------------------------------------------------------
 Fri Oct  6 22:46:12 UTC 2017 - jfehlig@suse.com

--- a/libvirt.spec
+++ b/libvirt.spec
@ -251,6 +251,7 @@ BuildRequires:  libnl3-devel
 BuildRequires:  libpcap-devel
 BuildRequires:  libselinux-devel
 %if %{with_apparmor}
+BuildRequires:  apparmor-rpm-macros
 BuildRequires:  libapparmor-devel
 %endif
 BuildRequires:  dnsmasq >= 2.41
@ -310,6 +311,7 @@ Source99:       baselibs.conf
 Source100:      %{name}-rpmlintrc
 # Upstream patches
 Patch0:         c44b29aa-apparmor-dnsmasq-ptrace.patch
+Patch1:         441d3eb6-qemu-tls-client-verify-server-cert.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@ -703,6 +705,7 @@ Requires:       libvirt-daemon-driver-nodedev = %{version}-%{release}
 Requires:       libvirt-daemon-driver-nwfilter = %{version}-%{release}
 Requires:       libvirt-daemon-driver-qemu = %{version}-%{release}
 Requires:       libvirt-daemon-driver-secret = %{version}-%{release}
+Requires:       libvirt-daemon-driver-storage = %{version}-%{release}

 %description daemon-qemu
 Server side daemon and driver required to manage the virtualization
@ -884,6 +887,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 %patch100 -p1
 %patch101 -p1
 %patch150 -p1
@ -1103,8 +1107,8 @@ make V=1 %{?_smp_mflags} HTML_DIR=%{_docdir}/%{name}
 gzip -9 ChangeLog

 %install
-%makeinstall SYSTEMD_UNIT_DIR=%{_unitdir} HTML_DIR=%{_docdir}/%{name}
-make %{?jobs:-j%jobs} -C examples distclean
+%make_install SYSTEMD_UNIT_DIR=%{_unitdir} HTML_DIR=%{_docdir}/%{name}
+make %{?_smp_mflags} -C examples distclean
 cp examples/lxcconvert/virt-lxc-convert %{buildroot}/%{_bindir}
 rm -f %{buildroot}/%{_libdir}/*.la
 %if %{with_wireshark}
@ -1243,34 +1247,30 @@ do
  rm -f $i
  printf 'int main(void) { return 0; }' > $i.c
 done
-make %{?jobs:-j%jobs}
+make %{?_smp_mflags}

-if ! make %{?jobs:-j%jobs} check VIR_TEST_DEBUG=1
+if ! make %{?_smp_mflags} check VIR_TEST_DEBUG=1
 then
  cat test-suite.log || true
  exit 1
 fi

 %pre daemon
-%service_add_pre libvirtd.service
-%service_add_pre virtlockd.service virtlockd.socket
-%service_add_pre virtlogd.service virtlogd.socket
-%{_bindir}/getent group libvirt >/dev/null || \
-  %{_sbindir}/groupadd -r libvirt || :
+%{_bindir}/getent group libvirt >/dev/null || %{_sbindir}/groupadd -r libvirt
+%service_add_pre libvirtd.service virtlockd.service virtlockd.socket virtlogd.service virtlogd.socket

 %post daemon
 /sbin/ldconfig
-%service_add_post libvirtd.service
-%service_add_post virtlockd.service virtlockd.socket
-%service_add_post virtlogd.service virtlogd.socket
+%if %{with_apparmor}
+%apparmor_reload /etc/apparmor.d/usr.sbin.libvirtd
+%endif
+%service_add_post libvirtd.service virtlockd.service virtlockd.socket virtlogd.service virtlogd.socket
 %{fillup_only -n libvirtd}
 %{fillup_only -n virtlockd}
 %{fillup_only -n virtlogd}

 %preun daemon
-%service_del_preun libvirtd.service
-%service_del_preun virtlockd.service virtlockd.socket
-%service_del_preun virtlogd.service virtlogd.socket
+%service_del_preun libvirtd.service virtlockd.service virtlockd.socket virtlogd.service virtlogd.socket

 %postun daemon
 /sbin/ldconfig
@ -1281,9 +1281,7 @@ if test $1 -eq 0 ; then
    done
    /usr/bin/systemctl daemon-reload >/dev/null 2>&1 || :
 fi
-   %service_del_postun libvirtd.service
-   %service_del_postun virtlockd.service virtlockd.socket
-   %service_del_postun virtlogd.service virtlogd.socket
+   %service_del_postun libvirtd.service virtlockd.service virtlockd.socket virtlogd.service virtlogd.socket

 %posttrans daemon
 # All connection drivers should be installed post transaction.