b1674ad5-CVE-2014-7823.patch bsc#904176 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=418
commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b
Author: Eric Blake <eblake@redhat.com>
Date: Fri Oct 31 22:14:07 2014 -0600
CVE-2014-7823: dumpxml: security hole with migratable flag
Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
the qemu implementation of virDomainGetXMLDesc, the use of the
flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
prior to calling qemuDomainFormatXML. However, the use of
VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
clients only. This patch treats the migratable flag as requiring
the same permissions, rather than analyzing what might break if
migratable xml no longer includes secret information.
Fortunately, the information leak is low-risk: all that is gated
by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
but VNC passwords are already weak (FIPS forbids their use, and
on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
password sent in plaintext over the network deserves what they
get). SPICE offers better security than VNC, and all other
secrets are properly protected by use of virSecret associations
rather than direct output in domain XML.
* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
Tighten rules on use of migratable flag.
* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
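Index: libvirt-1.2.10/src/libvirt-domain.c
===================================================================
--- libvirt-1.2.10.orig/src/libvirt-domain.c
+++ libvirt-1.2.10/src/libvirt-domain.c
@@ -2607,7 +2607,8 @@ virDomainGetXMLDesc(virDomainPtr domain,
 virCheckDomainReturn(domain, NULL);
 conn = domain->conn;
 
- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+ if ((conn->flags & VIR_CONNECT_RO) &&
+ (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) {
 virReportError(VIR_ERR_OPERATION_DENIED, "%s",
 _("virDomainGetXMLDesc with secure flag"));
 goto error;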
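Review bot: The denial message on the `virReportError` line still reads `virDomainGetXMLDesc with secure flag`, so a read-only client that passed only VIR_DOMAIN_XML_MIGRATABLE is told about a flag it never set. Either name both flags, for example `_("virDomainGetXMLDesc with secure or migratable flag")`, or add a comment above the check such as `/* MIGRATABLE implies SECURE in at least the qemu driver, so gate it the same way */`. The check is a hand-kept list of flags known to expose secrets. Other XML-formatting entry points that accept the same flags are not visible in this hunk and are worth auditing for the same gap. The body of virDomainGetXMLDesc starts and ends outside the hunk.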
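Index: libvirt-1.2.10/src/remote/remote_protocol.x
===================================================================
--- libvirt-1.2.10.orig/src/remote/remote_protocol.x
+++ libvirt-1.2.10/src/remote/remote_protocol.x
@@ -3255,6 +3255,7 @@ enum remote_procedure {
 * @generate: both
 * @acl: domain:read
 * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
+ * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE
 */
 REMOTE_PROC_DOMAIN_GET_XML_DESC = 14,
 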
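Review bot: The added `@acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE` line gives no reason why a flag without "secure" in its name requires read_secure, and it has to be kept in step by hand with the read-only check in virDomainGetXMLDesc. A one-line rationale next to the annotation would help, for example `MIGRATABLE makes the qemu driver add SECURE implicitly; keep in sync with the RO check in virDomainGetXMLDesc`. It should go wherever the dispatch generator tolerates free text, since the parsing rules for this annotation block are not visible here. The enum continues outside the hunk.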