376a708d02
Properly fix failing tests.
- Fix and re-enable snapshot tests
f66f70ac-snapshot-fix-use-after-free.patch
2a07c990-api-CVE-2019-3886.patch,
ae076bb4-remote-CVE-2019-3886.patch
- spec: BuildRequires rpcgen since ae076bb4-remote-CVE-2019-3886.patch
ebe9c6ea-qemu-firmware-dirent.patch
OBS-URL: https://build.opensuse.org/request/show/693774
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=746
37 lines
1.1 KiB
Diff
37 lines
1.1 KiB
Diff
commit ae076bb40e0e150aef41361b64001138d04d6c60
|
|
Author: Daniel P. Berrangé <berrange@redhat.com>
|
|
Date: Wed Mar 27 11:22:49 2019 +0000
|
|
|
|
remote: enforce ACL write permission for getting guest time & hostname
|
|
|
|
Getting the guest time and hostname both require use of guest agent
|
|
commands. These must not be allowed for read-only users, so the
|
|
permissions check must validate "write" permission not "read".
|
|
|
|
Fixes CVE-2019-3886
|
|
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
|
|
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
|
|
Index: libvirt-5.2.0/src/remote/remote_protocol.x
|
|
===================================================================
|
|
--- libvirt-5.2.0.orig/src/remote/remote_protocol.x
|
|
+++ libvirt-5.2.0/src/remote/remote_protocol.x
|
|
@@ -5513,7 +5513,7 @@ enum remote_procedure {
|
|
|
|
/**
|
|
* @generate: both
|
|
- * @acl: domain:read
|
|
+ * @acl: domain:write
|
|
*/
|
|
REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,
|
|
|
|
@@ -5908,7 +5908,7 @@ enum remote_procedure {
|
|
|
|
/**
|
|
* @generate: none
|
|
- * @acl: domain:read
|
|
+ * @acl: domain:write
|
|
*/
|
|
REMOTE_PROC_DOMAIN_GET_TIME = 337,
|
|
|