pool/libvirt
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
f6a2304c86
libvirt/759b4d1b-virlog-determine-the-hostname-on-startup-CVE-2018-67.patch
Cédric Bosdonnat 63dfdb29d7 Accepting request 574765 from home:cbosdonnat:branches:Virtualization 
- Remove all uses of python2 during the build (bsc#1080034)
    6b3d716e-keycodemap-py3.patch
    apibuild-py3.patch
- Determine hostname early to avoid code injection
  in lxc driver. (bsc#1080042)
    759b4d1b-virlog-determine-the-hostname-on-startup-CVE-2018-67.patch
- Add basic support of connectGetAllDomainStats for lxc driver
  (fate#323742)
    0001-Extract-stats-functions-from-the-qemu-driver.patch
    0002-lxc-implement-connectGetAllDomainStats.patch

OBS-URL: https://build.opensuse.org/request/show/574765
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=667
2018-02-09 16:35:42 +00:00

66 lines
2.0 KiB
Diff
Raw Blame History

From 759b4d1b0fe5f4d84d98b99153dfa7ac289dd167 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Sat, 27 Jan 2018 23:43:58 +0100
Subject: [PATCH] virlog: determine the hostname on startup CVE-2018-6764
At later point it might not be possible or even safe to use getaddrinfo(). It
can in turn result in a load of NSS module.
Notably, on a LXC container startup we may find ourselves with the guest
filesystem already having replaced the host one. Loading a NSS module
from the guest tree would allow a malicous guest to escape the
confinement of its container environment because libvirt will not yet
have locked it down.
---
src/util/virlog.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/util/virlog.c b/src/util/virlog.c
index 68439b919..9105337ce 100644
--- a/src/util/virlog.c
+++ b/src/util/virlog.c
@@ -64,6 +64,7 @@
VIR_LOG_INIT("util.log");
static regex_t *virLogRegex;
+static char *virLogHostname;
#define VIR_LOG_DATE_REGEX "[0-9]{4}-[0-9]{2}-[0-9]{2}"
@@ -271,6 +272,12 @@ virLogOnceInit(void)
VIR_FREE(virLogRegex);
}
+ /* We get and remember the hostname early, because at later time
+ * it might not be possible to load NSS modules via getaddrinfo()
+ * (e.g. at container startup the host filesystem will not be
+ * accessible anymore. */
+ virLogHostname = virGetHostnameQuiet();
+
virLogUnlock();
return 0;
}
@@ -466,17 +473,14 @@ static int
virLogHostnameString(char **rawmsg,
char **msg)
{
- char *hostname = virGetHostnameQuiet();
char *hoststr;
- if (!hostname)
+ if (!virLogHostname)
return -1;
- if (virAsprintfQuiet(&hoststr, "hostname: %s", hostname) < 0) {
- VIR_FREE(hostname);
+ if (virAsprintfQuiet(&hoststr, "hostname: %s", virLogHostname) < 0) {
return -1;
}
- VIR_FREE(hostname);
if (virLogFormatString(msg, 0, NULL, VIR_LOG_INFO, hoststr) < 0) {
VIR_FREE(hoststr);
--
2.15.1
Reference in New Issue View Git Blame Copy Permalink