libvirt/034e47c3-CVE-2015-5313.patch

commit 034e47c338b13a95cf02106a3af912c1c5f818d7
Author: Eric Blake <eblake@redhat.com>
Date:   Tue Dec 8 17:46:31 2015 -0700

    CVE-2015-5313: storage: don't allow '/' in filesystem volume names
    
    The libvirt file system storage driver determines what file to
    act on by concatenating the pool location with the volume name.
    If a user is able to pick names like "../../../etc/passwd", then
    they can escape the bounds of the pool.  For that matter,
    virStoragePoolListVolumes() doesn't descend into subdirectories,
    so a user really shouldn't use a name with a slash.
    
    Normally, only privileged users can coerce libvirt into creating
    or opening existing files using the virStorageVol APIs; and such
    users already have full privilege to create any domain XML (so it
    is not an escalation of privilege).  But in the case of
    fine-grained ACLs, it is feasible that a user can be granted
    storage_vol:create but not domain:write, and it violates
    assumptions if such a user can abuse libvirt to access files
    outside of the storage pool.
    
    Therefore, prevent all use of volume names that contain "/",
    whether or not such a name is actually attempting to escape the
    pool.
    
    This changes things from:
    
    $ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
    Vol ../../../../../../etc/haha created
    $ rm /etc/haha
    
    to:
    
    $ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
    error: Failed to create vol ../../../../../../etc/haha
    error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/'
    
    Signed-off-by: Eric Blake <eblake@redhat.com>

Index: libvirt-1.3.0/src/storage/storage_backend_fs.c
===================================================================
--- libvirt-1.3.0.orig/src/storage/storage_backend_fs.c
+++ libvirt-1.3.0/src/storage/storage_backend_fs.c
@@ -1,7 +1,7 @@
 /*
  * storage_backend_fs.c: storage backend for FS and directory handling
  *
- * Copyright (C) 2007-2014 Red Hat, Inc.
+ * Copyright (C) 2007-2015 Red Hat, Inc.
  * Copyright (C) 2007-2008 Daniel P. Berrange
  *
  * This library is free software; you can redistribute it and/or
@@ -1057,6 +1057,14 @@ virStorageBackendFileSystemVolCreate(vir
     else
         vol->type = VIR_STORAGE_VOL_FILE;
 
+    /* Volumes within a directory pools are not recursive; do not
+     * allow escape to ../ or a subdir */
+    if (strchr(vol->name, '/')) {
+        virReportError(VIR_ERR_OPERATION_INVALID,
+                       _("volume name '%s' cannot contain '/'"), vol->name);
+        return -1;
+    }
+
     VIR_FREE(vol->target.path);
     if (virAsprintf(&vol->target.path, "%s/%s",
                     pool->def->target.path,
Accepting request 349565 from home:jfehlig:branches:Virtualization - CVE-2015-5313: don't allow '/' in filesystem volume names 034e47c3-CVE-2015-5313.patch bsc#953110 - Fix failing qemuxml2argv test on 32-bit platforms ace1ee22-qemuxml2argv-test.patch - Update to libvirt 1.3.0 - New virtlogd log daemon - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Dropped patch: 703ec1b7-qemu-bridge-helper-fix.patch - Added patch: virtlogd-init-script.patch OBS-URL: https://build.opensuse.org/request/show/349565 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=505 2015-12-18 21:01:20 +00:00			`commit 034e47c338b13a95cf02106a3af912c1c5f818d7`
			`Author: Eric Blake <eblake@redhat.com>`
			`Date: Tue Dec 8 17:46:31 2015 -0700`

			`CVE-2015-5313: storage: don't allow '/' in filesystem volume names`

			`The libvirt file system storage driver determines what file to`
			`act on by concatenating the pool location with the volume name.`
			`If a user is able to pick names like "../../../etc/passwd", then`
			`they can escape the bounds of the pool. For that matter,`
			`virStoragePoolListVolumes() doesn't descend into subdirectories,`
			`so a user really shouldn't use a name with a slash.`

			`Normally, only privileged users can coerce libvirt into creating`
			`or opening existing files using the virStorageVol APIs; and such`
			`users already have full privilege to create any domain XML (so it`
			`is not an escalation of privilege). But in the case of`
			`fine-grained ACLs, it is feasible that a user can be granted`
			`storage_vol:create but not domain:write, and it violates`
			`assumptions if such a user can abuse libvirt to access files`
			`outside of the storage pool.`

			`Therefore, prevent all use of volume names that contain "/",`
			`whether or not such a name is actually attempting to escape the`
			`pool.`

			`This changes things from:`

			`$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128`
			`Vol ../../../../../../etc/haha created`
			`$ rm /etc/haha`

			`to:`

			`$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128`
			`error: Failed to create vol ../../../../../../etc/haha`
			`error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/'`

			`Signed-off-by: Eric Blake <eblake@redhat.com>`

			`Index: libvirt-1.3.0/src/storage/storage_backend_fs.c`
			`===================================================================`
			`--- libvirt-1.3.0.orig/src/storage/storage_backend_fs.c`
			`+++ libvirt-1.3.0/src/storage/storage_backend_fs.c`
			`@@ -1,7 +1,7 @@`
			`/*`
			`* storage_backend_fs.c: storage backend for FS and directory handling`
			`*`
			`- * Copyright (C) 2007-2014 Red Hat, Inc.`
			`+ * Copyright (C) 2007-2015 Red Hat, Inc.`
			`* Copyright (C) 2007-2008 Daniel P. Berrange`
			`*`
			`* This library is free software; you can redistribute it and/or`
			`@@ -1057,6 +1057,14 @@ virStorageBackendFileSystemVolCreate(vir`
			`else`
			`vol->type = VIR_STORAGE_VOL_FILE;`

			`+ /* Volumes within a directory pools are not recursive; do not`
			`+ * allow escape to ../ or a subdir */`
			`+ if (strchr(vol->name, '/')) {`
			`+ virReportError(VIR_ERR_OPERATION_INVALID,`
			`+ _("volume name '%s' cannot contain '/'"), vol->name);`
			`+ return -1;`
			`+ }`
			`+`
			`VIR_FREE(vol->target.path);`
			`if (virAsprintf(&vol->target.path, "%s/%s",`
			`pool->def->target.path,`