diff --git a/8afa68ba-CVE-2019-10167.patch b/8afa68ba-CVE-2019-10167.patch new file mode 100644 index 0000000..7613b65 --- /dev/null +++ b/8afa68ba-CVE-2019-10167.patch @@ -0,0 +1,25 @@ +commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26 +Author: Ján Tomko +Date: Fri Jun 14 09:16:14 2019 +0200 + + api: disallow virConnectGetDomainCapabilities on read-only connections + + This API can be used to execute arbitrary emulators. + Forbid it on read-only connections. + + Fixes: CVE-2019-10167 + Signed-off-by: Ján Tomko + Reviewed-by: Daniel P. Berrangé + +Index: libvirt-5.4.0/src/libvirt-domain.c +=================================================================== +--- libvirt-5.4.0.orig/src/libvirt-domain.c ++++ libvirt-5.4.0/src/libvirt-domain.c +@@ -11360,6 +11360,7 @@ virConnectGetDomainCapabilities(virConne + virResetLastError(); + + virCheckConnectReturn(conn, NULL); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectGetDomainCapabilities) { + char *ret; diff --git a/aed6a032-CVE-2019-10161.patch b/aed6a032-CVE-2019-10161.patch new file mode 100644 index 0000000..58dff9d --- /dev/null +++ b/aed6a032-CVE-2019-10161.patch @@ -0,0 +1,73 @@ +commit aed6a032cead4386472afb24b16196579e239580 +Author: Ján Tomko +Date: Fri Jun 14 08:47:42 2019 +0200 + + api: disallow virDomainSaveImageGetXMLDesc on read-only connections + + The virDomainSaveImageGetXMLDesc API is taking a path parameter, + which can point to any path on the system. This file will then be + read and parsed by libvirtd running with root privileges. + + Forbid it on read-only connections. + + Fixes: CVE-2019-10161 + Reported-by: Matthias Gerstner + Signed-off-by: Ján Tomko + Reviewed-by: Daniel P. Berrangé + +Index: libvirt-5.4.0/src/libvirt-domain.c +=================================================================== +--- libvirt-5.4.0.orig/src/libvirt-domain.c ++++ libvirt-5.4.0/src/libvirt-domain.c +@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn + * previously by virDomainSave() or virDomainSaveFlags(). + * + * No security-sensitive data will be included unless @flags contains +- * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE; this flag is rejected on read-only +- * connections. ++ * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE. + * + * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of + * error. The caller must free() the returned value. +@@ -1090,13 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectP + + virCheckConnectReturn(conn, NULL); + virCheckNonNullArgGoto(file, error); +- +- if ((conn->flags & VIR_CONNECT_RO) && +- (flags & VIR_DOMAIN_SAVE_IMAGE_XML_SECURE)) { +- virReportError(VIR_ERR_OPERATION_DENIED, "%s", +- _("virDomainSaveImageGetXMLDesc with secure flag")); +- goto error; +- } ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->domainSaveImageGetXMLDesc) { + char *ret; +Index: libvirt-5.4.0/src/qemu/qemu_driver.c +=================================================================== +--- libvirt-5.4.0.orig/src/qemu/qemu_driver.c ++++ libvirt-5.4.0/src/qemu/qemu_driver.c +@@ -7038,7 +7038,7 @@ qemuDomainSaveImageGetXMLDesc(virConnect + if (fd < 0) + goto cleanup; + +- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0) ++ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) + goto cleanup; + + ret = qemuDomainDefFormatXML(driver, def, flags); +Index: libvirt-5.4.0/src/remote/remote_protocol.x +=================================================================== +--- libvirt-5.4.0.orig/src/remote/remote_protocol.x ++++ libvirt-5.4.0/src/remote/remote_protocol.x +@@ -5242,8 +5242,7 @@ enum remote_procedure { + /** + * @generate: both + * @priority: high +- * @acl: domain:read +- * @acl: domain:read_secure:VIR_DOMAIN_SAVE_IMAGE_XML_SECURE ++ * @acl: domain:write + */ + REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235, + diff --git a/bf6c2830-CVE-2019-10168.patch b/bf6c2830-CVE-2019-10168.patch new file mode 100644 index 0000000..48c09ee --- /dev/null +++ b/bf6c2830-CVE-2019-10168.patch @@ -0,0 +1,33 @@ +commit bf6c2830b6c338b1f5699b095df36f374777b291 +Author: Ján Tomko +Date: Fri Jun 14 09:17:39 2019 +0200 + + api: disallow virConnect*HypervisorCPU on read-only connections + + These APIs can be used to execute arbitrary emulators. + Forbid them on read-only connections. + + Fixes: CVE-2019-10168 + Signed-off-by: Ján Tomko + Reviewed-by: Daniel P. Berrangé + +Index: libvirt-5.4.0/src/libvirt-host.c +=================================================================== +--- libvirt-5.4.0.orig/src/libvirt-host.c ++++ libvirt-5.4.0/src/libvirt-host.c +@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnec + + virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR); + virCheckNonNullArgGoto(xmlCPU, error); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectCompareHypervisorCPU) { + int ret; +@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConne + + virCheckConnectReturn(conn, NULL); + virCheckNonNullArgGoto(xmlCPUs, error); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectBaselineHypervisorCPU) { + char *cpu; diff --git a/db0b7845-CVE-2019-10166.patch b/db0b7845-CVE-2019-10166.patch new file mode 100644 index 0000000..c3dad4d --- /dev/null +++ b/db0b7845-CVE-2019-10166.patch @@ -0,0 +1,27 @@ +commit db0b78457f183e4c7ac45bc94de86044a1e2056a +Author: Ján Tomko +Date: Fri Jun 14 09:14:53 2019 +0200 + + api: disallow virDomainManagedSaveDefineXML on read-only connections + + The virDomainManagedSaveDefineXML can be used to alter the domain's + config used for managedsave or even execute arbitrary emulator binaries. + Forbid it on read-only connections. + + Fixes: CVE-2019-10166 + Reported-by: Matthias Gerstner + Signed-off-by: Ján Tomko + Reviewed-by: Daniel P. Berrangé + +Index: libvirt-5.4.0/src/libvirt-domain.c +=================================================================== +--- libvirt-5.4.0.orig/src/libvirt-domain.c ++++ libvirt-5.4.0/src/libvirt-domain.c +@@ -9563,6 +9563,7 @@ virDomainManagedSaveDefineXML(virDomainP + + virCheckDomainReturn(domain, -1); + conn = domain->conn; ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->domainManagedSaveDefineXML) { + int ret; diff --git a/libvirt.changes b/libvirt.changes index b6520bb..62606dc 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Thu Jun 20 14:55:04 UTC 2019 - Jim Fehlig + +- api: disallow virConnect*HypervisorCPU, + virConnectGetDomainCapabilities, virDomainManagedSaveDefineXML, + and virDomainSaveImageGetXMLDesc on read-only connections + CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc.patch, + CVE-2019-10166-api-disallow-virDomainManagedSaveDefineXML.patch, + CVE-2019-10167-api-disallow-virConnectGetDomainCapabilities.patch, + CVE-2019-10168-api-disallow-virConnect-HypervisorCPU.patch + CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168 + bsc#1138301, bsc#1138302, bsc#1138303, bsc#1138305 + ------------------------------------------------------------------- Wed Jun 12 15:03:47 UTC 2019 - Dominique Leuenberger diff --git a/libvirt.spec b/libvirt.spec index 78597bc..5d7813f 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -336,6 +336,10 @@ Source6: libvirtd-relocation-server.xml Source99: baselibs.conf Source100: %{name}-rpmlintrc # Upstream patches +Patch0: aed6a032-CVE-2019-10161.patch +Patch1: db0b7845-CVE-2019-10166.patch +Patch2: 8afa68ba-CVE-2019-10167.patch +Patch3: bf6c2830-CVE-2019-10168.patch # Patches pending upstream review Patch100: libxl-dom-reset.patch Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch @@ -868,6 +872,10 @@ libvirt plugin for NSS for translating domain names into IP addresses. %prep %setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %patch100 -p1 %patch101 -p1 %patch150 -p1