Accepting request 711148 from home:jfehlig:branches:Virtualization

Fixes for CVE's made public today.

- api: disallow virConnect*HypervisorCPU,
  virConnectGetDomainCapabilities, virDomainManagedSaveDefineXML,
  and virDomainSaveImageGetXMLDesc on read-only connections
  CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc.patch,
  CVE-2019-10166-api-disallow-virDomainManagedSaveDefineXML.patch,
  CVE-2019-10167-api-disallow-virConnectGetDomainCapabilities.patch,
  CVE-2019-10168-api-disallow-virConnect-HypervisorCPU.patch
  CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168
  bsc#1138301, bsc#1138302, bsc#1138303, bsc#1138305

OBS-URL: https://build.opensuse.org/request/show/711148
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=765

8afa68ba-CVE-2019-10167.patch

@@ -0,0 +1,25 @@
+commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26
+Author: Ján Tomko <jtomko@redhat.com>
+Date:   Fri Jun 14 09:16:14 2019 +0200
+
+    api: disallow virConnectGetDomainCapabilities on read-only connections
+    
+    This API can be used to execute arbitrary emulators.
+    Forbid it on read-only connections.
+    
+    Fixes: CVE-2019-10167
+    Signed-off-by: Ján Tomko <jtomko@redhat.com>
+    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Index: libvirt-5.4.0/src/libvirt-domain.c
+===================================================================
+--- libvirt-5.4.0.orig/src/libvirt-domain.c
++++ libvirt-5.4.0/src/libvirt-domain.c
+@@ -11360,6 +11360,7 @@ virConnectGetDomainCapabilities(virConne
+     virResetLastError();
+ 
+     virCheckConnectReturn(conn, NULL);
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectGetDomainCapabilities) {
+         char *ret;

aed6a032-CVE-2019-10161.patch

@@ -0,0 +1,73 @@
+commit aed6a032cead4386472afb24b16196579e239580
+Author: Ján Tomko <jtomko@redhat.com>
+Date:   Fri Jun 14 08:47:42 2019 +0200
+
+    api: disallow virDomainSaveImageGetXMLDesc on read-only connections
+    
+    The virDomainSaveImageGetXMLDesc API is taking a path parameter,
+    which can point to any path on the system. This file will then be
+    read and parsed by libvirtd running with root privileges.
+    
+    Forbid it on read-only connections.
+    
+    Fixes: CVE-2019-10161
+    Reported-by: Matthias Gerstner <mgerstner@suse.de>
+    Signed-off-by: Ján Tomko <jtomko@redhat.com>
+    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Index: libvirt-5.4.0/src/libvirt-domain.c
+===================================================================
+--- libvirt-5.4.0.orig/src/libvirt-domain.c
++++ libvirt-5.4.0/src/libvirt-domain.c
+@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn
+  * previously by virDomainSave() or virDomainSaveFlags().
+  *
+  * No security-sensitive data will be included unless @flags contains
+- * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE; this flag is rejected on read-only
+- * connections.
++ * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE.
+  *
+  * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
+  * error.  The caller must free() the returned value.
+@@ -1090,13 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectP
+ 
+     virCheckConnectReturn(conn, NULL);
+     virCheckNonNullArgGoto(file, error);
+-
+-    if ((conn->flags & VIR_CONNECT_RO) &&
+-        (flags & VIR_DOMAIN_SAVE_IMAGE_XML_SECURE)) {
+-        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+-                       _("virDomainSaveImageGetXMLDesc with secure flag"));
+-        goto error;
+-    }
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->domainSaveImageGetXMLDesc) {
+         char *ret;
+Index: libvirt-5.4.0/src/qemu/qemu_driver.c
+===================================================================
+--- libvirt-5.4.0.orig/src/qemu/qemu_driver.c
++++ libvirt-5.4.0/src/qemu/qemu_driver.c
+@@ -7038,7 +7038,7 @@ qemuDomainSaveImageGetXMLDesc(virConnect
+     if (fd < 0)
+         goto cleanup;
+ 
+-    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
++    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
+         goto cleanup;
+ 
+     ret = qemuDomainDefFormatXML(driver, def, flags);
+Index: libvirt-5.4.0/src/remote/remote_protocol.x
+===================================================================
+--- libvirt-5.4.0.orig/src/remote/remote_protocol.x
++++ libvirt-5.4.0/src/remote/remote_protocol.x
+@@ -5242,8 +5242,7 @@ enum remote_procedure {
+     /**
+      * @generate: both
+      * @priority: high
+-     * @acl: domain:read
+-     * @acl: domain:read_secure:VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
++     * @acl: domain:write
+      */
+     REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
+ 

bf6c2830-CVE-2019-10168.patch

@@ -0,0 +1,33 @@
+commit bf6c2830b6c338b1f5699b095df36f374777b291
+Author: Ján Tomko <jtomko@redhat.com>
+Date:   Fri Jun 14 09:17:39 2019 +0200
+
+    api: disallow virConnect*HypervisorCPU on read-only connections
+    
+    These APIs can be used to execute arbitrary emulators.
+    Forbid them on read-only connections.
+    
+    Fixes: CVE-2019-10168
+    Signed-off-by: Ján Tomko <jtomko@redhat.com>
+    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Index: libvirt-5.4.0/src/libvirt-host.c
+===================================================================
+--- libvirt-5.4.0.orig/src/libvirt-host.c
++++ libvirt-5.4.0/src/libvirt-host.c
+@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnec
+ 
+     virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
+     virCheckNonNullArgGoto(xmlCPU, error);
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectCompareHypervisorCPU) {
+         int ret;
+@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConne
+ 
+     virCheckConnectReturn(conn, NULL);
+     virCheckNonNullArgGoto(xmlCPUs, error);
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectBaselineHypervisorCPU) {
+         char *cpu;

db0b7845-CVE-2019-10166.patch

@@ -0,0 +1,27 @@
+commit db0b78457f183e4c7ac45bc94de86044a1e2056a
+Author: Ján Tomko <jtomko@redhat.com>
+Date:   Fri Jun 14 09:14:53 2019 +0200
+
+    api: disallow virDomainManagedSaveDefineXML on read-only connections
+    
+    The virDomainManagedSaveDefineXML can be used to alter the domain's
+    config used for managedsave or even execute arbitrary emulator binaries.
+    Forbid it on read-only connections.
+    
+    Fixes: CVE-2019-10166
+    Reported-by: Matthias Gerstner <mgerstner@suse.de>
+    Signed-off-by: Ján Tomko <jtomko@redhat.com>
+    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Index: libvirt-5.4.0/src/libvirt-domain.c
+===================================================================
+--- libvirt-5.4.0.orig/src/libvirt-domain.c
++++ libvirt-5.4.0/src/libvirt-domain.c
+@@ -9563,6 +9563,7 @@ virDomainManagedSaveDefineXML(virDomainP
+ 
+     virCheckDomainReturn(domain, -1);
+     conn = domain->conn;
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->domainManagedSaveDefineXML) {
+         int ret;

libvirt.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Jun 20 14:55:04 UTC 2019 - Jim Fehlig <jfehlig@suse.com>
+
+- api: disallow virConnect*HypervisorCPU,
+  virConnectGetDomainCapabilities, virDomainManagedSaveDefineXML,
+  and virDomainSaveImageGetXMLDesc on read-only connections
+  CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc.patch,
+  CVE-2019-10166-api-disallow-virDomainManagedSaveDefineXML.patch,
+  CVE-2019-10167-api-disallow-virConnectGetDomainCapabilities.patch,
+  CVE-2019-10168-api-disallow-virConnect-HypervisorCPU.patch
+  CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168
+  bsc#1138301, bsc#1138302, bsc#1138303, bsc#1138305
+
 -------------------------------------------------------------------
 Wed Jun 12 15:03:47 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
 

libvirt.spec

@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -336,6 +336,10 @@ Source6:        libvirtd-relocation-server.xml
 Source99:       baselibs.conf
 Source100:      %{name}-rpmlintrc
 # Upstream patches
+Patch0:         aed6a032-CVE-2019-10161.patch
+Patch1:         db0b7845-CVE-2019-10166.patch
+Patch2:         8afa68ba-CVE-2019-10167.patch
+Patch3:         bf6c2830-CVE-2019-10168.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@@ -868,6 +872,10 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 %patch100 -p1
 %patch101 -p1
 %patch150 -p1