From 9b252d250180a63cccb8f69ac3ce8cef18d9fb1dfe442a7373bbbfd7c55fa3c2 Mon Sep 17 00:00:00 2001
From: James Fehlig
Date: Tue, 21 May 2019 17:48:44 +0000
Subject: [PATCH] Accepting request 704536 from home:jfehlig:branches:Virtualization - admin: reject clients unless their UID matches the server UID CVE-2019-10132 96f41cd7-admin-reject-clients.patch, f111e094-locking-restrict-sockets-to-mode-0600.patch, e37bd65f-logging-restrict-sockets-to-mode-0600.patch bsc#1134348
OBS-URL: https://build.opensuse.org/request/show/704536
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=756
---
 96f41cd7-admin-reject-clients.patch | 48 +++++++++++++++++++
 ...ogging-restrict-sockets-to-mode-0600.patch | 41 ++++++++++++++++
 ...ocking-restrict-sockets-to-mode-0600.patch | 41 ++++++++++++++++
 libvirt.changes | 10 ++++
 libvirt.spec | 6 +++
 5 files changed, 146 insertions(+)
 create mode 100644 96f41cd7-admin-reject-clients.patch
 create mode 100644 e37bd65f-logging-restrict-sockets-to-mode-0600.patch
 create mode 100644 f111e094-locking-restrict-sockets-to-mode-0600.patch
diff --git a/96f41cd7-admin-reject-clients.patch b/96f41cd7-admin-reject-clients.patch
new file mode 100644
index 0000000..d24c254
--- /dev/null
+++ b/96f41cd7-admin-reject-clients.patch
@@ -0,0 +1,48 @@
+commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7
+Author: Daniel P. Berrangé
+Date: Tue Apr 30 17:26:13 2019 +0100
+
+ admin: reject clients unless their UID matches the current UID
+
+ The admin protocol RPC messages are only intended for use by the user
+ running the daemon. As such they should not be allowed for any client
+ UID that does not match the server UID.
+
+ Fixes CVE-2019-10132
+
+ Reviewed-by: Ján Tomko
+
Signed-off-by: Daniel P. Berrangé
+
+Index: libvirt-5.3.0/src/admin/admin_server_dispatch.c
+===================================================================
+--- libvirt-5.3.0.orig/src/admin/admin_server_dispatch.c
++++ libvirt-5.3.0/src/admin/admin_server_dispatch.c
+@@ -64,6 +64,28 @@ remoteAdmClientNew(virNetServerClientPtr
+ void *opaque)
+ {
+ struct daemonAdmClientPrivate *priv;
++ uid_t clientuid;
++ gid_t clientgid;
++ pid_t clientpid;
++ unsigned long long timestamp;
++
++ if (virNetServerClientGetUNIXIdentity(client,
++ &clientuid,
++ &clientgid,
++ &clientpid,
++ ×tamp) < 0)
++ return NULL;
++
++ VIR_DEBUG("New client pid %lld uid %lld",
++ (long long)clientpid,
++ (long long)clientuid);
++
++ if (geteuid() != clientuid) {
++ virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
++ (long long)clientpid,
++ (long long)clientuid);
++ return NULL;
++ }
+
+ if (VIR_ALLOC(priv) < 0)
+ return NULL;
diff --git a/e37bd65f-logging-restrict-sockets-to-mode-0600.patch b/e37bd65f-logging-restrict-sockets-to-mode-0600.patch
new file mode 100644
index 0000000..0e7967c
--- /dev/null
+++ b/e37bd65f-logging-restrict-sockets-to-mode-0600.patch
@@ -0,0 +1,41 @@
+commit e37bd65f9948c1185456b2cdaa3bd6e875af680f
+Author: Daniel P. Berrangé
+Date: Tue Apr 30 17:27:41 2019 +0100
+
+ logging: restrict sockets to mode 0600
+
+ The virtlogd daemon's only intended client is the libvirtd daemon. As
+ such it should never allow clients from other user accounts to connect.
+ The code already enforces this and drops clients from other UIDs, but
+ we can get earlier (and thus stronger) protection against DoS by setting
+ the socket permissions to 0600
+
+ Fixes CVE-2019-10132
+
+ Reviewed-by: Ján Tomko
+
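Review bot: The UID gate added to `remoteAdmClientNew` (the admin_server_dispatch.c hunk carried inside 96f41cd7-admin-reject-clients.patch) has no comment, so the fail-closed intent described in the commit message is not visible at the code itself. I would add above the identity lookup: `/* Admin RPC is only for the user running the daemon: reject the client if its UNIX identity cannot be read or its UID differs from ours. */`. `clientgid` and `timestamp` are filled in but never read in the visible lines, presumably only because the helper takes all four out-parameters; a short remark saying so would keep a later cleanup from touching the call. The fifth argument prints on this page as `×tamp`, which given the `timestamp` declaration is presumably `&timestamp` mangled in extraction. The function body continues past the end of the hunk.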
Signed-off-by: Daniel P. Berrangé
+
+Index: libvirt-5.3.0/src/logging/virtlogd-admin.socket.in
+===================================================================
+--- libvirt-5.3.0.orig/src/logging/virtlogd-admin.socket.in
++++ libvirt-5.3.0/src/logging/virtlogd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
+ Service=virtlogd.service
++SocketMode=0600
+
+ [Install]
+ WantedBy=sockets.target
+Index: libvirt-5.3.0/src/logging/virtlogd.socket.in
+===================================================================
+--- libvirt-5.3.0.orig/src/logging/virtlogd.socket.in
++++ libvirt-5.3.0/src/logging/virtlogd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
++SocketMode=0600
+
+ [Install]
+ WantedBy=sockets.target
diff --git a/f111e094-locking-restrict-sockets-to-mode-0600.patch b/f111e094-locking-restrict-sockets-to-mode-0600.patch
new file mode 100644
index 0000000..e7ce15f
--- /dev/null
+++ b/f111e094-locking-restrict-sockets-to-mode-0600.patch
@@ -0,0 +1,41 @@
+commit f111e09468693909b1f067aa575efdafd9a262a1
+Author: Daniel P. Berrangé
+Date: Tue Apr 30 16:51:37 2019 +0100
+
+ locking: restrict sockets to mode 0600
+
+ The virtlockd daemon's only intended client is the libvirtd daemon. As
+ such it should never allow clients from other user accounts to connect.
+ The code already enforces this and drops clients from other UIDs, but
+ we can get earlier (and thus stronger) protection against DoS by setting
+ the socket permissions to 0600
+
+ Fixes CVE-2019-10132
+
+ Reviewed-by: Ján Tomko
+
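Review bot: `SocketMode=0600` in virtlogd-admin.socket.in and virtlogd.socket.in is applied when systemd creates the socket node, so a host that installs this update while the socket units stay active would presumably keep the old, wider permissions on the existing socket files until those units are restarted. Nothing visible in this commit restarts them (the libvirt.spec hunks only register the three patches), so it is worth confirming that the package scriptlets do, or saying in the changelog entry that the sockets need a restart for the fix to take effect. The same applies to the virtlockd-admin.socket.in and virtlockd.socket.in hunks in f111e094-locking-restrict-sockets-to-mode-0600.patch. A one-line comment above the setting, e.g. `# libvirtd is the only intended client; keep other local users from connecting`, would also record why the mode is this tight.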
Signed-off-by: Daniel P. Berrangé
+
+Index: libvirt-5.3.0/src/locking/virtlockd-admin.socket.in
+===================================================================
+--- libvirt-5.3.0.orig/src/locking/virtlockd-admin.socket.in
++++ libvirt-5.3.0/src/locking/virtlockd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
+ Service=virtlockd.service
++SocketMode=0600
+
+ [Install]
+ WantedBy=sockets.target
+Index: libvirt-5.3.0/src/locking/virtlockd.socket.in
+===================================================================
+--- libvirt-5.3.0.orig/src/locking/virtlockd.socket.in
++++ libvirt-5.3.0/src/locking/virtlockd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
++SocketMode=0600
+
+ [Install]
+ WantedBy=sockets.target
diff --git a/libvirt.changes b/libvirt.changes
index bff1a46..77af06d 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue May 21 17:15:09 UTC 2019 - James Fehlig
+
+- admin: reject clients unless their UID matches the server UID
+ CVE-2019-10132
+ 96f41cd7-admin-reject-clients.patch,
+ f111e094-locking-restrict-sockets-to-mode-0600.patch,
+ e37bd65f-logging-restrict-sockets-to-mode-0600.patch
+ bsc#1134348
+
 -------------------------------------------------------------------
 Mon May 20 21:50:28 UTC 2019 - James Fehlig
diff --git a/libvirt.spec b/libvirt.spec
index 970be91..c512450 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -339,6 +339,9 @@ Source100: %{name}-rpmlintrc
 # Upstream patches
 Patch0: 5cd9db3a-cputest-add-data-E3-1225-v5.patch
 Patch1: 538d8735-cpu_map-Define-md-clear-CPUID-bit.patch
+Patch2: 96f41cd7-admin-reject-clients.patch
+Patch3: f111e094-locking-restrict-sockets-to-mode-0600.patch
+Patch4: e37bd65f-logging-restrict-sockets-to-mode-0600.patch
 # Patches pending upstream review
 Patch100: libxl-dom-reset.patch
 Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@@ -874,6 +877,9 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 %patch100 -p1
 %patch101 -p1
 %patch150 -p1