Accepting request 704536 from home:jfehlig:branches:Virtualization

- admin: reject clients unless their UID matches the server UID
  CVE-2019-10132
  96f41cd7-admin-reject-clients.patch,
  f111e094-locking-restrict-sockets-to-mode-0600.patch,
  e37bd65f-logging-restrict-sockets-to-mode-0600.patch
  bsc#1134348

OBS-URL: https://build.opensuse.org/request/show/704536
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=756

96f41cd7-admin-reject-clients.patch

@@ -0,0 +1,48 @@
+commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7
+Author: Daniel P. Berrangé <berrange@redhat.com>
+Date:   Tue Apr 30 17:26:13 2019 +0100
+
+    admin: reject clients unless their UID matches the current UID
+    
+    The admin protocol RPC messages are only intended for use by the user
+    running the daemon. As such they should not be allowed for any client
+    UID that does not match the server UID.
+    
+    Fixes CVE-2019-10132
+    
+    Reviewed-by: Ján Tomko <jtomko@redhat.com>
+    Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Index: libvirt-5.3.0/src/admin/admin_server_dispatch.c
+===================================================================
+--- libvirt-5.3.0.orig/src/admin/admin_server_dispatch.c
++++ libvirt-5.3.0/src/admin/admin_server_dispatch.c
+@@ -64,6 +64,28 @@ remoteAdmClientNew(virNetServerClientPtr
+                    void *opaque)
+ {
+     struct daemonAdmClientPrivate *priv;
++    uid_t clientuid;
++    gid_t clientgid;
++    pid_t clientpid;
++    unsigned long long timestamp;
++
++    if (virNetServerClientGetUNIXIdentity(client,
++                                          &clientuid,
++                                          &clientgid,
++                                          &clientpid,
++                                          &timestamp) < 0)
++        return NULL;
++
++    VIR_DEBUG("New client pid %lld uid %lld",
++              (long long)clientpid,
++              (long long)clientuid);
++
++    if (geteuid() != clientuid) {
++        virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
++                                 (long long)clientpid,
++                                 (long long)clientuid);
++        return NULL;
++    }
+ 
+     if (VIR_ALLOC(priv) < 0)
+         return NULL;

e37bd65f-logging-restrict-sockets-to-mode-0600.patch

@@ -0,0 +1,41 @@
+commit e37bd65f9948c1185456b2cdaa3bd6e875af680f
+Author: Daniel P. Berrangé <berrange@redhat.com>
+Date:   Tue Apr 30 17:27:41 2019 +0100
+
+    logging: restrict sockets to mode 0600
+    
+    The virtlogd daemon's only intended client is the libvirtd daemon. As
+    such it should never allow clients from other user accounts to connect.
+    The code already enforces this and drops clients from other UIDs, but
+    we can get earlier (and thus stronger) protection against DoS by setting
+    the socket permissions to 0600
+    
+    Fixes CVE-2019-10132
+    
+    Reviewed-by: Ján Tomko <jtomko@redhat.com>
+    Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Index: libvirt-5.3.0/src/logging/virtlogd-admin.socket.in
+===================================================================
+--- libvirt-5.3.0.orig/src/logging/virtlogd-admin.socket.in
++++ libvirt-5.3.0/src/logging/virtlogd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
+ Service=virtlogd.service
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+Index: libvirt-5.3.0/src/logging/virtlogd.socket.in
+===================================================================
+--- libvirt-5.3.0.orig/src/logging/virtlogd.socket.in
++++ libvirt-5.3.0/src/logging/virtlogd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+ 
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target

f111e094-locking-restrict-sockets-to-mode-0600.patch

@@ -0,0 +1,41 @@
+commit f111e09468693909b1f067aa575efdafd9a262a1
+Author: Daniel P. Berrangé <berrange@redhat.com>
+Date:   Tue Apr 30 16:51:37 2019 +0100
+
+    locking: restrict sockets to mode 0600
+    
+    The virtlockd daemon's only intended client is the libvirtd daemon. As
+    such it should never allow clients from other user accounts to connect.
+    The code already enforces this and drops clients from other UIDs, but
+    we can get earlier (and thus stronger) protection against DoS by setting
+    the socket permissions to 0600
+    
+    Fixes CVE-2019-10132
+    
+    Reviewed-by: Ján Tomko <jtomko@redhat.com>
+    Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Index: libvirt-5.3.0/src/locking/virtlockd-admin.socket.in
+===================================================================
+--- libvirt-5.3.0.orig/src/locking/virtlockd-admin.socket.in
++++ libvirt-5.3.0/src/locking/virtlockd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
+ Service=virtlockd.service
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+Index: libvirt-5.3.0/src/locking/virtlockd.socket.in
+===================================================================
+--- libvirt-5.3.0.orig/src/locking/virtlockd.socket.in
++++ libvirt-5.3.0/src/locking/virtlockd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+ 
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target

libvirt.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue May 21 17:15:09 UTC 2019 - James Fehlig <jfehlig@suse.com>
+
+- admin: reject clients unless their UID matches the server UID
+  CVE-2019-10132
+  96f41cd7-admin-reject-clients.patch,
+  f111e094-locking-restrict-sockets-to-mode-0600.patch,
+  e37bd65f-logging-restrict-sockets-to-mode-0600.patch
+  bsc#1134348
+
 -------------------------------------------------------------------
 Mon May 20 21:50:28 UTC 2019 - James Fehlig <jfehlig@suse.com>
 

libvirt.spec

@@ -339,6 +339,9 @@ Source100:      %{name}-rpmlintrc
 # Upstream patches
 Patch0:         5cd9db3a-cputest-add-data-E3-1225-v5.patch
 Patch1:         538d8735-cpu_map-Define-md-clear-CPUID-bit.patch
+Patch2:         96f41cd7-admin-reject-clients.patch
+Patch3:         f111e094-locking-restrict-sockets-to-mode-0600.patch
+Patch4:         e37bd65f-logging-restrict-sockets-to-mode-0600.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@@ -874,6 +877,9 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 %patch100 -p1
 %patch101 -p1
 %patch150 -p1