Accepting request 704536 from home:jfehlig:branches:Virtualization

- admin: reject clients unless their UID matches the server UID CVE-2019-10132 96f41cd7-admin-reject-clients.patch, f111e094-locking-restrict-sockets-to-mode-0600.patch, e37bd65f-logging-restrict-sockets-to-mode-0600.patch bsc#1134348 OBS-URL: https://build.opensuse.org/request/show/704536 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=756
2019-05-21 17:48:44 +00:00 · 2019-05-21 17:48:44 +00:00 · 9b252d2501
commit 9b252d2501
parent 30cdfb8cae
5 changed files with 146 additions and 0 deletions
--- a/96f41cd7-admin-reject-clients.patch
+++ b/96f41cd7-admin-reject-clients.patch
@ -0,0 +1,48 @@
+commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7
+Author: Daniel P. Berrangé <berrange@redhat.com>
+Date:   Tue Apr 30 17:26:13 2019 +0100
+
+    admin: reject clients unless their UID matches the current UID
+    
+    The admin protocol RPC messages are only intended for use by the user
+    running the daemon. As such they should not be allowed for any client
+    UID that does not match the server UID.
+    
+    Fixes CVE-2019-10132
+    
+    Reviewed-by: Ján Tomko <jtomko@redhat.com>
+    Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Index: libvirt-5.3.0/src/admin/admin_server_dispatch.c
+===================================================================
+--- libvirt-5.3.0.orig/src/admin/admin_server_dispatch.c
+++ libvirt-5.3.0/src/admin/admin_server_dispatch.c
+@@ -64,6 +64,28 @@ remoteAdmClientNew(virNetServerClientPtr
+                    void *opaque)
+ {
+     struct daemonAdmClientPrivate *priv;
+    uid_t clientuid;
+    gid_t clientgid;
+    pid_t clientpid;
+    unsigned long long timestamp;
+
+    if (virNetServerClientGetUNIXIdentity(client,
+                                          &clientuid,
+                                          &clientgid,
+                                          &clientpid,
+                                          &timestamp) < 0)
+        return NULL;
+
+    VIR_DEBUG("New client pid %lld uid %lld",
+              (long long)clientpid,
+              (long long)clientuid);
+
+    if (geteuid() != clientuid) {
+        virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
+                                 (long long)clientpid,
+                                 (long long)clientuid);
+        return NULL;
+    }
+ 
+     if (VIR_ALLOC(priv) < 0)
+         return NULL;
--- a/e37bd65f-logging-restrict-sockets-to-mode-0600.patch
+++ b/e37bd65f-logging-restrict-sockets-to-mode-0600.patch
@ -0,0 +1,41 @@
+commit e37bd65f9948c1185456b2cdaa3bd6e875af680f
+Author: Daniel P. Berrangé <berrange@redhat.com>
+Date:   Tue Apr 30 17:27:41 2019 +0100
+
+    logging: restrict sockets to mode 0600
+    
+    The virtlogd daemon's only intended client is the libvirtd daemon. As
+    such it should never allow clients from other user accounts to connect.
+    The code already enforces this and drops clients from other UIDs, but
+    we can get earlier (and thus stronger) protection against DoS by setting
+    the socket permissions to 0600
+    
+    Fixes CVE-2019-10132
+    
+    Reviewed-by: Ján Tomko <jtomko@redhat.com>
+    Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Index: libvirt-5.3.0/src/logging/virtlogd-admin.socket.in
+===================================================================
+--- libvirt-5.3.0.orig/src/logging/virtlogd-admin.socket.in
+++ libvirt-5.3.0/src/logging/virtlogd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
+ Service=virtlogd.service
+SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+Index: libvirt-5.3.0/src/logging/virtlogd.socket.in
+===================================================================
+--- libvirt-5.3.0.orig/src/logging/virtlogd.socket.in
+++ libvirt-5.3.0/src/logging/virtlogd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+ 
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
+SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
--- a/f111e094-locking-restrict-sockets-to-mode-0600.patch
+++ b/f111e094-locking-restrict-sockets-to-mode-0600.patch
@ -0,0 +1,41 @@
+commit f111e09468693909b1f067aa575efdafd9a262a1
+Author: Daniel P. Berrangé <berrange@redhat.com>
+Date:   Tue Apr 30 16:51:37 2019 +0100
+
+    locking: restrict sockets to mode 0600
+    
+    The virtlockd daemon's only intended client is the libvirtd daemon. As
+    such it should never allow clients from other user accounts to connect.
+    The code already enforces this and drops clients from other UIDs, but
+    we can get earlier (and thus stronger) protection against DoS by setting
+    the socket permissions to 0600
+    
+    Fixes CVE-2019-10132
+    
+    Reviewed-by: Ján Tomko <jtomko@redhat.com>
+    Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Index: libvirt-5.3.0/src/locking/virtlockd-admin.socket.in
+===================================================================
+--- libvirt-5.3.0.orig/src/locking/virtlockd-admin.socket.in
+++ libvirt-5.3.0/src/locking/virtlockd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
+ Service=virtlockd.service
+SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+Index: libvirt-5.3.0/src/locking/virtlockd.socket.in
+===================================================================
+--- libvirt-5.3.0.orig/src/locking/virtlockd.socket.in
+++ libvirt-5.3.0/src/locking/virtlockd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+ 
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
+SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue May 21 17:15:09 UTC 2019 - James Fehlig <jfehlig@suse.com>
+
+- admin: reject clients unless their UID matches the server UID
+  CVE-2019-10132
+  96f41cd7-admin-reject-clients.patch,
+  f111e094-locking-restrict-sockets-to-mode-0600.patch,
+  e37bd65f-logging-restrict-sockets-to-mode-0600.patch
+  bsc#1134348
+
 -------------------------------------------------------------------
 Mon May 20 21:50:28 UTC 2019 - James Fehlig <jfehlig@suse.com>

--- a/libvirt.spec
+++ b/libvirt.spec
@ -339,6 +339,9 @@ Source100:      %{name}-rpmlintrc
 # Upstream patches
 Patch0:         5cd9db3a-cputest-add-data-E3-1225-v5.patch
 Patch1:         538d8735-cpu_map-Define-md-clear-CPUID-bit.patch
+Patch2:         96f41cd7-admin-reject-clients.patch
+Patch3:         f111e094-locking-restrict-sockets-to-mode-0600.patch
+Patch4:         e37bd65f-logging-restrict-sockets-to-mode-0600.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@ -874,6 +877,9 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 %patch100 -p1
 %patch101 -p1
 %patch150 -p1