SHA256
1
0
forked from pool/libvirt

- CVE-2014-7823: dumpxml: security hole with migratable flag

b1674ad5-CVE-2014-7823.patch
  bsc#904176

OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=418
This commit is contained in:
James Fehlig 2014-11-11 05:03:23 +00:00 committed by Git OBS Bridge
parent 084e297a8a
commit d97b2f8ea8
3 changed files with 66 additions and 0 deletions

View File

@ -0,0 +1,57 @@
commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b
Author: Eric Blake <eblake@redhat.com>
Date: Fri Oct 31 22:14:07 2014 -0600
CVE-2014-7823: dumpxml: security hole with migratable flag
Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
the qemu implementation of virDomainGetXMLDesc, the use of the
flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
prior to calling qemuDomainFormatXML. However, the use of
VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
clients only. This patch treats the migratable flag as requiring
the same permissions, rather than analyzing what might break if
migratable xml no longer includes secret information.
Fortunately, the information leak is low-risk: all that is gated
by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
but VNC passwords are already weak (FIPS forbids their use, and
on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
password sent in plaintext over the network deserves what they
get). SPICE offers better security than VNC, and all other
secrets are properly protected by use of virSecret associations
rather than direct output in domain XML.
* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
Tighten rules on use of migratable flag.
* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
Index: libvirt-1.2.10/src/libvirt-domain.c
===================================================================
--- libvirt-1.2.10.orig/src/libvirt-domain.c
+++ libvirt-1.2.10/src/libvirt-domain.c
@@ -2607,7 +2607,8 @@ virDomainGetXMLDesc(virDomainPtr domain,
virCheckDomainReturn(domain, NULL);
conn = domain->conn;
- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+ if ((conn->flags & VIR_CONNECT_RO) &&
+ (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) {
virReportError(VIR_ERR_OPERATION_DENIED, "%s",
_("virDomainGetXMLDesc with secure flag"));
goto error;
Index: libvirt-1.2.10/src/remote/remote_protocol.x
===================================================================
--- libvirt-1.2.10.orig/src/remote/remote_protocol.x
+++ libvirt-1.2.10/src/remote/remote_protocol.x
@@ -3255,6 +3255,7 @@ enum remote_procedure {
* @generate: both
* @acl: domain:read
* @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
+ * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE
*/
REMOTE_PROC_DOMAIN_GET_XML_DESC = 14,

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Nov 10 22:01:31 MST 2014 - jfehlig@suse.com
- CVE-2014-7823: dumpxml: security hole with migratable flag
b1674ad5-CVE-2014-7823.patch
bsc#904176
-------------------------------------------------------------------
Mon Nov 3 11:08:49 MST 2014 - jfehlig@suse.com

View File

@ -434,6 +434,7 @@ Source3: libvirtd.init
Source4: libvirtd-relocation-server.fw
Source99: baselibs.conf
# Upstream patches
Patch0: b1674ad5-CVE-2014-7823.patch
# Patches pending upstream review
# Need to go upstream
Patch150: xen-name-for-devid.patch
@ -965,6 +966,7 @@ Provides a dissector for the libvirt RPC protocol to help debugging it.
%prep
%setup -q
%patch0 -p1
%patch150 -p1
%patch151 -p1
%patch152 -p1