- CVE-2014-7823: dumpxml: security hole with migratable flag

b1674ad5-CVE-2014-7823.patch
  bsc#904176

OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=418

b1674ad5-CVE-2014-7823.patch

@@ -0,0 +1,57 @@
+commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b
+Author: Eric Blake <eblake@redhat.com>
+Date:   Fri Oct 31 22:14:07 2014 -0600
+
+    CVE-2014-7823: dumpxml: security hole with migratable flag
+    
+    Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
+    the qemu implementation of virDomainGetXMLDesc, the use of the
+    flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
+    connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
+    prior to calling qemuDomainFormatXML.  However, the use of
+    VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
+    clients only.  This patch treats the migratable flag as requiring
+    the same permissions, rather than analyzing what might break if
+    migratable xml no longer includes secret information.
+    
+    Fortunately, the information leak is low-risk: all that is gated
+    by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
+    but VNC passwords are already weak (FIPS forbids their use, and
+    on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
+    password sent in plaintext over the network deserves what they
+    get).  SPICE offers better security than VNC, and all other
+    secrets are properly protected by use of virSecret associations
+    rather than direct output in domain XML.
+    
+    * src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
+    Tighten rules on use of migratable flag.
+    * src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
+    
+    Signed-off-by: Eric Blake <eblake@redhat.com>
+
+Index: libvirt-1.2.10/src/libvirt-domain.c
+===================================================================
+--- libvirt-1.2.10.orig/src/libvirt-domain.c
++++ libvirt-1.2.10/src/libvirt-domain.c
+@@ -2607,7 +2607,8 @@ virDomainGetXMLDesc(virDomainPtr domain,
+     virCheckDomainReturn(domain, NULL);
+     conn = domain->conn;
+ 
+-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
++    if ((conn->flags & VIR_CONNECT_RO) &&
++        (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) {
+         virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+                        _("virDomainGetXMLDesc with secure flag"));
+         goto error;
+Index: libvirt-1.2.10/src/remote/remote_protocol.x
+===================================================================
+--- libvirt-1.2.10.orig/src/remote/remote_protocol.x
++++ libvirt-1.2.10/src/remote/remote_protocol.x
+@@ -3255,6 +3255,7 @@ enum remote_procedure {
+      * @generate: both
+      * @acl: domain:read
+      * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
++     * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE
+      */
+     REMOTE_PROC_DOMAIN_GET_XML_DESC = 14,
+ 

libvirt.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Nov 10 22:01:31 MST 2014 - jfehlig@suse.com
+
+- CVE-2014-7823: dumpxml: security hole with migratable flag
+  b1674ad5-CVE-2014-7823.patch
+  bsc#904176
+
 -------------------------------------------------------------------
 Mon Nov  3 11:08:49 MST 2014 - jfehlig@suse.com
 

libvirt.spec

@@ -434,6 +434,7 @@ Source3:        libvirtd.init
 Source4:        libvirtd-relocation-server.fw
 Source99:       baselibs.conf
 # Upstream patches
+Patch0:         b1674ad5-CVE-2014-7823.patch
 # Patches pending upstream review
 # Need to go upstream
 Patch150:       xen-name-for-devid.patch
@@ -965,6 +966,7 @@ Provides a dissector for the libvirt RPC protocol to help debugging it.
 
 %prep
 %setup -q
+%patch0 -p1
 %patch150 -p1
 %patch151 -p1
 %patch152 -p1