diff --git a/441d3eb6-qemu-tls-client-verify-server-cert.patch b/441d3eb6-qemu-tls-client-verify-server-cert.patch new file mode 100644 index 0000000..35f8254 --- /dev/null +++ b/441d3eb6-qemu-tls-client-verify-server-cert.patch @@ -0,0 +1,67 @@ +commit 441d3eb6d1be940a67ce45a286602a967601b157 +Author: Daniel P. Berrange +Date: Thu Oct 5 17:54:28 2017 +0100 + + qemu: ensure TLS clients always verify the server certificate + + The default_tls_x509_verify (and related) parameters in qemu.conf + control whether the QEMU TLS servers request & verify certificates + from clients. This works as a simple access control system for + servers by requiring the CA to issue certs to permitted clients. + This use of client certificates is disabled by default, since it + requires extra work to issue client certificates. + + Unfortunately the code was using this configuration parameter when + setting up both TLS clients and servers in QEMU. The result was that + TLS clients for character devices and disk devices had verification + turned off, meaning they would ignore errors while validating the + server certificate. + + This allows for trivial MITM attacks between client and server, + as any certificate returned by the attacker will be accepted by + the client. + + This is assigned CVE-2017-1000256 / LSN-2017-0002 + + Reviewed-by: Eric Blake + Signed-off-by: Daniel P. Berrange + +Index: libvirt-3.8.0/src/qemu/qemu_command.c +=================================================================== +--- libvirt-3.8.0.orig/src/qemu/qemu_command.c ++++ libvirt-3.8.0/src/qemu/qemu_command.c +@@ -721,7 +721,7 @@ qemuBuildTLSx509BackendProps(const char + if (virJSONValueObjectCreate(propsret, + "s:dir", path, + "s:endpoint", (isListen ? "server": "client"), +- "b:verify-peer", verifypeer, ++ "b:verify-peer", (isListen ? verifypeer : true), + NULL) < 0) + goto cleanup; + +Index: libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args +=================================================================== +--- libvirt-3.8.0.orig/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args ++++ libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args +@@ -26,7 +26,7 @@ server,nowait \ + localport=1111 \ + -device isa-serial,chardev=charserial0,id=serial0 \ + -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ +-endpoint=client,verify-peer=no \ ++endpoint=client,verify-peer=yes \ + -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ + tls-creds=objcharserial1_tls0 \ + -device isa-serial,chardev=charserial1,id=serial1 \ +Index: libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args +=================================================================== +--- libvirt-3.8.0.orig/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args ++++ libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args +@@ -31,7 +31,7 @@ localport=1111 \ + data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ + keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ + -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ +-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \ ++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \ + -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ + tls-creds=objcharserial1_tls0 \ + -device isa-serial,chardev=charserial1,id=serial1 \ diff --git a/libvirt.changes b/libvirt.changes index 2a70c4f..d8e8fc8 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,30 @@ +------------------------------------------------------------------- +Mon Oct 16 22:02:16 UTC 2017 - jfehlig@suse.com + +- qemu: ensure TLS clients always verify the server certificate + CVE-2017-1000256 + 441d3eb6-qemu-tls-client-verify-server-cert.patch + bsc#1062563 + +------------------------------------------------------------------- +Thu Oct 12 23:25:48 UTC 2017 - jengelh@inai.de + +- Do not ignore errors from useradd/groupadd. +- Invoke/expand %service_* just once per scriptlet. +- Replace some old macros. + +------------------------------------------------------------------- +Tue Oct 10 19:50:22 UTC 2017 - jfehlig@suse.com + +- spec: libvirt-daemon-qemu requires libvirt-daemon-driver-storage + bsc#1062620 + +------------------------------------------------------------------- +Mon Oct 9 16:34:50 UTC 2017 - jfehlig@suse.com + +- spec: reload libvirtd Apparmor profile in %post + bsc#1060860 + ------------------------------------------------------------------- Fri Oct 6 22:46:12 UTC 2017 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 416618e..c3e7e17 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -251,6 +251,7 @@ BuildRequires: libnl3-devel BuildRequires: libpcap-devel BuildRequires: libselinux-devel %if %{with_apparmor} +BuildRequires: apparmor-rpm-macros BuildRequires: libapparmor-devel %endif BuildRequires: dnsmasq >= 2.41 @@ -310,6 +311,7 @@ Source99: baselibs.conf Source100: %{name}-rpmlintrc # Upstream patches Patch0: c44b29aa-apparmor-dnsmasq-ptrace.patch +Patch1: 441d3eb6-qemu-tls-client-verify-server-cert.patch # Patches pending upstream review Patch100: libxl-dom-reset.patch Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch @@ -703,6 +705,7 @@ Requires: libvirt-daemon-driver-nodedev = %{version}-%{release} Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release} Requires: libvirt-daemon-driver-qemu = %{version}-%{release} Requires: libvirt-daemon-driver-secret = %{version}-%{release} +Requires: libvirt-daemon-driver-storage = %{version}-%{release} %description daemon-qemu Server side daemon and driver required to manage the virtualization @@ -884,6 +887,7 @@ libvirt plugin for NSS for translating domain names into IP addresses. %prep %setup -q %patch0 -p1 +%patch1 -p1 %patch100 -p1 %patch101 -p1 %patch150 -p1 @@ -1103,8 +1107,8 @@ make V=1 %{?_smp_mflags} HTML_DIR=%{_docdir}/%{name} gzip -9 ChangeLog %install -%makeinstall SYSTEMD_UNIT_DIR=%{_unitdir} HTML_DIR=%{_docdir}/%{name} -make %{?jobs:-j%jobs} -C examples distclean +%make_install SYSTEMD_UNIT_DIR=%{_unitdir} HTML_DIR=%{_docdir}/%{name} +make %{?_smp_mflags} -C examples distclean cp examples/lxcconvert/virt-lxc-convert %{buildroot}/%{_bindir} rm -f %{buildroot}/%{_libdir}/*.la %if %{with_wireshark} @@ -1243,34 +1247,30 @@ do rm -f $i printf 'int main(void) { return 0; }' > $i.c done -make %{?jobs:-j%jobs} +make %{?_smp_mflags} -if ! make %{?jobs:-j%jobs} check VIR_TEST_DEBUG=1 +if ! make %{?_smp_mflags} check VIR_TEST_DEBUG=1 then cat test-suite.log || true exit 1 fi %pre daemon -%service_add_pre libvirtd.service -%service_add_pre virtlockd.service virtlockd.socket -%service_add_pre virtlogd.service virtlogd.socket -%{_bindir}/getent group libvirt >/dev/null || \ - %{_sbindir}/groupadd -r libvirt || : +%{_bindir}/getent group libvirt >/dev/null || %{_sbindir}/groupadd -r libvirt +%service_add_pre libvirtd.service virtlockd.service virtlockd.socket virtlogd.service virtlogd.socket %post daemon /sbin/ldconfig -%service_add_post libvirtd.service -%service_add_post virtlockd.service virtlockd.socket -%service_add_post virtlogd.service virtlogd.socket +%if %{with_apparmor} +%apparmor_reload /etc/apparmor.d/usr.sbin.libvirtd +%endif +%service_add_post libvirtd.service virtlockd.service virtlockd.socket virtlogd.service virtlogd.socket %{fillup_only -n libvirtd} %{fillup_only -n virtlockd} %{fillup_only -n virtlogd} %preun daemon -%service_del_preun libvirtd.service -%service_del_preun virtlockd.service virtlockd.socket -%service_del_preun virtlogd.service virtlogd.socket +%service_del_preun libvirtd.service virtlockd.service virtlockd.socket virtlogd.service virtlogd.socket %postun daemon /sbin/ldconfig @@ -1281,9 +1281,7 @@ if test $1 -eq 0 ; then done /usr/bin/systemctl daemon-reload >/dev/null 2>&1 || : fi - %service_del_postun libvirtd.service - %service_del_postun virtlockd.service virtlockd.socket - %service_del_postun virtlogd.service virtlogd.socket + %service_del_postun libvirtd.service virtlockd.service virtlockd.socket virtlogd.service virtlogd.socket %posttrans daemon # All connection drivers should be installed post transaction.