From de9807d650910149cced93bc1eb26b89f9d87c6b257d1887146b8a778205ece9 Mon Sep 17 00:00:00 2001
From: James Fehlig
Date: Tue, 15 Mar 2011 15:39:58 +0000
Subject: [PATCH] VUL-0: libvirt: several API calls do not honour read-only
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=105
---
 71753cb7-CVE-2011-1146.patch | 93 ++++++++++++++++++++++++++++++++++++
 libvirt.changes | 8 ++++
 libvirt.spec | 2 +
 3 files changed, 103 insertions(+)
 create mode 100644 71753cb7-CVE-2011-1146.patch
diff --git a/71753cb7-CVE-2011-1146.patch b/71753cb7-CVE-2011-1146.patch
new file mode 100644
index 0000000..e3010c6
--- /dev/null
+++ b/71753cb7-CVE-2011-1146.patch
@@ -0,0 +1,93 @@
+commit 71753cb7f7a16ff800381c0b5ee4e99eea92fed3
+Author: Guido Günther
+Date: Mon Mar 14 10:56:28 2011 +0800
+
+ Add missing checks for read only connections
+
+ As pointed on CVE-2011-1146, some API forgot to check the read-only
+ status of the connection for entry point which modify the state
+ of the system or may lead to a remote execution using user data.
+ The entry points concerned are:
+ - virConnectDomainXMLToNative
+ - virNodeDeviceDettach
+ - virNodeDeviceReAttach
+ - virNodeDeviceReset
+ - virDomainRevertToSnapshot
+ - virDomainSnapshotDelete
+
+ * src/libvirt.c: fix the above set of entry points to error on read-only
+ connections
+
+Index: libvirt-0.8.8/src/libvirt.c
+===================================================================
+--- libvirt-0.8.8.orig/src/libvirt.c
++++ libvirt-0.8.8/src/libvirt.c
+@@ -3152,6 +3152,10 @@ char *virConnectDomainXMLToNative(virCon
+ virDispatchError(NULL);
+ return NULL;
+ }
++ if (conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
+
+ if (nativeFormat == NULL || domainXml == NULL) {
+ virLibConnError(VIR_ERR_INVALID_ARG, __FUNCTION__);
+@@ -9579,6 +9583,11 @@ virNodeDeviceDettach(virNodeDevicePtr de
+ return -1;
+ }
+
++ if (dev->conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
++
+ if (dev->conn->driver->nodeDeviceDettach) {
+ int ret;
+ ret = dev->conn->driver->nodeDeviceDettach (dev);
+@@ -9622,6 +9631,11 @@ virNodeDeviceReAttach(virNodeDevicePtr d
+ return -1;
+ }
+
++ if (dev->conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
++
+ if (dev->conn->driver->nodeDeviceReAttach) {
+ int ret;
+ ret = dev->conn->driver->nodeDeviceReAttach (dev);
+@@ -9667,6 +9681,11 @@ virNodeDeviceReset(virNodeDevicePtr dev)
+ return -1;
+ }
+
++ if (dev->conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
++
+ if (dev->conn->driver->nodeDeviceReset) {
+ int ret;
+ ret = dev->conn->driver->nodeDeviceReset (dev);
+@@ -12962,6 +12981,10 @@ virDomainRevertToSnapshot(virDomainSnaps
+ }
+
+ conn = snapshot->domain->conn;
++ if (conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
+
+ if (conn->driver->domainRevertToSnapshot) {
+ int ret = conn->driver->domainRevertToSnapshot(snapshot, flags);
+@@ -13008,6 +13031,10 @@ virDomainSnapshotDelete(virDomainSnapsho
+ }
+
+ conn = snapshot->domain->conn;
++ if (conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ goto error;
++ }
+
+ if (conn->driver->domainSnapshotDelete) {
+ int ret = conn->driver->domainSnapshotDelete(snapshot, flags);
diff --git a/libvirt.changes b/libvirt.changes
index f5e9016..a75defc 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Mar 15 09:37:20 MDT 2011 - jfehlig@novell.com
+
+- VUL-0: libvirt: several API calls do not honour read-only
+ connection
+ 71753cb7-CVE-2011-1146.patch
+ bnc#678406
+
 -------------------------------------------------------------------
 Mon Mar 7 11:47:17 MST 2011 - jfehlig@novell.com
diff --git a/libvirt.spec b/libvirt.spec
index 996de02..a515e20 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -170,6 +170,7 @@ Source0: %{name}-%{version}.tar.bz2
 Source1: libvirtd.init
 # Upstream patches
 Patch0: efc2594b-boot-param.patch
+Patch1: 71753cb7-CVE-2011-1146.patch
 # Need to go upstream
 Patch100: xen-name-for-devid.patch
 Patch102: clone.patch
@@ -285,6 +286,7 @@ Authors:
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 %patch100 -p1
 %patch102
 %patch103 -p1
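Review bot: In the new 71753cb7-CVE-2011-1146.patch, the read-only check added to virConnectDomainXMLToNative (inner hunk at -3152) reports the denial through `virLibDomainError`, whereas the argument check just below it and the other five added checks all use `virLibConnError`. For a connection-level entry point the line would read more consistently as `virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);`, since callers that classify failures by error domain would otherwise presumably see this one denial reported differently from the rest. All six functions begin and end outside their hunks, so the `error` label each `goto error` targets is not visible here. It should be confirmed to exist in every function, as the neighbouring early exits in the three virNodeDevice* functions use `return -1` instead. A one-line comment above each guard, for example `/* state-changing call: refuse on VIR_CONNECT_RO connections */`, would make the invariant easier to spot when new entry points are added.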