- CVE-2013-4400: Unsantized use of env variables allows privilege

escalation via virt-login-shell ae53e5d1-CVE-2013-4400.patch, 8c3586ea-CVE-2013-4400.patch, b7fcc799a-CVE-2013-4400.patch, 3e2f27e1-CVE-2013-4400.patch, CVE-2013-4400-build-fix.patch bnc#837609 - CVE-2013-4401: Fix perms for virConnectDomainXML{To,From}Native 57687fd6-CVE-2013-4401.patch bnc#845704 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=315
2013-10-21 21:49:57 +00:00 · 2013-10-21 21:49:57 +00:00 · fffa5dcc99
commit fffa5dcc99
parent c27ca0ddd7
9 changed files with 666 additions and 5 deletions
--- a/3e2f27e1-CVE-2013-4400.patch
+++ b/3e2f27e1-CVE-2013-4400.patch
@ -0,0 +1,354 @@
+commit 3e2f27e13b94f7302ad948bcacb5e02c859a25fc
+Author: Daniel P. Berrange <berrange@redhat.com>
+Date:   Thu Oct 10 13:09:08 2013 +0100
+
+    Don't link virt-login-shell against libvirt.so (CVE-2013-4400)
+    
+    The libvirt.so library has far too many library deps to allow
+    linking against it from setuid programs. Those libraries can
+    do stuff in __attribute__((constructor) functions which is
+    not setuid safe.
+    
+    The virt-login-shell needs to link directly against individual
+    files that it uses, with all library deps turned off except
+    for libxml2 and libselinux.
+    
+    Create a libvirt-setuid-rpc-client.la library which is linked
+    to by virt-login-shell. A config-post.h file allows this library
+    to disable all external deps except libselinux and libxml2.
+    
+    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Index: libvirt-1.1.2/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/Makefile.am
+++ libvirt-1.1.2/Makefile.am
+@@ -31,6 +31,7 @@ XML_EXAMPLES = \
+ 					test/*.xml storage/*.xml)))
+ 
+ EXTRA_DIST = \
+  config-post.h \
+   ChangeLog-old \
+   libvirt.spec libvirt.spec.in \
+   mingw-libvirt.spec.in \
+Index: libvirt-1.1.2/config-post.h
+===================================================================
+--- /dev/null
+++ libvirt-1.1.2/config-post.h
+@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2013 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * Since virt-login-shell will be setuid, we must do everything
+ * we can to avoid linking to other libraries. Many of them do
+ * unsafe things in functions marked __atttribute__((constructor)).
+ * The only way avoid to avoid such deps is to re-compile the
+ * functions with the code in question disabled, and for that we
+ * must override the main config.h rules. Hence this file :-(
+ */
+
+#ifdef LIBVIRT_SETUID_RPC_CLIENT
+# undef HAVE_LIBDEVMAPPER_H
+# undef HAVE_LIBNL
+# undef HAVE_LIBNL3
+# undef HAVE_LIBSASL2
+# undef WITH_CAPNG
+# undef WITH_CURL
+# undef WITH_DTRACE_PROBES
+# undef WITH_GNUTLS
+# undef WITH_MACVTAP
+# undef WITH_NUMACTL
+# undef WITH_SASL
+# undef WITH_SSH2
+# undef WITH_VIRTUALPORT
+# undef WITH_YAJL
+# undef WITH_YAJL2
+#endif
+Index: libvirt-1.1.2/configure.ac
+===================================================================
+--- libvirt-1.1.2.orig/configure.ac
+++ libvirt-1.1.2/configure.ac
+@@ -20,6 +20,7 @@ AC_INIT([libvirt], [1.1.2], [libvir-list
+ AC_CONFIG_SRCDIR([src/libvirt.c])
+ AC_CONFIG_AUX_DIR([build-aux])
+ AC_CONFIG_HEADERS([config.h])
+AH_BOTTOM([#include <config-post.h>])
+ AC_CONFIG_MACRO_DIR([m4])
+ dnl Make automake keep quiet about wildcards & other GNUmake-isms
+ AM_INIT_AUTOMAKE([-Wno-portability tar-ustar])
+Index: libvirt-1.1.2/daemon/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/daemon/Makefile.am
+++ libvirt-1.1.2/daemon/Makefile.am
+@@ -18,6 +18,7 @@
+ 
+ INCLUDES = \
+ 	-I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib \
+	-I$(top_srcdir) \
+ 	-I$(top_builddir)/include -I$(top_srcdir)/include \
+ 	-I$(top_builddir)/src -I$(top_srcdir)/src \
+ 	-I$(top_srcdir)/src/util \
+Index: libvirt-1.1.2/examples/domain-events/events-c/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/examples/domain-events/events-c/Makefile.am
+++ libvirt-1.1.2/examples/domain-events/events-c/Makefile.am
+@@ -15,7 +15,8 @@
+ ## <http://www.gnu.org/licenses/>.
+ 
+ INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include \
+-	   -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib
+	   -I$(top_builddir)/gnulib/lib -I$(top_srcdir)/gnulib/lib \
+	   -I$(top_srcdir)
+ noinst_PROGRAMS = event-test
+ event_test_CFLAGS = $(WARN_CFLAGS)
+ event_test_SOURCES = event-test.c
+Index: libvirt-1.1.2/examples/hellolibvirt/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/examples/hellolibvirt/Makefile.am
+++ libvirt-1.1.2/examples/hellolibvirt/Makefile.am
+@@ -14,7 +14,7 @@
+ ## License along with this library.  If not, see
+ ## <http://www.gnu.org/licenses/>.
+ 
+-INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include
+INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir)
+ noinst_PROGRAMS = hellolibvirt
+ hellolibvirt_CFLAGS = $(WARN_CFLAGS)
+ hellolibvirt_SOURCES = hellolibvirt.c
+Index: libvirt-1.1.2/examples/openauth/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/examples/openauth/Makefile.am
+++ libvirt-1.1.2/examples/openauth/Makefile.am
+@@ -14,7 +14,7 @@
+ ## License along with this library.  If not, see
+ ## <http://www.gnu.org/licenses/>.
+ 
+-INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include
+INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir)
+ noinst_PROGRAMS = openauth
+ openauth_CFLAGS = $(WARN_CFLAGS)
+ openauth_SOURCES = openauth.c
+Index: libvirt-1.1.2/gnulib/lib/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/gnulib/lib/Makefile.am
+++ libvirt-1.1.2/gnulib/lib/Makefile.am
+@@ -27,4 +27,4 @@ noinst_LTLIBRARIES =
+ 
+ include gnulib.mk
+ 
+-INCLUDES = $(GETTEXT_CPPFLAGS)
+INCLUDES = -I$(top_srcdir) $(GETTEXT_CPPFLAGS)
+Index: libvirt-1.1.2/python/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/python/Makefile.am
+++ libvirt-1.1.2/python/Makefile.am
+@@ -20,6 +20,7 @@ INCLUDES = \
+ 	$(PYTHON_INCLUDES) \
+ 	-I$(top_builddir)/gnulib/lib \
+ 	-I$(top_srcdir)/gnulib/lib \
+	-I$(top_srcdir) \
+ 	-I$(top_builddir)/src \
+ 	-I$(top_srcdir)/src \
+ 	-I$(top_srcdir)/src/util \
+Index: libvirt-1.1.2/src/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/src/Makefile.am
+++ libvirt-1.1.2/src/Makefile.am
+@@ -21,6 +21,7 @@
+ # that actually use them. Also keep GETTEXT_CPPFLAGS at the end.
+ INCLUDES =	-I../gnulib/lib					\
+ 		-I$(top_srcdir)/gnulib/lib			\
+		-I$(top_srcdir)					\
+ 		-I../include					\
+ 		-I$(top_srcdir)/include				\
+ 		-I$(top_srcdir)/src/util			\
+@@ -1917,6 +1918,77 @@ libvirt_lxc_la_LDFLAGS = \
+ libvirt_lxc_la_CFLAGS = $(AM_CFLAGS)
+ libvirt_lxc_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD)
+ 
+# Since virt-login-shell will be setuid, we must do everything
+# we can to avoid linking to other libraries. Many of them do
+# unsafe things in functions marked __atttribute__((constructor)).
+# This library is built to include the bare minimum required to
+# have a RPC client for local UNIX socket access only. We use
+# the ../config-post.h header to disable all external deps that
+# we don't want
+if WITH_LXC
+noinst_LTLIBRARIES += libvirt-setuid-rpc-client.la
+
+libvirt_setuid_rpc_client_la_SOURCES = 		\
+		util/viralloc.c			\
+		util/virbitmap.c		\
+		util/virbuffer.c		\
+		util/vircommand.c		\
+		util/virconf.c			\
+		util/virerror.c			\
+		util/virevent.c			\
+		util/vireventpoll.c		\
+		util/virfile.c			\
+		util/virhash.c			\
+		util/virhashcode.c		\
+		util/virjson.c			\
+		util/virlog.c			\
+		util/virobject.c		\
+		util/virpidfile.c		\
+		util/virprocess.c		\
+		util/virrandom.c		\
+		util/virsocketaddr.c		\
+		util/virstoragefile.c		\
+		util/virstring.c		\
+		util/virtime.c			\
+		util/virthread.c		\
+		util/virtypedparam.c		\
+		util/viruri.c			\
+		util/virutil.c			\
+		util/viruuid.c			\
+		conf/domain_event.c		\
+		rpc/virnetsocket.c		\
+		rpc/virnetsocket.h		\
+		rpc/virnetmessage.h		\
+		rpc/virnetmessage.c		\
+		rpc/virkeepalive.c		\
+		rpc/virkeepalive.h		\
+		rpc/virnetclient.c		\
+		rpc/virnetclientprogram.c	\
+		rpc/virnetclientstream.c	\
+		rpc/virnetprotocol.c		\
+		remote/remote_driver.c		\
+		remote/remote_protocol.c	\
+		remote/qemu_protocol.c		\
+		remote/lxc_protocol.c		\
+		datatypes.c			\
+		libvirt.c			\
+		libvirt-lxc.c			\
+		$(NULL)
+
+libvirt_setuid_rpc_client_la_LDFLAGS =		\
+		$(AM_LDFLAGS)			\
+		$(LIBXML_LIBS)			\
+		$(SELINUX_LIBS)			\
+		$(NULL)
+libvirt_setuid_rpc_client_la_CFLAGS =		\
+		-DLIBVIRT_SETUID_RPC_CLIENT	\
+		-I$(top_srcdir)/src/conf	\
+		-I$(top_srcdir)/src/rpc		\
+		$(AM_CFLAGS)			\
+		$(SELINUX_CFLAGS)		\
+		$(NULL)
+endif WITH_LXC
+
+ lockdriverdir = $(libdir)/libvirt/lock-driver
+ lockdriver_LTLIBRARIES =
+ 
+Index: libvirt-1.1.2/src/libvirt.c
+===================================================================
+--- libvirt-1.1.2.orig/src/libvirt.c
+++ libvirt-1.1.2/src/libvirt.c
+@@ -446,40 +446,46 @@ virGlobalInit(void)
+         goto error;
+ 
+     /*
+     * Note we must avoid everything except 'remote' driver
+     * for virt-login-shell usage
+     */
+#ifndef LIBVIRT_SETUID_RPC_CLIENT
+    /*
+      * Note that the order is important: the first ones have a higher
+      * priority when calling virConnectOpen.
+      */
+-#ifdef WITH_TEST
+# ifdef WITH_TEST
+     if (testRegister() == -1)
+         goto error;
+-#endif
+-#ifdef WITH_OPENVZ
+# endif
+# ifdef WITH_OPENVZ
+     if (openvzRegister() == -1)
+         goto error;
+-#endif
+-#ifdef WITH_VMWARE
+# endif
+# ifdef WITH_VMWARE
+     if (vmwareRegister() == -1)
+         goto error;
+-#endif
+-#ifdef WITH_PHYP
+# endif
+# ifdef WITH_PHYP
+     if (phypRegister() == -1)
+         goto error;
+-#endif
+-#ifdef WITH_ESX
+# endif
+# ifdef WITH_ESX
+     if (esxRegister() == -1)
+         goto error;
+-#endif
+-#ifdef WITH_HYPERV
+# endif
+# ifdef WITH_HYPERV
+     if (hypervRegister() == -1)
+         goto error;
+-#endif
+-#ifdef WITH_XENAPI
+# endif
+# ifdef WITH_XENAPI
+     if (xenapiRegister() == -1)
+         goto error;
+-#endif
+-#ifdef WITH_PARALLELS
+# endif
+# ifdef WITH_PARALLELS
+     if (parallelsRegister() == -1)
+         goto error;
+# endif
+ #endif
+ #ifdef WITH_REMOTE
+     if (remoteRegister() == -1)
+Index: libvirt-1.1.2/tools/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/tools/Makefile.am
+++ libvirt-1.1.2/tools/Makefile.am
+@@ -149,6 +149,11 @@ virt_host_validate_CFLAGS = \
+ 		$(COVERAGE_CFLAGS)				\
+ 		$(NULL)
+ 
+# Since virt-login-shell will be setuid, we must do everything
+# we can to avoid linking to other libraries. Many of them do
+# unsafe things in functions marked __atttribute__((constructor)).
+# This we statically link to a library containing only the minimal
+# libvirt client code, not libvirt.so itself.
+ virt_login_shell_SOURCES =					\
+ 		virt-login-shell.c
+ 
+@@ -159,11 +164,11 @@ virt_login_shell_LDFLAGS = \
+ virt_login_shell_LDADD =					\
+ 		$(STATIC_BINARIES)				\
+ 		$(PIE_LDFLAGS)					\
+-		../src/libvirt.la				\
+-		../src/libvirt-lxc.la				\
+		../src/libvirt-setuid-rpc-client.la		\
+ 		../gnulib/lib/libgnu.la
+ 
+ virt_login_shell_CFLAGS =					\
+		-DLIBVIRT_SETUID_RPC_CLIENT			\
+ 		$(WARN_CFLAGS)					\
+ 		$(PIE_CFLAGS)					\
+ 		$(COVERAGE_CFLAGS)
--- a/57687fd6-CVE-2013-4401.patch
+++ b/57687fd6-CVE-2013-4401.patch
@ -0,0 +1,52 @@
+commit 57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c
+Author: Daniel P. Berrange <berrange@redhat.com>
+Date:   Thu Oct 3 16:37:57 2013 +0100
+
+    Fix perms for virConnectDomainXML{To,From}Native (CVE-2013-4401)
+    
+    The virConnectDomainXMLToNative API should require 'connect:write'
+    not 'connect:read', since it will trigger execution of the QEMU
+    binaries listed in the XML.
+    
+    Also make virConnectDomainXMLFromNative API require a full
+    read-write connection and 'connect:write' permission. Although the
+    current impl doesn't trigger execution of QEMU, we should not
+    rely on that impl detail from an API permissioning POV.
+    
+    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Index: libvirt-1.1.2/src/libvirt.c
+===================================================================
+--- libvirt-1.1.2.orig/src/libvirt.c
+++ libvirt-1.1.2/src/libvirt.c
+@@ -4606,6 +4606,10 @@ char *virConnectDomainXMLFromNative(virC
+         virDispatchError(NULL);
+         return NULL;
+     }
+    if (conn->flags & VIR_CONNECT_RO) {
+        virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+        goto error;
+    }
+ 
+     virCheckNonNullArgGoto(nativeFormat, error);
+     virCheckNonNullArgGoto(nativeConfig, error);
+Index: libvirt-1.1.2/src/remote/remote_protocol.x
+===================================================================
+--- libvirt-1.1.2.orig/src/remote/remote_protocol.x
+++ libvirt-1.1.2/src/remote/remote_protocol.x
+@@ -3812,13 +3812,13 @@ enum remote_procedure {
+ 
+     /**
+      * @generate: both
+-     * @acl: connect:read
+     * @acl: connect:write
+      */
+     REMOTE_PROC_CONNECT_DOMAIN_XML_FROM_NATIVE = 135,
+ 
+     /**
+      * @generate: both
+-     * @acl: connect:read
+     * @acl: connect:write
+      */
+     REMOTE_PROC_CONNECT_DOMAIN_XML_TO_NATIVE = 136,
+ 
--- a/8c3586ea-CVE-2013-4400.patch
+++ b/8c3586ea-CVE-2013-4400.patch
@ -0,0 +1,61 @@
+commit 8c3586ea755c40d5e01b22cb7b5c1e668cdec994
+Author: Daniel P. Berrange <berrange@redhat.com>
+Date:   Wed Oct 9 10:59:36 2013 +0100
+
+    Only allow 'stderr' log output when running setuid (CVE-2013-4400)
+    
+    We must not allow file/syslog/journald log outputs when running
+    setuid since they can be abused to do bad things. In particular
+    the 'file' output can be used to overwrite files.
+    
+    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Index: libvirt-1.1.2/src/util/virlog.c
+===================================================================
+--- libvirt-1.1.2.orig/src/util/virlog.c
+++ libvirt-1.1.2/src/util/virlog.c
+@@ -1318,6 +1318,9 @@ int virLogPriorityFromSyslog(int priorit
+  * Multiple output can be defined in a single @output, they just need to be
+  * separated by spaces.
+  *
+ * If running in setuid mode, then only the 'stderr' output will
+ * be allowed
+ *
+  * Returns the number of output parsed and installed or -1 in case of error
+  */
+ int
+@@ -1329,6 +1332,7 @@ virLogParseOutputs(const char *outputs)
+     virLogPriority prio;
+     int ret = -1;
+     int count = 0;
+    bool isSUID = virIsSUID();
+ 
+     if (cur == NULL)
+         return -1;
+@@ -1348,6 +1352,8 @@ virLogParseOutputs(const char *outputs)
+             if (virLogAddOutputToStderr(prio) == 0)
+                 count++;
+         } else if (STREQLEN(cur, "syslog", 6)) {
+            if (isSUID)
+                goto cleanup;
+             cur += 6;
+             if (*cur != ':')
+                 goto cleanup;
+@@ -1365,6 +1371,8 @@ virLogParseOutputs(const char *outputs)
+             VIR_FREE(name);
+ #endif /* HAVE_SYSLOG_H */
+         } else if (STREQLEN(cur, "file", 4)) {
+            if (isSUID)
+                goto cleanup;
+             cur += 4;
+             if (*cur != ':')
+                 goto cleanup;
+@@ -1385,6 +1393,8 @@ virLogParseOutputs(const char *outputs)
+             VIR_FREE(name);
+             VIR_FREE(abspath);
+         } else if (STREQLEN(cur, "journald", 8)) {
+            if (isSUID)
+                goto cleanup;
+             cur += 8;
+ #if USE_JOURNALD
+             if (virLogAddOutputToJournald(prio) == 0)
--- a/CVE-2013-4400-build-fix.patch
+++ b/CVE-2013-4400-build-fix.patch
@ -0,0 +1,37 @@
+commit a6f05b5fdf139aa7155b64b2b581ff88151fbfca
+Author: Jim Fehlig <jfehlig@suse.com>
+Date:   Mon Oct 21 14:57:27 2013 -0600
+
+    build: fix virt-login-shell build with apparmor
+    
+    With libapparmor-devel installed, virt-login-shell fails to link
+    
+    CCLD     virt-login-shell
+    ../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): In function `virExec':
+    /home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined reference to `aa_change_profile'
+    collect2: error: ld returned 1 exit status
+    
+    Fix by linking libvirt_setuid_rpc_client with previously determined
+    SECDRIVER_LIBS in src/Makefile.am.
+
+Index: libvirt-1.1.2/src/Makefile.am
+===================================================================
+--- libvirt-1.1.2.orig/src/Makefile.am
+++ libvirt-1.1.2/src/Makefile.am
+@@ -1978,7 +1978,7 @@ libvirt_setuid_rpc_client_la_SOURCES =
+ libvirt_setuid_rpc_client_la_LDFLAGS =		\
+ 		$(AM_LDFLAGS)			\
+ 		$(LIBXML_LIBS)			\
+-		$(SELINUX_LIBS)			\
+		$(SECDRIVER_LIBS)		\
+ 		$(NULL)
+ libvirt_setuid_rpc_client_la_CFLAGS =		\
+ 		-DLIBVIRT_SETUID_RPC_CLIENT	\
+@@ -1986,6 +1986,7 @@ libvirt_setuid_rpc_client_la_CFLAGS =		\
+ 		-I$(top_srcdir)/src/rpc		\
+ 		$(AM_CFLAGS)			\
+ 		$(SELINUX_CFLAGS)		\
+		$(APPARMOR_CFLAGS)		\
+ 		$(NULL)
+ endif WITH_LXC
+ 
--- a/ae53e5d1-CVE-2013-4400.patch
+++ b/ae53e5d1-CVE-2013-4400.patch
@ -0,0 +1,96 @@
+commit ae53e5d10e434e07079d7e3ba11ec654ba6a256e
+Author: Daniel P. Berrange <berrange@redhat.com>
+Date:   Wed Oct 9 10:52:39 2013 +0100
+
+    Add helpers for getting env vars in a setuid environment
+    
+    Care must be taken accessing env variables when running
+    setuid. Introduce a virGetEnvAllowSUID for env vars which
+    are safe to use in a setuid environment, and another
+    virGetEnvBlockSUID for vars which are not safe. Also add
+    a virIsSUID helper method for any other non-env var code
+    to use.
+    
+    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Index: libvirt-1.1.2/src/libvirt_private.syms
+===================================================================
+--- libvirt-1.1.2.orig/src/libvirt_private.syms
+++ libvirt-1.1.2/src/libvirt_private.syms
+@@ -2042,6 +2042,8 @@ virFindFCHostCapableVport;
+ virFormatIntDecimal;
+ virGetDeviceID;
+ virGetDeviceUnprivSGIO;
+virGetEnvAllowSUID;
+virGetEnvBlockSUID;
+ virGetFCHostNameByWWN;
+ virGetGroupID;
+ virGetGroupList;
+@@ -2060,6 +2062,7 @@ virIndexToDiskName;
+ virIsCapableFCHost;
+ virIsCapableVport;
+ virIsDevMapperDevice;
+virIsSUID;
+ virManageVport;
+ virParseNumber;
+ virParseOwnershipIds;
+Index: libvirt-1.1.2/src/util/virutil.c
+===================================================================
+--- libvirt-1.1.2.orig/src/util/virutil.c
+++ libvirt-1.1.2/src/util/virutil.c
+@@ -2116,3 +2116,42 @@ cleanup:
+ 
+     return rc;
+ }
+
+
+/**
+ * virGetEnvBlockSUID:
+ * @name: the environment variable name
+ *
+ * Obtain an environment variable which is unsafe to
+ * use when running setuid. If running setuid, a NULL
+ * value will be returned
+ */
+const char *virGetEnvBlockSUID(const char *name)
+{
+    return secure_getenv(name);
+}
+
+
+/**
+ * virGetEnvBlockSUID:
+ * @name: the environment variable name
+ *
+ * Obtain an environment variable which is safe to
+ * use when running setuid. The value will be returned
+ * even when running setuid
+ */
+const char *virGetEnvAllowSUID(const char *name)
+{
+    return getenv(name);
+}
+
+
+/**
+ * virIsSUID:
+ * Return a true value if running setuid. Does not
+ * check for elevated capabilities bits.
+ */
+bool virIsSUID(void)
+{
+    return getuid() != geteuid();
+}
+Index: libvirt-1.1.2/src/util/virutil.h
+===================================================================
+--- libvirt-1.1.2.orig/src/util/virutil.h
+++ libvirt-1.1.2/src/util/virutil.h
+@@ -172,4 +172,8 @@ int virCompareLimitUlong(unsigned long l
+ 
+ int virParseOwnershipIds(const char *label, uid_t *uidPtr, gid_t *gidPtr);
+ 
+const char *virGetEnvBlockSUID(const char *name);
+const char *virGetEnvAllowSUID(const char *name);
+bool virIsSUID(void);
+
+ #endif /* __VIR_UTIL_H__ */
--- a/b7fcc799a-CVE-2013-4400.patch
+++ b/b7fcc799a-CVE-2013-4400.patch
@ -0,0 +1,36 @@
+commit b7fcc799ad5d8f3e55b89b94e599903e3c092467
+Author: Daniel P. Berrange <berrange@redhat.com>
+Date:   Wed Oct 9 15:14:34 2013 +0100
+
+    Close all non-stdio FDs in virt-login-shell (CVE-2013-4400)
+    
+    We don't want to inherit any FDs in the new namespace
+    except for the stdio FDs. Explicitly close them all,
+    just in case some do not have the close-on-exec flag
+    set.
+    
+    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+Index: libvirt-1.1.2/tools/virt-login-shell.c
+===================================================================
+--- libvirt-1.1.2.orig/tools/virt-login-shell.c
+++ libvirt-1.1.2/tools/virt-login-shell.c
+@@ -313,6 +313,18 @@ main(int argc, char **argv)
+     if (cpid == 0) {
+         pid_t ccpid;
+ 
+        int openmax = sysconf(_SC_OPEN_MAX);
+        int fd;
+        if (openmax < 0) {
+            virReportSystemError(errno,  "%s",
+                                 _("sysconf(_SC_OPEN_MAX) failed"));
+            return EXIT_FAILURE;
+        }
+        for (fd = 3; fd < openmax; fd++) {
+            int tmpfd = fd;
+            VIR_MASS_CLOSE(tmpfd);
+        }
+
+         /* Fork once because we don't want to affect
+          * virt-login-shell's namespace itself
+          */
--- a/libvirt-suse-netcontrol.patch
+++ b/libvirt-suse-netcontrol.patch
@ -2,7 +2,7 @@ Index: libvirt-1.1.2/configure.ac
 ===================================================================
 --- libvirt-1.1.2.orig/configure.ac
 +++ libvirt-1.1.2/configure.ac
-@@ -173,6 +173,7 @@ LIBVIRT_CHECK_DBUS
+@@ -174,6 +174,7 @@ LIBVIRT_CHECK_DBUS
 LIBVIRT_CHECK_FUSE
 LIBVIRT_CHECK_HAL
 LIBVIRT_CHECK_NETCF
@ -10,7 +10,7 @@ Index: libvirt-1.1.2/configure.ac
 LIBVIRT_CHECK_NUMACTL
 LIBVIRT_CHECK_OPENWSMAN
 LIBVIRT_CHECK_PCIACCESS
-@@ -2296,11 +2297,12 @@ if test "$with_libvirtd" = "no" ; then
+@@ -2297,11 +2298,12 @@ if test "$with_libvirtd" = "no" ; then
   with_interface=no
 fi
 
@ -26,7 +26,7 @@ Index: libvirt-1.1.2/configure.ac
 esac
 
 if test "$with_interface" = "yes" ; then
-@@ -2608,6 +2610,7 @@ LIBVIRT_RESULT_DBUS
+@@ -2609,6 +2611,7 @@ LIBVIRT_RESULT_DBUS
 LIBVIRT_RESULT_FUSE
 LIBVIRT_RESULT_HAL
 LIBVIRT_RESULT_NETCF
@ -38,7 +38,7 @@ Index: libvirt-1.1.2/src/Makefile.am
 ===================================================================
 --- libvirt-1.1.2.orig/src/Makefile.am
 +++ libvirt-1.1.2/src/Makefile.am
-@@ -750,6 +750,10 @@ if WITH_NETCF
+@@ -751,6 +751,10 @@ if WITH_NETCF
 INTERFACE_DRIVER_SOURCES +=					\
 		interface/interface_backend_netcf.c
 endif
@ -49,7 +49,7 @@ Index: libvirt-1.1.2/src/Makefile.am
 if WITH_UDEV
 INTERFACE_DRIVER_SOURCES +=					\
 		interface/interface_backend_udev.c
-@@ -1310,11 +1314,16 @@ if WITH_NETCF
+@@ -1311,11 +1315,16 @@ if WITH_NETCF
 libvirt_driver_interface_la_CFLAGS += $(NETCF_CFLAGS)
 libvirt_driver_interface_la_LIBADD += $(NETCF_LIBS)
 else
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Mon Oct 21 11:33:03 MDT 2013 - jfehlig@suse.com
+
+- CVE-2013-4400: Unsantized use of env variables allows privilege
+  escalation via virt-login-shell
+  ae53e5d1-CVE-2013-4400.patch, 8c3586ea-CVE-2013-4400.patch,
+  b7fcc799a-CVE-2013-4400.patch, 3e2f27e1-CVE-2013-4400.patch,
+  CVE-2013-4400-build-fix.patch
+  bnc#837609
+- CVE-2013-4401: Fix perms for virConnectDomainXML{To,From}Native
+  57687fd6-CVE-2013-4401.patch
+  bnc#845704
+
 -------------------------------------------------------------------
 Fri Oct 18 14:42:39 MDT 2013 - jfehlig@suse.com

--- a/libvirt.spec
+++ b/libvirt.spec
@ -412,10 +412,16 @@ Patch5:         e4697b92-CVE-2013-4311.patch
 Patch6:         8294aa0c-CVE-2013-4399.patch
 Patch7:         484cc321-fix-spice-migration.patch
 Patch8:         79552754-libvirtd-chardev-crash.patch
+Patch9:         57687fd6-CVE-2013-4401.patch
+Patch10:        ae53e5d1-CVE-2013-4400.patch
+Patch11:        8c3586ea-CVE-2013-4400.patch
+Patch12:        b7fcc799a-CVE-2013-4400.patch
+Patch13:        3e2f27e1-CVE-2013-4400.patch
 # Need to go upstream
 Patch100:       xen-name-for-devid.patch
 Patch101:       clone.patch
 Patch102:       xen-pv-cdrom.patch
+Patch103:       CVE-2013-4400-build-fix.patch
 # Our patches
 Patch200:       libvirtd-defaults.patch
 Patch201:       libvirtd-init-script.patch
@ -928,9 +934,15 @@ of recent versions of Linux (and other OSes).
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
 %patch100 -p1
 %patch101
 %patch102 -p1
+%patch103 -p1
 %patch200 -p1
 %patch201 -p1
 %patch202 -p1