forked from pool/libvirt
2d3b4f44f0
Fixes for CVE's made public today. - api: disallow virConnect*HypervisorCPU, virConnectGetDomainCapabilities, virDomainManagedSaveDefineXML, and virDomainSaveImageGetXMLDesc on read-only connections CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc.patch, CVE-2019-10166-api-disallow-virDomainManagedSaveDefineXML.patch, CVE-2019-10167-api-disallow-virConnectGetDomainCapabilities.patch, CVE-2019-10168-api-disallow-virConnect-HypervisorCPU.patch CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168 bsc#1138301, bsc#1138302, bsc#1138303, bsc#1138305 OBS-URL: https://build.opensuse.org/request/show/711148 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=765
74 lines
2.8 KiB
Diff
74 lines
2.8 KiB
Diff
commit aed6a032cead4386472afb24b16196579e239580
|
|
Author: Ján Tomko <jtomko@redhat.com>
|
|
Date: Fri Jun 14 08:47:42 2019 +0200
|
|
|
|
api: disallow virDomainSaveImageGetXMLDesc on read-only connections
|
|
|
|
The virDomainSaveImageGetXMLDesc API is taking a path parameter,
|
|
which can point to any path on the system. This file will then be
|
|
read and parsed by libvirtd running with root privileges.
|
|
|
|
Forbid it on read-only connections.
|
|
|
|
Fixes: CVE-2019-10161
|
|
Reported-by: Matthias Gerstner <mgerstner@suse.de>
|
|
Signed-off-by: Ján Tomko <jtomko@redhat.com>
|
|
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
|
|
Index: libvirt-5.4.0/src/libvirt-domain.c
|
|
===================================================================
|
|
--- libvirt-5.4.0.orig/src/libvirt-domain.c
|
|
+++ libvirt-5.4.0/src/libvirt-domain.c
|
|
@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn
|
|
* previously by virDomainSave() or virDomainSaveFlags().
|
|
*
|
|
* No security-sensitive data will be included unless @flags contains
|
|
- * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE; this flag is rejected on read-only
|
|
- * connections.
|
|
+ * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE.
|
|
*
|
|
* Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
|
|
* error. The caller must free() the returned value.
|
|
@@ -1090,13 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectP
|
|
|
|
virCheckConnectReturn(conn, NULL);
|
|
virCheckNonNullArgGoto(file, error);
|
|
-
|
|
- if ((conn->flags & VIR_CONNECT_RO) &&
|
|
- (flags & VIR_DOMAIN_SAVE_IMAGE_XML_SECURE)) {
|
|
- virReportError(VIR_ERR_OPERATION_DENIED, "%s",
|
|
- _("virDomainSaveImageGetXMLDesc with secure flag"));
|
|
- goto error;
|
|
- }
|
|
+ virCheckReadOnlyGoto(conn->flags, error);
|
|
|
|
if (conn->driver->domainSaveImageGetXMLDesc) {
|
|
char *ret;
|
|
Index: libvirt-5.4.0/src/qemu/qemu_driver.c
|
|
===================================================================
|
|
--- libvirt-5.4.0.orig/src/qemu/qemu_driver.c
|
|
+++ libvirt-5.4.0/src/qemu/qemu_driver.c
|
|
@@ -7038,7 +7038,7 @@ qemuDomainSaveImageGetXMLDesc(virConnect
|
|
if (fd < 0)
|
|
goto cleanup;
|
|
|
|
- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
|
|
+ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
|
|
goto cleanup;
|
|
|
|
ret = qemuDomainDefFormatXML(driver, def, flags);
|
|
Index: libvirt-5.4.0/src/remote/remote_protocol.x
|
|
===================================================================
|
|
--- libvirt-5.4.0.orig/src/remote/remote_protocol.x
|
|
+++ libvirt-5.4.0/src/remote/remote_protocol.x
|
|
@@ -5242,8 +5242,7 @@ enum remote_procedure {
|
|
/**
|
|
* @generate: both
|
|
* @priority: high
|
|
- * @acl: domain:read
|
|
- * @acl: domain:read_secure:VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
|
|
+ * @acl: domain:write
|
|
*/
|
|
REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
|
|
|