libvirt/e4cb8500-avoid-malicious-ssh-hostname-as-args.patch

commit e4cb8500810a310a10a6cb359e1b53fac03ed597
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Fri Aug 11 17:19:53 2017 +0100

    rpc: avoid ssh interpreting malicious hostname as arguments
    
    Inspired by the recent GIT / Mercurial security flaws
    (http://blog.recurity-labs.com/2017-08-10/scm-vulns),
    consider someone/something manages to feed libvirt a bogus
    URI such as:
    
      virsh -c qemu+ssh://-oProxyCommand=gnome-calculator/system
    
    In this case, the hosname "-oProxyCommand=gnome-calculator"
    will get interpreted as an argument to ssh, not a hostname.
    Fortunately, due to the set of args we have following the
    hostname, SSH will then interpret our bit of shell script
    that runs 'nc' on the remote host as a cipher name, which is
    clearly invalid. This makes ssh exit during argv parsing and
    so it never tries to run gnome-calculator.
    
    We are lucky this time, but lets be more paranoid, by using
    '--' to explicitly tell SSH when it has finished seeing
    command line options. This forces it to interpret
    "-oProxyCommand=gnome-calculator" as a hostname, and thus
    see a fail from hostname lookup.
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Index: libvirt-3.6.0/src/rpc/virnetsocket.c
===================================================================
--- libvirt-3.6.0.orig/src/rpc/virnetsocket.c
+++ libvirt-3.6.0/src/rpc/virnetsocket.c
@@ -868,7 +868,7 @@ int virNetSocketNewConnectSSH(const char
     if (!netcat)
         netcat = "nc";
 
-    virCommandAddArgList(cmd, nodename, "sh", "-c", NULL);
+    virCommandAddArgList(cmd, "--", nodename, "sh", "-c", NULL);
 
     virBufferEscapeShell(&buf, netcat);
     if (virBufferCheckError(&buf) < 0) {