From d964be009737d45354623bf9f991449ca5a1e375 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Wed, 3 Jul 2019 11:25:28 -0400 Subject: [PATCH] libvirt-5.5.0-1.fc31 Rebased to version 5.5.0 --- ...DomainSaveImageGetXMLDesc-on-read-on.patch | 81 ------------------- ...DomainManagedSaveDefineXML-on-read-o.patch | 33 -------- ...ConnectGetDomainCapabilities-on-read.patch | 31 ------- ...Connect-HypervisorCPU-on-read-only-c.patch | 39 --------- libvirt.spec | 31 ++----- sources | 2 +- 6 files changed, 8 insertions(+), 209 deletions(-) delete mode 100644 0001-api-disallow-virDomainSaveImageGetXMLDesc-on-read-on.patch delete mode 100644 0002-api-disallow-virDomainManagedSaveDefineXML-on-read-o.patch delete mode 100644 0003-api-disallow-virConnectGetDomainCapabilities-on-read.patch delete mode 100644 0004-api-disallow-virConnect-HypervisorCPU-on-read-only-c.patch diff --git a/0001-api-disallow-virDomainSaveImageGetXMLDesc-on-read-on.patch b/0001-api-disallow-virDomainSaveImageGetXMLDesc-on-read-on.patch deleted file mode 100644 index 8b99fcc..0000000 --- a/0001-api-disallow-virDomainSaveImageGetXMLDesc-on-read-on.patch +++ /dev/null @@ -1,81 +0,0 @@ -From: =?UTF-8?q?J=C3=A1n=20Tomko?= -Date: Fri, 14 Jun 2019 08:47:42 +0200 -Subject: [PATCH] api: disallow virDomainSaveImageGetXMLDesc on read-only - connections -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The virDomainSaveImageGetXMLDesc API is taking a path parameter, -which can point to any path on the system. This file will then be -read and parsed by libvirtd running with root privileges. - -Forbid it on read-only connections. - -Fixes: CVE-2019-10161 -Reported-by: Matthias Gerstner -Signed-off-by: Ján Tomko -Reviewed-by: Daniel P. Berrangé -(cherry picked from commit aed6a032cead4386472afb24b16196579e239580) ---- - src/libvirt-domain.c | 11 ++--------- - src/qemu/qemu_driver.c | 2 +- - src/remote/remote_protocol.x | 3 +-- - 3 files changed, 4 insertions(+), 12 deletions(-) - -diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c -index df7e405b3e..1cc8537c04 100644 ---- a/src/libvirt-domain.c -+++ b/src/libvirt-domain.c -@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml, - * previously by virDomainSave() or virDomainSaveFlags(). - * - * No security-sensitive data will be included unless @flags contains -- * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE; this flag is rejected on read-only -- * connections. -+ * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE. - * - * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of - * error. The caller must free() the returned value. -@@ -1090,13 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file, - - virCheckConnectReturn(conn, NULL); - virCheckNonNullArgGoto(file, error); -- -- if ((conn->flags & VIR_CONNECT_RO) && -- (flags & VIR_DOMAIN_SAVE_IMAGE_XML_SECURE)) { -- virReportError(VIR_ERR_OPERATION_DENIED, "%s", -- _("virDomainSaveImageGetXMLDesc with secure flag")); -- goto error; -- } -+ virCheckReadOnlyGoto(conn->flags, error); - - if (conn->driver->domainSaveImageGetXMLDesc) { - char *ret; -diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c -index 42b1ce2521..ea9a3d33a3 100644 ---- a/src/qemu/qemu_driver.c -+++ b/src/qemu/qemu_driver.c -@@ -7038,7 +7038,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path, - if (fd < 0) - goto cleanup; - -- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0) -+ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) - goto cleanup; - - ret = qemuDomainDefFormatXML(driver, def, flags); -diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x -index 11f44ee267..737d67c47b 100644 ---- a/src/remote/remote_protocol.x -+++ b/src/remote/remote_protocol.x -@@ -5242,8 +5242,7 @@ enum remote_procedure { - /** - * @generate: both - * @priority: high -- * @acl: domain:read -- * @acl: domain:read_secure:VIR_DOMAIN_SAVE_IMAGE_XML_SECURE -+ * @acl: domain:write - */ - REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235, - diff --git a/0002-api-disallow-virDomainManagedSaveDefineXML-on-read-o.patch b/0002-api-disallow-virDomainManagedSaveDefineXML-on-read-o.patch deleted file mode 100644 index b952bdd..0000000 --- a/0002-api-disallow-virDomainManagedSaveDefineXML-on-read-o.patch +++ /dev/null @@ -1,33 +0,0 @@ -From: =?UTF-8?q?J=C3=A1n=20Tomko?= -Date: Fri, 14 Jun 2019 09:14:53 +0200 -Subject: [PATCH] api: disallow virDomainManagedSaveDefineXML on read-only - connections -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The virDomainManagedSaveDefineXML can be used to alter the domain's -config used for managedsave or even execute arbitrary emulator binaries. -Forbid it on read-only connections. - -Fixes: CVE-2019-10166 -Reported-by: Matthias Gerstner -Signed-off-by: Ján Tomko -Reviewed-by: Daniel P. Berrangé -(cherry picked from commit db0b78457f183e4c7ac45bc94de86044a1e2056a) ---- - src/libvirt-domain.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c -index 1cc8537c04..f77fc23a3f 100644 ---- a/src/libvirt-domain.c -+++ b/src/libvirt-domain.c -@@ -9563,6 +9563,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml, - - virCheckDomainReturn(domain, -1); - conn = domain->conn; -+ virCheckReadOnlyGoto(conn->flags, error); - - if (conn->driver->domainManagedSaveDefineXML) { - int ret; diff --git a/0003-api-disallow-virConnectGetDomainCapabilities-on-read.patch b/0003-api-disallow-virConnectGetDomainCapabilities-on-read.patch deleted file mode 100644 index be27e22..0000000 --- a/0003-api-disallow-virConnectGetDomainCapabilities-on-read.patch +++ /dev/null @@ -1,31 +0,0 @@ -From: =?UTF-8?q?J=C3=A1n=20Tomko?= -Date: Fri, 14 Jun 2019 09:16:14 +0200 -Subject: [PATCH] api: disallow virConnectGetDomainCapabilities on read-only - connections -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This API can be used to execute arbitrary emulators. -Forbid it on read-only connections. - -Fixes: CVE-2019-10167 -Signed-off-by: Ján Tomko -Reviewed-by: Daniel P. Berrangé -(cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26) ---- - src/libvirt-domain.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c -index f77fc23a3f..c500d6be36 100644 ---- a/src/libvirt-domain.c -+++ b/src/libvirt-domain.c -@@ -11360,6 +11360,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn, - virResetLastError(); - - virCheckConnectReturn(conn, NULL); -+ virCheckReadOnlyGoto(conn->flags, error); - - if (conn->driver->connectGetDomainCapabilities) { - char *ret; diff --git a/0004-api-disallow-virConnect-HypervisorCPU-on-read-only-c.patch b/0004-api-disallow-virConnect-HypervisorCPU-on-read-only-c.patch deleted file mode 100644 index fb4da99..0000000 --- a/0004-api-disallow-virConnect-HypervisorCPU-on-read-only-c.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: =?UTF-8?q?J=C3=A1n=20Tomko?= -Date: Fri, 14 Jun 2019 09:17:39 +0200 -Subject: [PATCH] api: disallow virConnect*HypervisorCPU on read-only - connections -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -These APIs can be used to execute arbitrary emulators. -Forbid them on read-only connections. - -Fixes: CVE-2019-10168 -Signed-off-by: Ján Tomko -Reviewed-by: Daniel P. Berrangé -(cherry picked from commit bf6c2830b6c338b1f5699b095df36f374777b291) ---- - src/libvirt-host.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/libvirt-host.c b/src/libvirt-host.c -index e20d6ee250..2978825d22 100644 ---- a/src/libvirt-host.c -+++ b/src/libvirt-host.c -@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn, - - virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR); - virCheckNonNullArgGoto(xmlCPU, error); -+ virCheckReadOnlyGoto(conn->flags, error); - - if (conn->driver->connectCompareHypervisorCPU) { - int ret; -@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn, - - virCheckConnectReturn(conn, NULL); - virCheckNonNullArgGoto(xmlCPUs, error); -+ virCheckReadOnlyGoto(conn->flags, error); - - if (conn->driver->connectBaselineHypervisorCPU) { - char *cpu; diff --git a/libvirt.spec b/libvirt.spec index b934aba..70ace80 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -4,7 +4,7 @@ # that's still supported by the vendor. It may work on other distros # or versions, but no effort will be made to ensure that going forward. %define min_rhel 7 -%define min_fedora 28 +%define min_fedora 29 %if (0%{?fedora} && 0%{?fedora} >= %{min_fedora}) || (0%{?rhel} && 0%{?rhel} >= %{min_rhel}) %define supported_platform 1 @@ -215,8 +215,8 @@ Summary: Library providing a simple virtualization API Name: libvirt -Version: 5.4.0 -Release: 2%{?dist} +Version: 5.5.0 +Release: 1%{?dist} License: LGPLv2+ URL: https://libvirt.org/ @@ -225,20 +225,6 @@ URL: https://libvirt.org/ %endif Source: https://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz -# CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc -# API (bz #1722463, bz #1720115) -Patch0001: 0001-api-disallow-virDomainSaveImageGetXMLDesc-on-read-on.patch -# CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly -# clients (bz #1722462, bz #1720114) -Patch0002: 0002-api-disallow-virDomainManagedSaveDefineXML-on-read-o.patch -# CVE-2019-10167: arbitrary command execution via -# virConnectGetDomainCapabilities API (bz #1722464, bz #1720117) -Patch0003: 0003-api-disallow-virConnectGetDomainCapabilities-on-read.patch -# CVE-2019-10168: arbitrary command execution via -# virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs (bz -# #1722466, bz #1720118) -Patch0004: 0004-api-disallow-virConnect-HypervisorCPU-on-read-only-c.patch - Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} Requires: libvirt-daemon-config-nwfilter = %{version}-%{release} @@ -311,7 +297,6 @@ BuildRequires: sanlock-devel >= 2.4 %endif BuildRequires: libpcap-devel BuildRequires: libnl3-devel -BuildRequires: avahi-devel BuildRequires: libselinux-devel BuildRequires: dnsmasq >= 2.41 BuildRequires: iptables @@ -450,7 +435,6 @@ Requires: iproute Requires: iproute-tc %endif -Requires: avahi-libs Requires: polkit >= 0.112 %ifarch %{ix86} x86_64 ia64 # For virConnectGetSysinfo @@ -1177,7 +1161,6 @@ rm -f po/stamp-po %{?arg_vbox} \ %{?arg_libxl} \ --with-sasl \ - --with-avahi \ --with-polkit \ --with-libvirtd \ %{?arg_phyp} \ @@ -1582,8 +1565,6 @@ exit 0 %{_mandir}/man8/virtlockd.8* %{_mandir}/man7/virkey*.7* -%doc examples/polkit/*.rules - %files daemon-config-network %dir %{_datadir}/libvirt/networks/ %{_datadir}/libvirt/networks/default.xml @@ -1804,6 +1785,7 @@ exit 0 %{_datadir}/libvirt/schemas/interface.rng %{_datadir}/libvirt/schemas/network.rng %{_datadir}/libvirt/schemas/networkcommon.rng +%{_datadir}/libvirt/schemas/networkport.rng %{_datadir}/libvirt/schemas/nodedev.rng %{_datadir}/libvirt/schemas/nwfilter.rng %{_datadir}/libvirt/schemas/nwfilter_params.rng @@ -1879,11 +1861,12 @@ exit 0 %{_datadir}/libvirt/api/libvirt-admin-api.xml %{_datadir}/libvirt/api/libvirt-qemu-api.xml %{_datadir}/libvirt/api/libvirt-lxc-api.xml -# Needed building python bindings -%doc docs/libvirt-api.xml %changelog +* Wed Jul 03 2019 Cole Robinson - 5.5.0-1 +- Rebased to version 5.5.0 + * Thu Jun 20 2019 Cole Robinson - 5.4.0-2 - CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API (bz #1722463, bz #1720115) diff --git a/sources b/sources index c4025da..82e0dd6 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (libvirt-5.4.0.tar.xz) = 03fa932d041d147cab79eab200bb33f8db72579be72ec7cbff3305f4a8d574835a80f1b99936eddf67f83d21cc5567f45c86e555209de6cd702f43f91197cfd0 +SHA512 (libvirt-5.5.0.tar.xz) = 47923aaca605fb43a53238ac535abc1f88f73435336b8f3e88cb01df277ed205d99c586991e523aa32b50c832a0a7c949ab5f84dc78eb8d18a4951cfc791448d