tamiko 14/11/06 22:36:08
Added: libvirt-1.2.10-cve-2014-7823.patch
libvirt-1.2.9-cve-2014-7823.patch
Log:
version bump wrt bug #528300, backport fix for CVE-2014-7823 wrt bug #528440,
drop vulnerable
(Portage version: 2.2.8-r2/cvs/Linux x86_64, signed Manifest commit with key
BD3A97A3)
Revision Changes Path
1.1
app-emulation/libvirt/files/libvirt-1.2.10-cve-2014-7823.patch
file :
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/libvirt/files/libvirt-1.2.10-cve-2014-7823.patch?rev=1.1&view=markup
plain:
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/libvirt/files/libvirt-1.2.10-cve-2014-7823.patch?rev=1.1&content-type=text/plain
Index: libvirt-1.2.10-cve-2014-7823.patch
===================================================================
Patch from:
https://www.redhat.com/archives/libvir-list/2014-November/msg00114.html
From: Eric Blake <eblake redhat com>
To: libvir-list redhat com
Subject: [libvirt] [PATCH] CVE-2014-7823: dumpxml: security hole with
migratable flag
Date: Wed, 5 Nov 2014 17:30:46 +0100
---
Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
the qemu implementation of virDomainGetXMLDesc, the use of the
flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
prior to calling qemuDomainFormatXML. However, the use of
VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
clients only. This patch treats the migratable flag as requiring
the same permissions, rather than analyzing what might break if
migratable xml no longer includes secret information.
Fortunately, the information leak is low-risk: all that is gated
by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
but VNC passwords are already weak (FIPS forbids their use, and
on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
password sent in plaintext over the network deserves what they
get). SPICE offers better security than VNC, and all other
secrets are properly protected by use of virSecret associations
rather than direct output in domain XML.
* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
Tighten rules on use of migratable flag.
* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
Signed-off-by: Eric Blake <eblake redhat com>
---
The libvirt-security list agreed that this did not need an embargo
because it is low-risk; but I'm on the road this week, so while
this patch for master can go in now, I won't complete the backport
to all the affected stable branches (everything since v1.0.0) or
do the Libvirt Security Notice writeup until Monday.
src/libvirt-domain.c | 3 ++-
src/remote/remote_protocol.x | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
index 7dc3146..2b0defc 100644
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -2607,7 +2607,8 @@ virDomainGetXMLDesc(virDomainPtr domain, unsigned int
flags)
virCheckDomainReturn(domain, NULL);
conn = domain->conn;
- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+ if ((conn->flags & VIR_CONNECT_RO) &&
+ (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) {
virReportError(VIR_ERR_OPERATION_DENIED, "%s",
_("virDomainGetXMLDesc with secure flag"));
goto error;
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index db12cda..ebf4530 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -3255,6 +3255,7 @@ enum remote_procedure {
* @generate: both
* @acl: domain:read
* @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
+ * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE
*/
REMOTE_PROC_DOMAIN_GET_XML_DESC = 14,
--
1.9.3
1.1
app-emulation/libvirt/files/libvirt-1.2.9-cve-2014-7823.patch
file :
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/libvirt/files/libvirt-1.2.9-cve-2014-7823.patch?rev=1.1&view=markup
plain:
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/libvirt/files/libvirt-1.2.9-cve-2014-7823.patch?rev=1.1&content-type=text/plain
Index: libvirt-1.2.9-cve-2014-7823.patch
===================================================================
Patch from:
https://www.redhat.com/archives/libvir-list/2014-November/msg00114.html
Backported to version 1.2.9: (Matthias Maier <[email protected]>)
In libvirt versions prior to 1.2.10 the function
char*
virDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
is defined in libvirt.c
From: Eric Blake <eblake redhat com>
To: libvir-list redhat com
Subject: [libvirt] [PATCH] CVE-2014-7823: dumpxml: security hole with
migratable flag
Date: Wed, 5 Nov 2014 17:30:46 +0100
---
Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
the qemu implementation of virDomainGetXMLDesc, the use of the
flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
prior to calling qemuDomainFormatXML. However, the use of
VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
clients only. This patch treats the migratable flag as requiring
the same permissions, rather than analyzing what might break if
migratable xml no longer includes secret information.
Fortunately, the information leak is low-risk: all that is gated
by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
but VNC passwords are already weak (FIPS forbids their use, and
on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
password sent in plaintext over the network deserves what they
get). SPICE offers better security than VNC, and all other
secrets are properly protected by use of virSecret associations
rather than direct output in domain XML.
* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
Tighten rules on use of migratable flag.
* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
Signed-off-by: Eric Blake <eblake redhat com>
---
The libvirt-security list agreed that this did not need an embargo
because it is low-risk; but I'm on the road this week, so while
this patch for master can go in now, I won't complete the backport
to all the affected stable branches (everything since v1.0.0) or
do the Libvirt Security Notice writeup until Monday.
src/libvirt-domain.c | 3 ++-
src/remote/remote_protocol.x | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/libvirt.c b/src/libvirt.c
index 7dc3146..2b0defc 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -4369,7 +4369,8 @@ virDomainGetXMLDesc(virDomainPtr domain, unsigned int
flags)
virCheckDomainReturn(domain, NULL);
conn = domain->conn;
- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+ if ((conn->flags & VIR_CONNECT_RO) &&
+ (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) {
virReportError(VIR_ERR_OPERATION_DENIED, "%s",
_("virDomainGetXMLDesc with secure flag"));
goto error;
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index db12cda..ebf4530 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -3255,6 +3255,7 @@ enum remote_procedure {
* @generate: both
* @acl: domain:read
* @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
+ * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE
*/
REMOTE_PROC_DOMAIN_GET_XML_DESC = 14,
--
1.9.3
