[Pkg-libvirt-commits] [SCM] Libvirt debian packaging branch, experimental, updated. debian/0.5.1-5-7-gd6e79a0
Guido Günther
agx at sigxcpu.org
Thu Feb 5 20:00:29 UTC 2009
The following commit has been merged in the experimental branch:
commit 179781c28bfe557c716321be74d1568d60c26a63
Author: Guido Günther <agx at sigxcpu.org>
Date: Thu Feb 5 15:21:05 2009 +0100
drop patches
fixed upstream:
0006-Fix-missing-read-only-access-checks-CVE-2008-5086.patch
applied upstream:
0004-Open-qemu-monitor-log-O_APPEND-instead-of-O_TRUNC.patch
0005-qemu-fix-parallel-serial-mode-tcp-and-unix.patch
0007-don-t-fail-on-missing-locales.patch
0008-Don-t-hardcode-ssh-port.patch
diff --git a/debian/patches/0008-Don-t-hardcode-ssh-port.patch b/debian/patches/0004-Don-t-hardcode-ssh-port.patch
similarity index 89%
rename from debian/patches/0008-Don-t-hardcode-ssh-port.patch
rename to debian/patches/0004-Don-t-hardcode-ssh-port.patch
index 274f935..46783c9 100644
--- a/debian/patches/0008-Don-t-hardcode-ssh-port.patch
+++ b/debian/patches/0004-Don-t-hardcode-ssh-port.patch
@@ -10,10 +10,10 @@ Closes: #513605
1 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/remote_internal.c b/src/remote_internal.c
-index 7bf8766..d2f4397 100644
+index f8740af..dbd9673 100644
--- a/src/remote_internal.c
+++ b/src/remote_internal.c
-@@ -353,9 +353,6 @@ doRemoteOpen (virConnectPtr conn,
+@@ -387,9 +387,6 @@ doRemoteOpen (virConnectPtr conn,
} else if (transport == trans_tcp) {
port = strdup (LIBVIRTD_TCP_PORT);
if (!port) goto out_of_memory;
@@ -23,7 +23,7 @@ index 7bf8766..d2f4397 100644
} else
port = NULL; /* Port not used for unix, ext. */
-@@ -644,24 +641,27 @@ doRemoteOpen (virConnectPtr conn,
+@@ -673,24 +670,27 @@ doRemoteOpen (virConnectPtr conn,
}
case trans_ssh: {
@@ -34,7 +34,7 @@ index 7bf8766..d2f4397 100644
if (no_tty) nr_args += 5; /* For -T -o BatchMode=yes -e none */
+ if (port) nr_args += 2; /* For -p port */
- command = command ? : strdup ("ssh");
+ command = command ? command : strdup ("ssh");
if (command == NULL)
goto out_of_memory;
diff --git a/debian/patches/0004-Open-qemu-monitor-log-O_APPEND-instead-of-O_TRUNC.patch b/debian/patches/0004-Open-qemu-monitor-log-O_APPEND-instead-of-O_TRUNC.patch
deleted file mode 100644
index fe76cdd..0000000
--- a/debian/patches/0004-Open-qemu-monitor-log-O_APPEND-instead-of-O_TRUNC.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: Harald Staub <harald.staub at switch.ch>
-Date: Tue, 2 Dec 2008 13:14:33 +0100
-Subject: [PATCH] Open qemu monitor log O_APPEND instead of O_TRUNC
-
-makes logrotate work (O_APPEND) and keeps old log information (!O_TRUNC)
-(#507553)
----
- src/qemu_driver.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/src/qemu_driver.c b/src/qemu_driver.c
-index e666efc..a5fade4 100644
---- a/src/qemu_driver.c
-+++ b/src/qemu_driver.c
-@@ -840,7 +840,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
- return -1;
- }
-
-- if ((vm->logfile = open(logfile, O_CREAT | O_TRUNC | O_WRONLY,
-+ if ((vm->logfile = open(logfile, O_CREAT | O_APPEND | O_WRONLY,
- S_IRUSR | S_IWUSR)) < 0) {
- qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
- _("failed to create logfile %s: %s"),
---
diff --git a/debian/patches/0005-qemu-fix-parallel-serial-mode-tcp-and-unix.patch b/debian/patches/0005-qemu-fix-parallel-serial-mode-tcp-and-unix.patch
deleted file mode 100644
index bde6bd1..0000000
--- a/debian/patches/0005-qemu-fix-parallel-serial-mode-tcp-and-unix.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From: =?utf-8?q?Guido=20G=C3=BCnther?= <agx at sigxcpu.org>
-Date: Thu, 11 Dec 2008 12:02:50 +0100
-Subject: [PATCH] qemu: fix parallel/serial mode "tcp" and "unix"
-
-According to
- http://bellard.org/qemu/qemu-doc.html
-the required option is 'server' not 'listen'. Use nowait so kvm/qemu doesn't
-timeout during monitor startup as it waits for an incoming connection.
-
-Closes: #507608
----
- src/qemu_conf.c | 6 +++---
- .../qemuxml2argv-parallel-tcp.args | 2 +-
- .../qemuxml2argv-serial-tcp-telnet.args | 2 +-
- 3 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/qemu_conf.c b/src/qemu_conf.c
-index e6c378f..e890480 100644
---- a/src/qemu_conf.c
-+++ b/src/qemu_conf.c
-@@ -676,13 +676,13 @@ static int qemudBuildCommandLineChrDevStr(virDomainChrDefPtr dev,
- if (snprintf(buf, buflen, "telnet:%s:%s%s",
- dev->data.tcp.host,
- dev->data.tcp.service,
-- dev->data.tcp.listen ? ",server" : "") >= buflen)
-+ dev->data.tcp.listen ? ",server,nowait" : "") >= buflen)
- return -1;
- } else {
- if (snprintf(buf, buflen, "tcp:%s:%s%s",
- dev->data.tcp.host,
- dev->data.tcp.service,
-- dev->data.tcp.listen ? ",listen" : "") >= buflen)
-+ dev->data.tcp.listen ? ",server,nowait" : "") >= buflen)
- return -1;
- }
- break;
-@@ -690,7 +690,7 @@ static int qemudBuildCommandLineChrDevStr(virDomainChrDefPtr dev,
- case VIR_DOMAIN_CHR_TYPE_UNIX:
- if (snprintf(buf, buflen, "unix:%s%s",
- dev->data.nix.path,
-- dev->data.nix.listen ? ",listen" : "") >= buflen)
-+ dev->data.nix.listen ? ",server,nowait" : "") >= buflen)
- return -1;
- break;
- }
-diff --git a/tests/qemuxml2argvdata/qemuxml2argv-parallel-tcp.args b/tests/qemuxml2argvdata/qemuxml2argv-parallel-tcp.args
-index 1a08bbb..e9bbc71 100644
---- a/tests/qemuxml2argvdata/qemuxml2argv-parallel-tcp.args
-+++ b/tests/qemuxml2argvdata/qemuxml2argv-parallel-tcp.args
-@@ -1 +1 @@
--LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M pc -m 214 -smp 1 -nographic -monitor pty -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial none -parallel tcp:127.0.0.1:9999,listen -usb
-+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M pc -m 214 -smp 1 -nographic -monitor pty -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial none -parallel tcp:127.0.0.1:9999,server,nowait -usb
-diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-telnet.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-telnet.args
-index f2d1f17..ad37de4 100644
---- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-telnet.args
-+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-telnet.args
-@@ -1 +1 @@
--LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M pc -m 214 -smp 1 -nographic -monitor pty -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial telnet:127.0.0.1:9999,server -parallel none -usb
-+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M pc -m 214 -smp 1 -nographic -monitor pty -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial telnet:127.0.0.1:9999,server,nowait -parallel none -usb
---
diff --git a/debian/patches/0006-Fix-missing-read-only-access-checks-CVE-2008-5086.patch b/debian/patches/0006-Fix-missing-read-only-access-checks-CVE-2008-5086.patch
deleted file mode 100644
index ef03077..0000000
--- a/debian/patches/0006-Fix-missing-read-only-access-checks-CVE-2008-5086.patch
+++ /dev/null
@@ -1,209 +0,0 @@
-From: Daniel P. Berrange <berrange at redhat.com>
-Date: Wed, 17 Dec 2008 16:55:58 +0000
-Subject: [PATCH] Fix missing read-only access checks (CVE-2008-5086)
-
-The following methods in libvirt.c are missing a check against the
-read-only connection flag:
-
- virDomainMigrate
- virDomainMigratePrepare
- virDomainMigratePerform
- virDomainMigrateFinish
- virDomainMigratePrepare2
- virDomainMigrateFinish2
- virDomainBlockPeek
- virDomainMemoryPeek
- virDomainSetAutostart
- virNetworkSetAutostart
- virConnectFindStoragePoolSources
- virStoragePoolSetAutostart
-
-If using PolicyKit auth, the default policy will allow any local user
-to make a read-only connection to the libvirtd daemon without needing
-authentication.
-
-If not using PolicyKit, the default libvirtd.conf configuration settings
-will allow an unprivileged user to make a read-only connection to the
-libvirtd daemon without needing authentication.
-
-Thus out of the box unprivileged local users may be able to migrate VMs,
-set or unset the autostart flag for domains, networks & storage pools,
-and access privileged data in the VM memory, or disks.
-
-All TCP remote connections are read-write, and default settings require
-full authentication, thus remote access is not impacted by this flaw.
-
-Administrators can apply a workaround by editting /etc/libvirt/libvirtd.conf
-to explicitly set 'unix_sock_ro_perms' parameter to '0700'. Restart the
-libvirtd daemon after making this change.
-
-The first vulnerable release was 0.3.2, where the virDomainMigrate API
-was added for the Xen driver. Other APIs were added in various subsequent
-releases depending on the hypervisor driver in question.
-
-The attached patch has been committed to CVS, and OS distributors are
-recommended to apply this patch to all existing releases shipped. It
-was diff'd against current CVS head, and applies against 0.5.1, and
-is trivially re-diffable for all earlier releases.
-
-This flaw has been assigned the identifier CVE-2008-5086
-
-Daniel
----
- src/libvirt.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 files changed, 65 insertions(+), 0 deletions(-)
-
-diff --git a/src/libvirt.c b/src/libvirt.c
-index a279024..1b0e31a 100644
---- a/src/libvirt.c
-+++ b/src/libvirt.c
-@@ -2299,6 +2299,16 @@ virDomainMigrate (virDomainPtr domain,
- return NULL;
- }
-
-+ if (domain->conn->flags & VIR_CONNECT_RO) {
-+ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+ return NULL;
-+ }
-+ if (dconn->flags & VIR_CONNECT_RO) {
-+ /* NB, delibrately report error against source object, not dest here */
-+ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+ return NULL;
-+ }
-+
- /* Check that migration is supported by both drivers. */
- if (VIR_DRV_SUPPORTS_FEATURE (conn->driver, conn,
- VIR_DRV_FEATURE_MIGRATION_V1) &&
-@@ -2426,6 +2436,11 @@ virDomainMigratePrepare (virConnectPtr dconn,
- return -1;
- }
-
-+ if (dconn->flags & VIR_CONNECT_RO) {
-+ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+ return -1;
-+ }
-+
- if (dconn->driver->domainMigratePrepare)
- return dconn->driver->domainMigratePrepare (dconn, cookie, cookielen,
- uri_in, uri_out,
-@@ -2457,6 +2472,11 @@ virDomainMigratePerform (virDomainPtr domain,
- }
- conn = domain->conn;
-
-+ if (domain->conn->flags & VIR_CONNECT_RO) {
-+ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+ return -1;
-+ }
-+
- if (conn->driver->domainMigratePerform)
- return conn->driver->domainMigratePerform (domain, cookie, cookielen,
- uri,
-@@ -2485,6 +2505,11 @@ virDomainMigrateFinish (virConnectPtr dconn,
- return NULL;
- }
-
-+ if (dconn->flags & VIR_CONNECT_RO) {
-+ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+ return NULL;
-+ }
-+
- if (dconn->driver->domainMigrateFinish)
- return dconn->driver->domainMigrateFinish (dconn, dname,
- cookie, cookielen,
-@@ -2517,6 +2542,11 @@ virDomainMigratePrepare2 (virConnectPtr dconn,
- return -1;
- }
-
-+ if (dconn->flags & VIR_CONNECT_RO) {
-+ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+ return -1;
-+ }
-+
- if (dconn->driver->domainMigratePrepare2)
- return dconn->driver->domainMigratePrepare2 (dconn, cookie, cookielen,
- uri_in, uri_out,
-@@ -2547,6 +2577,11 @@ virDomainMigrateFinish2 (virConnectPtr dconn,
- return NULL;
- }
-
-+ if (dconn->flags & VIR_CONNECT_RO) {
-+ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+ return NULL;
-+ }
-+
- if (dconn->driver->domainMigrateFinish2)
- return dconn->driver->domainMigrateFinish2 (dconn, dname,
- cookie, cookielen,
-@@ -2905,6 +2940,11 @@ virDomainBlockPeek (virDomainPtr dom,
- }
- conn = dom->conn;
-
-+ if (dom->conn->flags & VIR_CONNECT_RO) {
-+ virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+ return (-1);
-+ }
-+
- if (!path) {
- virLibDomainError (dom, VIR_ERR_INVALID_ARG,
- _("path is NULL"));
-@@ -2980,6 +3020,11 @@ virDomainMemoryPeek (virDomainPtr dom,
- }
- conn = dom->conn;
-
-+ if (dom->conn->flags & VIR_CONNECT_RO) {
-+ virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+ return (-1);
-+ }
-+
- /* Flags must be VIR_MEMORY_VIRTUAL at the moment.
- *
- * Note on access to physical memory: A VIR_MEMORY_PHYSICAL flag is
-@@ -3247,6 +3292,11 @@ virDomainSetAutostart(virDomainPtr domain,
-
- conn = domain->conn;
-
-+ if (domain->conn->flags & VIR_CONNECT_RO) {
-+ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+ return (-1);
-+ }
-+
- if (conn->driver->domainSetAutostart)
- return conn->driver->domainSetAutostart (domain, autostart);
-
-@@ -4197,6 +4247,11 @@ virNetworkSetAutostart(virNetworkPtr network,
- return (-1);
- }
-
-+ if (network->conn->flags & VIR_CONNECT_RO) {
-+ virLibNetworkError(network, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+ return (-1);
-+ }
-+
- conn = network->conn;
-
- if (conn->networkDriver && conn->networkDriver->networkSetAutostart)
-@@ -4395,6 +4450,11 @@ virConnectFindStoragePoolSources(virConnectPtr conn,
- return NULL;
- }
-
-+ if (conn->flags & VIR_CONNECT_RO) {
-+ virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+ return NULL;
-+ }
-+
- if (conn->storageDriver && conn->storageDriver->findPoolSources)
- return conn->storageDriver->findPoolSources(conn, type, srcSpec, flags);
-
-@@ -5068,6 +5128,11 @@ virStoragePoolSetAutostart(virStoragePoolPtr pool,
- return (-1);
- }
-
-+ if (pool->conn->flags & VIR_CONNECT_RO) {
-+ virLibStoragePoolError(pool, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+ return (-1);
-+ }
-+
- conn = pool->conn;
-
- if (conn->storageDriver && conn->storageDriver->poolSetAutostart)
---
diff --git a/debian/patches/0007-don-t-fail-on-missing-locales.patch b/debian/patches/0007-don-t-fail-on-missing-locales.patch
deleted file mode 100644
index e397e06..0000000
--- a/debian/patches/0007-don-t-fail-on-missing-locales.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From: =?utf-8?q?Guido=20G=C3=BCnther?= <agx at sigxcpu.org>
-Date: Fri, 23 Jan 2009 16:25:33 +0100
-Subject: [PATCH] don't fail on missing locales
-
-Closes: #512721
----
- src/virsh.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/src/virsh.c b/src/virsh.c
-index 2b05793..5e39b48 100644
---- a/src/virsh.c
-+++ b/src/virsh.c
-@@ -7078,7 +7078,7 @@ main(int argc, char **argv)
-
- if (!setlocale(LC_ALL, "")) {
- perror("setlocale");
-- return -1;
-+ /* failure to setup locale is not fatal */
- }
- if (!bindtextdomain(GETTEXT_PACKAGE, LOCALEBASEDIR)) {
- perror("bindtextdomain");
---
diff --git a/debian/patches/series b/debian/patches/series
index ff360a9..4acfbb9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,8 +1,4 @@
0001-remove-RHism.diff.patch
0002-qemu-disable-network.diff.patch
0003-allow-libvirt-group-to-access-the-socket.patch
-0004-Open-qemu-monitor-log-O_APPEND-instead-of-O_TRUNC.patch
-0005-qemu-fix-parallel-serial-mode-tcp-and-unix.patch
-0006-Fix-missing-read-only-access-checks-CVE-2008-5086.patch
-0007-don-t-fail-on-missing-locales.patch
-0008-Don-t-hardcode-ssh-port.patch
+0004-Don-t-hardcode-ssh-port.patch
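Review bot: Removing `0006-Fix-missing-read-only-access-checks-CVE-2008-5086.patch` from the series means the package no longer carries the read-only connection checks itself, and nothing visible in this commit records which upstream release supplies them. It is worth confirming that the new upstream `src/libvirt.c` has the `VIR_CONNECT_RO` test in all twelve entry points the dropped patch lists (virDomainMigrate through virStoragePoolSetAutostart), because a partial upstream fix would leave the remaining calls open to unauthenticated local read-only connections. I would also record the drop in debian/changelog, for example `* Drop 0006-Fix-missing-read-only-access-checks-CVE-2008-5086.patch, fixed upstream in <UPSTREAM_VERSION>`, so the CVE can be tied to a package version.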
--
Libvirt debian packaging