[Pkg-libvirt-commits] [SCM] Libvirt Debian packaging branch, squeeze, updated. debian/0.8.3-5+squeeze1

Guido Günther agx at sigxcpu.org
Fri Mar 18 09:07:05 UTC 2011 

The following commit has been merged in the squeeze branch:
commit 0ee351f809369e3cf4ad52a8f3f74f39f6845dcd
Author: Guido Günther <agx at sigxcpu.org>
Date:   Mon Mar 14 11:50:01 2011 +0100

    [CVE-2011-1146] Add missing checks for read only connections
    
    Some API forgot to check the read-only status of the connection for
    entry point which modify the state of the system or may lead to a remote
    execution using user data.
    The entry points concerned are:
      - virConnectDomainXMLToNative
      - virNodeDeviceDettach
      - virNodeDeviceReAttach
      - virNodeDeviceReset
      - virDomainRevertToSnapshot
      - virDomainSnapshotDelete
    
    src/libvirt.c: fix the above set of entry points to error on read-only
    Closes: #617773

diff --git a/debian/patches/security/0013-Add-missing-checks-for-read-only-connections.patch b/debian/patches/security/0013-Add-missing-checks-for-read-only-connections.patch
new file mode 100644
index 0000000..b7a84ad
--- /dev/null
+++ b/debian/patches/security/0013-Add-missing-checks-for-read-only-connections.patch
@@ -0,0 +1,96 @@
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx at sigxcpu.org>
+Date: Mon, 14 Mar 2011 08:55:02 +0100
+Subject: Add missing checks for read only connections
+
+As pointed on CVE-2011-1146, some API forgot to check the read-only
+status of the connection for entry point which modify the state
+of the system or may lead to a remote execution using user data.
+The entry points concerned are:
+  - virConnectDomainXMLToNative
+  - virNodeDeviceDettach
+  - virNodeDeviceReAttach
+  - virNodeDeviceReset
+  - virDomainRevertToSnapshot
+  - virDomainSnapshotDelete
+
+* src/libvirt.c: fix the above set of entry points to error on read-only
+                 connections
+
+---
+ src/libvirt.c |   27 +++++++++++++++++++++++++++
+ 1 files changed, 27 insertions(+), 0 deletions(-)
+
+diff --git a/src/libvirt.c b/src/libvirt.c
+index 3ec5724..5e5a758 100644
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -3177,6 +3177,10 @@ char *virConnectDomainXMLToNative(virConnectPtr conn,
+         virDispatchError(NULL);
+         return (NULL);
+     }
++    if (conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
+ 
+     if (nativeFormat == NULL || domainXml == NULL) {
+         virLibConnError(conn, VIR_ERR_INVALID_ARG, __FUNCTION__);
+@@ -9418,6 +9422,11 @@ virNodeDeviceDettach(virNodeDevicePtr dev)
+         return (-1);
+     }
+ 
++    if (dev->conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
++
+     if (dev->conn->driver->nodeDeviceDettach) {
+         int ret;
+         ret = dev->conn->driver->nodeDeviceDettach (dev);
+@@ -9461,6 +9470,11 @@ virNodeDeviceReAttach(virNodeDevicePtr dev)
+         return (-1);
+     }
+ 
++    if (dev->conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
++
+     if (dev->conn->driver->nodeDeviceReAttach) {
+         int ret;
+         ret = dev->conn->driver->nodeDeviceReAttach (dev);
+@@ -9506,6 +9520,11 @@ virNodeDeviceReset(virNodeDevicePtr dev)
+         return (-1);
+     }
+ 
++    if (dev->conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
++
+     if (dev->conn->driver->nodeDeviceReset) {
+         int ret;
+         ret = dev->conn->driver->nodeDeviceReset (dev);
+@@ -12761,6 +12780,10 @@ virDomainRevertToSnapshot(virDomainSnapshotPtr snapshot,
+     }
+ 
+     conn = snapshot->domain->conn;
++    if (conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
+ 
+     if (conn->driver->domainRevertToSnapshot) {
+         int ret = conn->driver->domainRevertToSnapshot(snapshot, flags);
+@@ -12807,6 +12830,10 @@ virDomainSnapshotDelete(virDomainSnapshotPtr snapshot,
+     }
+ 
+     conn = snapshot->domain->conn;
++    if (conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
+ 
+     if (conn->driver->domainSnapshotDelete) {
+         int ret = conn->driver->domainSnapshotDelete(snapshot, flags);
+-- 
diff --git a/debian/patches/series b/debian/patches/series
index 2d056e6..ee5072c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@
 0010-nwfilter-resolve-deadlock-between-VM-operations-and-.patch
 0011-OpenVZ-take-veid-from-vmdef-name-when-defining-new-d.patch
 0012-OpenVZ-Fix-some-overwritten-error-codes.patch
+security/0013-Add-missing-checks-for-read-only-connections.patch

-- 
Libvirt Debian packaging

More information about the Pkg-libvirt-commits mailing list