[Pkg-libvirt-commits] [libvirt] 06/07: CVE-2014-7823: dumpxml: security hole with migratable flag

Guido Guenther agx at moszumanska.debian.org
Wed Dec 10 06:35:26 UTC 2014


This is an automated email from the git hooks/post-receive script.

agx pushed a commit to branch experimental
in repository libvirt.

commit 214d446446052e2d80049dd3203479a05e2f3b5a
Author: Guido Günther <agx at sigxcpu.org>
Date:   Wed Nov 12 07:42:01 2014 +0100

    CVE-2014-7823: dumpxml: security hole with migratable flag
    
    Closes: #769149
---
 ...23-dumpxml-security-hole-with-migratable-.patch | 59 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 60 insertions(+)

diff --git a/debian/patches/security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch b/debian/patches/security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch
new file mode 100644
index 0000000..8f9990b
--- /dev/null
+++ b/debian/patches/security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch
@@ -0,0 +1,59 @@
+From: Eric Blake <eblake at redhat.com>
+Date: Fri, 31 Oct 2014 22:14:07 -0600
+Subject: CVE-2014-7823: dumpxml: security hole with migratable flag
+
+Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
+the qemu implementation of virDomainGetXMLDesc, the use of the
+flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
+connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
+prior to calling qemuDomainFormatXML.  However, the use of
+VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
+clients only.  This patch treats the migratable flag as requiring
+the same permissions, rather than analyzing what might break if
+migratable xml no longer includes secret information.
+
+Fortunately, the information leak is low-risk: all that is gated
+by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
+but VNC passwords are already weak (FIPS forbids their use, and
+on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
+password sent in plaintext over the network deserves what they
+get).  SPICE offers better security than VNC, and all other
+secrets are properly protected by use of virSecret associations
+rather than direct output in domain XML.
+
+* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
+Tighten rules on use of migratable flag.
+* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
+
+Signed-off-by: Eric Blake <eblake at redhat.com>
+---
+ src/libvirt-domain.c         | 3 ++-
+ src/remote/remote_protocol.x | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 7dc3146..2b0defc 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -2607,7 +2607,8 @@ virDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
+     virCheckDomainReturn(domain, NULL);
+     conn = domain->conn;
+ 
+-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
++    if ((conn->flags & VIR_CONNECT_RO) &&
++        (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) {
+         virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+                        _("virDomainGetXMLDesc with secure flag"));
+         goto error;
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index db12cda..ebf4530 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -3255,6 +3255,7 @@ enum remote_procedure {
+      * @generate: both
+      * @acl: domain:read
+      * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
++     * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE
+      */
+     REMOTE_PROC_DOMAIN_GET_XML_DESC = 14,
+ 
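Review bot: In the src/libvirt-domain.c hunk, the error text stays "virDomainGetXMLDesc with secure flag" although the condition now also rejects VIR_DOMAIN_XML_MIGRATABLE, so a read-only client that passes only the migratable flag is denied with a message naming a flag it never set. Suggest wording the message to cover both flags, for example "virDomainGetXMLDesc with secure or migratable flag". A one-line comment above the check would also help, saying that the migratable flag implies VIR_DOMAIN_XML_SECURE in at least the qemu driver, as the commit message explains. Otherwise the reason for the pairing is only recoverable from the log. The added @acl line in remote_protocol.x ties the same flag to domain:read_secure, so the ACL path and the read-only check agree. The imported patch header carries From, Date and Subject but no reference to the upstream commit it was taken from. Adding one would make the backport easier to audit.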
diff --git a/debian/patches/series b/debian/patches/series
index 86e77c7..f0aa494 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@ debian/Debianize-systemd-service-files.patch
 Allow-xen-toolstack-to-find-it-s-binaries.patch
 Skip-vircgrouptest.patch
 debian/Debianize-virtlockd.patch
+security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libvirt.git


