[Pkg-libvirt-commits] [libvirt] 03/04: CVE-2014-7823: dumpxml: security hole with migratable flag

Guido Guenther agx at moszumanska.debian.org
Mon Nov 17 17:55:04 UTC 2014


This is an automated email from the git hooks/post-receive script.

agx pushed a commit to branch master
in repository libvirt.

commit 030fd97c90848cea2d63066a2894df461da22fca
Author: Guido Günther <agx at sigxcpu.org>
Date:   Wed Nov 12 08:10:27 2014 +0100

    CVE-2014-7823: dumpxml: security hole with migratable flag
    
    Closes: #769149
---
 ...23-dumpxml-security-hole-with-migratable-.patch | 64 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 65 insertions(+)

diff --git a/debian/patches/security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch b/debian/patches/security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch
new file mode 100644
index 0000000..a22a1e3
--- /dev/null
+++ b/debian/patches/security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch
@@ -0,0 +1,64 @@
+From: Eric Blake <eblake at redhat.com>
+Date: Thu, 6 Nov 2014 09:42:24 +0100
+Subject: CVE-2014-7823: dumpxml: security hole with migratable flag
+
+Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
+the qemu implementation of virDomainGetXMLDesc, the use of the
+flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
+connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
+prior to calling qemuDomainFormatXML.  However, the use of
+VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
+clients only.  This patch treats the migratable flag as requiring
+the same permissions, rather than analyzing what might break if
+migratable xml no longer includes secret information.
+
+Fortunately, the information leak is low-risk: all that is gated
+by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
+but VNC passwords are already weak (FIPS forbids their use, and
+on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
+password sent in plaintext over the network deserves what they
+get).  SPICE offers better security than VNC, and all other
+secrets are properly protected by use of virSecret associations
+rather than direct output in domain XML.
+
+* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
+Tighten rules on use of migratable flag.
+* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
+
+Signed-off-by: Eric Blake <eblake at redhat.com>
+(cherry picked from commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b)
+
+Conflicts:
+	src/libvirt-domain.c - file split from older src/libvirt.c
+Signed-off-by: Eric Blake <eblake at redhat.com>
+---
+ src/libvirt.c                | 3 ++-
+ src/remote/remote_protocol.x | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libvirt.c b/src/libvirt.c
+index 245c373..a4e6745 100644
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -4369,7 +4369,8 @@ virDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
+     virCheckDomainReturn(domain, NULL);
+     conn = domain->conn;
+ 
+-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
++    if ((conn->flags & VIR_CONNECT_RO) &&
++        (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) {
+         virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+                        _("virDomainGetXMLDesc with secure flag"));
+         goto error;
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index db12cda..ebf4530 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -3255,6 +3255,7 @@ enum remote_procedure {
+      * @generate: both
+      * @acl: domain:read
+      * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
++     * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE
+      */
+     REMOTE_PROC_DOMAIN_GET_XML_DESC = 14,
+ 
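Review bot: In the src/libvirt.c hunk of the embedded patch, the denial path still reports "virDomainGetXMLDesc with secure flag" even when the call is rejected only because VIR_DOMAIN_XML_MIGRATABLE was set on a read-only connection, so a client that never passed VIR_DOMAIN_XML_SECURE gets a misleading error. Consider wording the message to cover both flags, or add a short comment above the check recording that the migratable flag implicitly enables secure output, which is the reason given in the commit message. The remote_protocol.x hunk adds the matching domain:read_secure ACL line for the same flag, so the two checks stay consistent.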
diff --git a/debian/patches/series b/debian/patches/series
index 26e296b..14dcfbe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ Skip-vircgrouptest.patch
 debian/Use-sensible-editor-as-fallback.patch
 debian/Debianize-virtlockd.patch
 qemu-use-systemd-s-TerminateMachine-to-kill-all-proc.patch
+security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libvirt.git


