[Pkg-libvirt-commits] [libvirt] 01/02: CVE-2017-1000256: qemu: ensure TLS clients always verify the server certificate
Guido Guenther
agx at moszumanska.debian.org
Thu Oct 19 17:43:02 UTC 2017
This is an automated email from the git hooks/post-receive script.
agx pushed a commit to annotated tag debian/3.0.0-4+deb9u1
in repository libvirt.
commit 4417217e1bbc992a60b48a5ef0ded970b8e4ff9d
Author: Guido Günther <agx at sigxcpu.org>
Date: Mon Oct 16 22:46:43 2017 +0200
CVE-2017-1000256: qemu: ensure TLS clients always verify the server certificate
Closes: #878799
---
...clients-always-verify-the-server-certific.patch | 71 ++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 72 insertions(+)
diff --git a/debian/patches/security/qemu-ensure-TLS-clients-always-verify-the-server-certific.patch b/debian/patches/security/qemu-ensure-TLS-clients-always-verify-the-server-certific.patch
new file mode 100644
index 0000000..26b2327
--- /dev/null
+++ b/debian/patches/security/qemu-ensure-TLS-clients-always-verify-the-server-certific.patch
@@ -0,0 +1,71 @@
+From: "Daniel P. Berrange" <berrange at redhat.com>
+Date: Thu, 5 Oct 2017 17:54:28 +0100
+Subject: qemu: ensure TLS clients always verify the server certificate
+
+The default_tls_x509_verify (and related) parameters in qemu.conf
+control whether the QEMU TLS servers request & verify certificates
+from clients. This works as a simple access control system for
+servers by requiring the CA to issue certs to permitted clients.
+This use of client certificates is disabled by default, since it
+requires extra work to issue client certificates.
+
+Unfortunately the code was using this configuration parameter when
+setting up both TLS clients and servers in QEMU. The result was that
+TLS clients for character devices and disk devices had verification
+turned off, meaning they would ignore errors while validating the
+server certificate.
+
+This allows for trivial MITM attacks between client and server,
+as any certificate returned by the attacker will be accepted by
+the client.
+
+This is assigned CVE-2017-1000256 / LSN-2017-0002
+
+Reviewed-by: Eric Blake <eblake at redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
+(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157)
+---
+ src/qemu/qemu_command.c | 2 +-
+ tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +-
+ .../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index d459f8e..f2c18f1 100644
+--- a/src/qemu/qemu_command.c
++++ b/src/qemu/qemu_command.c
+@@ -729,7 +729,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
+ if (virJSONValueObjectCreate(propsret,
+ "s:dir", path,
+ "s:endpoint", (isListen ? "server": "client"),
+- "b:verify-peer", verifypeer,
++ "b:verify-peer", (isListen ? verifypeer : true),
+ NULL) < 0)
+ goto cleanup;
+
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+index b456cce..003d11d 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+@@ -26,7 +26,7 @@ server,nowait \
+ localport=1111 \
+ -device isa-serial,chardev=charserial0,id=serial0 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no \
++endpoint=client,verify-peer=yes \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+index 7f9fedb..a020ff0 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+@@ -31,7 +31,7 @@ localport=1111 \
+ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
diff --git a/debian/patches/series b/debian/patches/series
index accd2ed..64cdf94 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ debian/Debianize-virtlogd.patch
CVE-2017-2635-qemu-Don-t-update-physical-storage-size-of-.patch
apparmor-allow-usr-lib-qemu-qemu-bridge-helper.patch
qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch
+security/qemu-ensure-TLS-clients-always-verify-the-server-certific.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libvirt.git
More information about the Pkg-libvirt-commits
mailing list