[Pkg-libvirt-commits] [Git][libvirt-team/libvirt][debian/jessie-backports] 8 commits: CVE-2017-1000256: qemu: ensure TLS clients always verify the server certificate

Guido Günther gitlab at salsa.debian.org
Thu Mar 22 07:52:03 UTC 2018


Guido Günther pushed to branch debian/jessie-backports at Libvirt Packaging Team / libvirt


Commits:
4417217e by Guido Günther at 2017-10-16T22:51:30+02:00
CVE-2017-1000256: qemu: ensure TLS clients always verify the server certificate

Closes: #878799

- - - - -
4b53b1fd by Guido Günther at 2017-10-19T11:40:45+02:00
Document changes and release 3.0.0-4+deb9u1

- - - - -
a6888799 by Guido Günther at 2017-12-01T19:13:58+01:00
qemu: shared disks with cache=directsync should be safe for migration

Closes: #883208
Thanks: Carsten Burkhardt

- - - - -
37aa7f09 by Guido Günther at 2018-01-20T17:51:31+01:00
CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor

Closes: #887700

- - - - -
1fc27b65 by Guido Günther at 2018-01-20T18:24:07+01:00
Document changes and release 3.0.0-4+deb9u2

- - - - -
5a033cbf by Gaudenz Steinlin at 2018-03-19T09:07:31+01:00
Merge tag 'debian/3.0.0-4+deb9u2' into debian/jessie-backports

libvirt Debian release 3.0.0-4+deb9u2

- - - - -
009a88f5 by Gaudenz Steinlin at 2018-03-19T09:09:34+01:00
Update changelog for version 3.0.0-4+deb9u2~bpo8+1

- - - - -
b485486c by Guido Günther at 2018-03-22T07:51:53+00:00
Merge branch 'debian/jessie-backports' into 'debian/jessie-backports'

Update jessie backport to version currently in stretch

See merge request libvirt-team/libvirt!1
- - - - -


5 changed files:

- debian/changelog
- + debian/patches/qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
- + debian/patches/qemu-shared-disks-with-cache-directsync-should-be-safe-fo.patch
- + debian/patches/security/qemu-ensure-TLS-clients-always-verify-the-server-certific.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,25 @@
+libvirt (3.0.0-4+deb9u2~bpo8+1) jessie-backports; urgency=medium
+
+  * Rebuild for jessie-backports.
+
+ -- Gaudenz Steinlin <gaudenz at debian.org>  Mon, 19 Mar 2018 09:08:45 +0100
+
+libvirt (3.0.0-4+deb9u2) stretch; urgency=medium
+
+  * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
+    (Closes: #887700)
+  * qemu: shared disks with cache=directsync should be safe for migration.
+    Thanks to Carsten Burkhardt (Closes: #883208)
+
+ -- Guido Günther <agx at sigxcpu.org>  Sat, 20 Jan 2018 17:51:39 +0100
+
+libvirt (3.0.0-4+deb9u1) stretch-security; urgency=high
+
+  * CVE-2017-1000256: qemu: ensure TLS clients always verify the server
+    certificate (Closes: #878799)
+
+ -- Guido Günther <agx at sigxcpu.org>  Mon, 16 Oct 2017 22:48:55 +0200
+
 libvirt (3.0.0-4~bpo8+1) jessie-backports; urgency=medium
 
   * Rebuild for jessie-backports.
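Review bot: the new 3.0.0-4+deb9u2~bpo8+1 entry says only "Rebuild for jessie-backports", yet this backport is the first on the branch to carry the CVE-2017-1000256 and CVE-2018-5748 fixes listed in the deb9u1 and deb9u2 entries below it; consider restating that in the bpo entry (e.g. "Rebuild for jessie-backports, picking up the fixes for CVE-2017-1000256 and CVE-2018-5748") so users tracking the backport changelog see the security relevance without reading the stretch entries, and consider urgency=high for the same reason, matching the deb9u1 entry.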


=====================================
debian/patches/qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
=====================================
--- /dev/null
+++ b/debian/patches/qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
@@ -0,0 +1,49 @@
+From: "Daniel P. Berrange" <berrange at redhat.com>
+Date: Tue, 16 Jan 2018 17:00:11 +0000
+Subject: qemu: avoid denial of service reading from QEMU monitor
+ (CVE-2018-5748)
+
+We read from QEMU until seeing a \r\n pair to indicate a completed reply
+or event. To avoid memory denial-of-service though, we must have a size
+limit on amount of data we buffer. 10 MB is large enough that it ought
+to cope with normal QEMU replies, and small enough that we're not
+consuming unreasonable mem.
+
+Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
+---
+ src/qemu/qemu_monitor.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
+index 1610ae3..86ce2d1 100644
+--- a/src/qemu/qemu_monitor.c
++++ b/src/qemu/qemu_monitor.c
+@@ -55,6 +55,15 @@ VIR_LOG_INIT("qemu.qemu_monitor");
+ #define DEBUG_IO 0
+ #define DEBUG_RAW_IO 0
+ 
++/* We read from QEMU until seeing a \r\n pair to indicate a
++ * completed reply or event. To avoid memory denial-of-service
++ * though, we must have a size limit on amount of data we
++ * buffer. 10 MB is large enough that it ought to cope with
++ * normal QEMU replies, and small enough that we're not
++ * consuming unreasonable mem.
++ */
++#define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024)
++
+ struct _qemuMonitor {
+     virObjectLockable parent;
+ 
+@@ -565,6 +574,12 @@ qemuMonitorIORead(qemuMonitorPtr mon)
+     int ret = 0;
+ 
+     if (avail < 1024) {
++        if (mon->bufferLength >= QEMU_MONITOR_MAX_RESPONSE) {
++            virReportSystemError(ERANGE,
++                                 _("No complete monitor response found in %d bytes"),
++                                 QEMU_MONITOR_MAX_RESPONSE);
++            return -1;
++        }
+         if (VIR_REALLOC_N(mon->buffer,
+                           mon->bufferLength + 1024) < 0)
+             return -1;
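Review bot: the patch file has no DEP-3 provenance header, unlike the TLS patch in this series which carries a "(cherry picked from commit ...)" line; add an Origin: line pointing at the upstream commit and a Bug-Debian: line for #887700 (the bug number is already cited in the changelog) so the patch can be tracked against upstream. On the logic: the new limit check only runs inside the `if (avail < 1024)` branch, which is sufficient because bufferLength can only grow past the limit through that realloc, but a short comment saying so would save the next reader from wondering whether the check is skipped when space is available.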


=====================================
debian/patches/qemu-shared-disks-with-cache-directsync-should-be-safe-fo.patch
=====================================
--- /dev/null
+++ b/debian/patches/qemu-shared-disks-with-cache-directsync-should-be-safe-fo.patch
@@ -0,0 +1,41 @@
+From: Hao Peng <peng.hao2 at zte.com.cn>
+Date: Sat, 15 Jul 2017 23:01:25 +0800
+Subject: qemu: shared disks with cache=directsync should be safe for
+ migration
+
+At present shared disks can be migrated with either readonly or cache=none. But
+cache=directsync should be safe for migration, because both cache=directsync and cache=none
+don't use the host page cache, and cache=direct write through qemu block layer cache.
+
+Signed-off-by: Peng Hao <peng.hao2 at zte.com.cn>
+Reviewed-by: Wang Yechao <wang.yechao255 at zte.com.cn>
+---
+ src/qemu/qemu_migration.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
+index 0f4a6cf..dba5897 100644
+--- a/src/qemu/qemu_migration.c
++++ b/src/qemu/qemu_migration.c
+@@ -2375,9 +2375,10 @@ qemuMigrationIsSafe(virDomainDefPtr def,
+         const char *src = virDomainDiskGetSource(disk);
+ 
+         /* Our code elsewhere guarantees shared disks are either readonly (in
+-         * which case cache mode doesn't matter) or used with cache=none */
++         * which case cache mode doesn't matter) or used with cache=none or used with cache=directsync */
+         if (qemuMigrateDisk(disk, nmigrate_disks, migrate_disks) &&
+-            disk->cachemode != VIR_DOMAIN_DISK_CACHE_DISABLE) {
++            disk->cachemode != VIR_DOMAIN_DISK_CACHE_DISABLE &&
++            disk->cachemode != VIR_DOMAIN_DISK_CACHE_DIRECTSYNC) {
+             int rc;
+ 
+             if (virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_FILE) {
+@@ -2396,7 +2397,7 @@ qemuMigrationIsSafe(virDomainDefPtr def,
+ 
+             virReportError(VIR_ERR_MIGRATE_UNSAFE, "%s",
+                            _("Migration may lead to data corruption if disks"
+-                             " use cache != none"));
++                             " use cache != none or cache != directsync"));
+             return false;
+         }
+     }
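Review bot: the new error text "use cache != none or cache != directsync" is logically always true and does not describe the rejected condition (cache mode is neither none nor directsync); suggest "use cache other than none or directsync". The rewritten comment line "* which case cache mode doesn't matter) or used with cache=none or used with cache=directsync */" also runs well past 80 columns and should be wrapped. Minor: the description says "cache=direct write through qemu block layer cache" where cache=directsync is meant.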


=====================================
debian/patches/security/qemu-ensure-TLS-clients-always-verify-the-server-certific.patch
=====================================
--- /dev/null
+++ b/debian/patches/security/qemu-ensure-TLS-clients-always-verify-the-server-certific.patch
@@ -0,0 +1,71 @@
+From: "Daniel P. Berrange" <berrange at redhat.com>
+Date: Thu, 5 Oct 2017 17:54:28 +0100
+Subject: qemu: ensure TLS clients always verify the server certificate
+
+The default_tls_x509_verify (and related) parameters in qemu.conf
+control whether the QEMU TLS servers request & verify certificates
+from clients. This works as a simple access control system for
+servers by requiring the CA to issue certs to permitted clients.
+This use of client certificates is disabled by default, since it
+requires extra work to issue client certificates.
+
+Unfortunately the code was using this configuration parameter when
+setting up both TLS clients and servers in QEMU. The result was that
+TLS clients for character devices and disk devices had verification
+turned off, meaning they would ignore errors while validating the
+server certificate.
+
+This allows for trivial MITM attacks between client and server,
+as any certificate returned by the attacker will be accepted by
+the client.
+
+This is assigned CVE-2017-1000256  / LSN-2017-0002
+
+Reviewed-by: Eric Blake <eblake at redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
+(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157)
+---
+ src/qemu/qemu_command.c                                                 | 2 +-
+ tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args     | 2 +-
+ .../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args                 | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index d459f8e..f2c18f1 100644
+--- a/src/qemu/qemu_command.c
++++ b/src/qemu/qemu_command.c
+@@ -729,7 +729,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
+     if (virJSONValueObjectCreate(propsret,
+                                  "s:dir", path,
+                                  "s:endpoint", (isListen ? "server": "client"),
+-                                 "b:verify-peer", verifypeer,
++                                 "b:verify-peer", (isListen ? verifypeer : true),
+                                  NULL) < 0)
+         goto cleanup;
+ 
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+index b456cce..003d11d 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+@@ -26,7 +26,7 @@ server,nowait \
+ localport=1111 \
+ -device isa-serial,chardev=charserial0,id=serial0 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no \
++endpoint=client,verify-peer=yes \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+index 7f9fedb..a020ff0 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+@@ -31,7 +31,7 @@ localport=1111 \
+ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
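Review bot: the description says the bug affected TLS clients for both character devices and disk devices, but only the two chardev .args test expectations are updated; if a qemuxml2argv test covers a disk (block device) TLS client, its expected verify-peer=yes should be updated in the same patch, and if none exists that gap is worth noting. With the `(isListen ? verifypeer : true)` change the `verifypeer` parameter of qemuBuildTLSx509BackendProps is now only honoured for the server endpoint; a comment on the parameter stating that client endpoints always verify would document the intent for callers.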


=====================================
debian/patches/series
=====================================
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,6 @@ debian/Debianize-virtlogd.patch
 CVE-2017-2635-qemu-Don-t-update-physical-storage-size-of-.patch
 apparmor-allow-usr-lib-qemu-qemu-bridge-helper.patch
 qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch
+security/qemu-ensure-TLS-clients-always-verify-the-server-certific.patch
+qemu-shared-disks-with-cache-directsync-should-be-safe-fo.patch
+qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
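Review bot: the CVE-2018-5748 patch is added at the top level while the CVE-2017-1000256 patch lives under security/; for consistency, and so security fixes are easy to audit in the series file, consider placing qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch under security/ as well (the filename can then also keep the full "CVE-2018-5748" suffix instead of the truncated "-CV").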



View it on GitLab: https://salsa.debian.org/libvirt-team/libvirt/compare/0647ed98085a427a34ae421ef80c1247749376f9...b485486c8be18d1180d21505f781417ad1f0e348


