[Pkg-libvirt-commits] [Git][libvirt-team/libvirt][debian/sid] 2 commits: CVE-2019-3886: Don't allow unprivileged users to use the guest agent
Guido Günther
gitlab at salsa.debian.org
Sun Apr 7 12:05:27 BST 2019
Guido Günther pushed to branch debian/sid at Libvirt Packaging Team / libvirt
Commits:
790365e4 by Guido Günther at 2019-04-07T10:36:03Z
CVE-2019-3886: Don't allow unprivileged users to use the guest agent
Apply upstream patches
remote-enforce-ACL-write-permission-for-getting-guest-tim.patch
api-disallow-virDomainGetHostname-for-read-only-connectio.patch
Closes: #926418
- - - - -
e8858268 by Guido Günther at 2019-04-07T10:52:21Z
Document changes and release 5.0.0-2
- - - - -
4 changed files:
- debian/changelog
- + debian/patches/api-disallow-virDomainGetHostname-for-read-only-connectio.patch
- + debian/patches/remote-enforce-ACL-write-permission-for-getting-guest-tim.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,34 @@
+libvirt (5.0.0-2) unstable; urgency=medium
+
+ [ Laurent Bigonville ]
+ * [76e2cb7] Don't recommend ebtables. It's part of the iptables package now.
+ (Closes: #918472)
+
+ [ intrigeri ]
+ * [d7a7218] Fix virtio-gpu + virgl support by cherry-picking upstream
+ commits virt-manager in current sid still creates new VMs with QXL
+ graphics by default, so this bug only affects users who opt in for
+ virtio-gpu 3D acceleration. Still, the option for virtio-gpu + 3D
+ acceleration is offered in the virt-manager GUI, so having it broken by
+ default is an important problem.
+ (Closes: #916587)
+
+ [ Christian Ehrhardt ]
+ * [3997186] d/libvirt-daemon-system.maintscript: remove obsolete conffile
+ /etc/logrotate.d/libvirtd.uml became obsolete since UML was dropped in
+ libvirt 5.0 (Closes: #920574)
+ * [c64d020] d/libvirt-daemon-system.libvirtd.default: clarify libvirtd_opts
+ example (Closes: #921713)
+
+ [ Guido Günther ]
+ * [790365e] CVE-2019-3886: Don't allow unprivileged users to use the guest
+ agent. Apply upstream patches
+ remote-enforce-ACL-write-permission-for-getting-guest-tim.patch
+ api-disallow-virDomainGetHostname-for-read-only-connectio.patch
+ (Closes: #926418)
+
+ -- Guido Günther <agx at sigxcpu.org> Sun, 07 Apr 2019 12:36:21 +0200
+
libvirt (5.0.0-1) unstable; urgency=medium
* [7346f30] New upstream version 5.0.0
=====================================
debian/patches/api-disallow-virDomainGetHostname-for-read-only-connectio.patch
=====================================
@@ -0,0 +1,30 @@
+From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange at redhat.com>
+Date: Wed, 3 Apr 2019 15:00:49 +0100
+Subject: api: disallow virDomainGetHostname for read-only connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+The virDomainGetHostname API is fetching guest information and this may
+involve use of an untrusted guest agent. As such its use must be
+forbidden on a read-only connection to libvirt.
+
+Fixes CVE-2019-3886
+Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
+---
+ src/libvirt-domain.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 75c9014..9aca54a 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -11028,6 +11028,8 @@ virDomainGetHostname(virDomainPtr domain, unsigned int flags)
+ virCheckDomainReturn(domain, NULL);
+ conn = domain->conn;
+
++ virCheckReadOnlyGoto(domain->conn->flags, error);
++
+ if (conn->driver->domainGetHostname) {
+ char *ret;
+ ret = conn->driver->domainGetHostname(domain, flags);
=====================================
debian/patches/remote-enforce-ACL-write-permission-for-getting-guest-tim.patch
=====================================
@@ -0,0 +1,40 @@
+From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange at redhat.com>
+Date: Wed, 3 Apr 2019 15:00:50 +0100
+Subject: remote: enforce ACL write permission for getting guest time &
+ hostname
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Getting the guest time and hostname both require use of guest agent
+commands. These must not be allowed for read-only users, so the
+permissions check must validate "write" permission not "read".
+
+Fixes CVE-2019-3886
+Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
+---
+ src/remote/remote_protocol.x | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index b9d26b1..1246df5 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -5505,7 +5505,7 @@ enum remote_procedure {
+
+ /**
+ * @generate: both
+- * @acl: domain:read
++ * @acl: domain:write
+ */
+ REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,
+
+@@ -5900,7 +5900,7 @@ enum remote_procedure {
+
+ /**
+ * @generate: none
+- * @acl: domain:read
++ * @acl: domain:write
+ */
+ REMOTE_PROC_DOMAIN_GET_TIME = 337,
+
=====================================
debian/patches/series
=====================================
@@ -19,3 +19,5 @@ security-aa-helper-allow-virt-aa-helper-to-read-dev-dri.patch
security-aa-helper-generate-more-rules-for-gl-devices.patch
security-aa-helper-nvidia-rules-for-gl-devices.patch
security-aa-helper-gl-devices-in-sysfs-at-arbitrary-depth.patch
+api-disallow-virDomainGetHostname-for-read-only-connectio.patch
+remote-enforce-ACL-write-permission-for-getting-guest-tim.patch
View it on GitLab: https://salsa.debian.org/libvirt-team/libvirt/compare/e6a409f48fb41f059f7a65981880d3ff9a856b17...e8858268c7c07fd7d28262bc5c39ac587ef428d7
--
View it on GitLab: https://salsa.debian.org/libvirt-team/libvirt/compare/e6a409f48fb41f059f7a65981880d3ff9a856b17...e8858268c7c07fd7d28262bc5c39ac587ef428d7
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-libvirt-commits/attachments/20190407/3a1febcd/attachment-0001.html>
More information about the Pkg-libvirt-commits
mailing list