[Pkg-libvirt-commits] [Git][libvirt-team/libvirt][debian/stretch] 3 commits: CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
Guido Günther
gitlab at salsa.debian.org
Wed Jun 12 09:34:29 BST 2019
Guido Günther pushed to branch debian/stretch at Libvirt Packaging Team / libvirt
Commits:
16bc38cf by Guido Günther at 2018-03-12T18:10:48Z
CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
- - - - -
4c9a1f4a by Guido Günther at 2018-03-12T18:11:44Z
CVE-2018-6764: virlog: determine the hostname on startup
- - - - -
4116b452 by Guido Günther at 2018-03-13T15:22:07Z
Document changes and release 3.0.0-4+deb9u3
- - - - -
4 changed files:
- debian/changelog
- + debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
- + debian/patches/security/CVE-2018-6764-virlog-determine-the-hostname-on-startup.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+libvirt (3.0.0-4+deb9u3) stretch-security; urgency=high
+
+ * gbp: switch branch to stretch
+ * CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
+ * CVE-2018-6764: virlog: determine the hostname on startup
+ (Closes: #889839)
+
+ -- Guido Günther <agx at sigxcpu.org> Mon, 12 Mar 2018 19:11:51 +0100
+
libvirt (3.0.0-4+deb9u2) stretch; urgency=medium
* CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
=====================================
debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
=====================================
@@ -0,0 +1,55 @@
+From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange at redhat.com>
+Date: Thu, 1 Mar 2018 14:55:26 +0000
+Subject: CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest
+ agent
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: base64
+
+V2UgcmVhZCBmcm9tIHRoZSBhZ2VudCB1bnRpbCBzZWVpbmcgYSBcclxuIHBhaXIgdG8gaW5kaWNh
+dGUgYSBjb21wbGV0ZWQKcmVwbHkgb3IgZXZlbnQuIFRvIGF2b2lkIG1lbW9yeSBkZW5pYWwtb2Yt
+c2VydmljZSB0aG91Z2gsIHdlIG11c3QgaGF2ZSBhCnNpemUgbGltaXQgb24gYW1vdW50IG9mIGRh
+dGEgd2UgYnVmZmVyLiAxMCBNQiBpcyBsYXJnZSBlbm91Z2ggdGhhdCBpdApvdWdodCB0byBjb3Bl
+IHdpdGggbm9ybWFsIGFnZW50IHJlcGxpZXMsIGFuZCBzbWFsbCBlbm91Z2ggdGhhdCB3ZSdyZSBu
+b3QKY29uc3VtaW5nIHVucmVhc29uYWJsZSBtZW0uCgpUaGlzIGlzIGlkZW50aWNhbCB0byB0aGUg
+ZmxhdyB3ZSBoYWQgcmVhZGluZyBmcm9tIHRoZSBRRU1VIG1vbml0b3IKYXMgQ1ZFLTIwMTgtNTc0
+OCwgc28gcmF0aGVyIGVtYmFycmFzc2luZyB0aGF0IHdlIGZvcmdvdCB0byBmaXgKdGhlIGFnZW50
+IGNvZGUgYXQgdGhlIHNhbWUgdGltZS4KClNpZ25lZC1vZmYtYnk6IERhbmllbCBQLiBCZXJyYW5n
+w6kgPGJlcnJhbmdlQHJlZGhhdC5jb20+Cg==
+---
+ src/qemu/qemu_agent.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c
+index 46cad53..da07bf2 100644
+--- a/src/qemu/qemu_agent.c
++++ b/src/qemu/qemu_agent.c
+@@ -53,6 +53,15 @@ VIR_LOG_INIT("qemu.qemu_agent");
+ #define DEBUG_IO 0
+ #define DEBUG_RAW_IO 0
+
++/* We read from QEMU until seeing a \r\n pair to indicate a
++ * completed reply or event. To avoid memory denial-of-service
++ * though, we must have a size limit on amount of data we
++ * buffer. 10 MB is large enough that it ought to cope with
++ * normal QEMU replies, and small enough that we're not
++ * consuming unreasonable mem.
++ */
++#define QEMU_AGENT_MAX_RESPONSE (10 * 1024 * 1024)
++
+ /* When you are the first to uncomment this,
+ * don't forget to uncomment the corresponding
+ * part in qemuAgentIOProcessEvent as well.
+@@ -535,6 +544,12 @@ qemuAgentIORead(qemuAgentPtr mon)
+ int ret = 0;
+
+ if (avail < 1024) {
++ if (mon->bufferLength >= QEMU_AGENT_MAX_RESPONSE) {
++ virReportSystemError(ERANGE,
++ _("No complete agent response found in %d bytes"),
++ QEMU_AGENT_MAX_RESPONSE);
++ return -1;
++ }
+ if (VIR_REALLOC_N(mon->buffer,
+ mon->bufferLength + 1024) < 0)
+ return -1;
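Review bot: The block comment introduced in the first hunk is carried over from the monitor fix and still speaks of `normal QEMU replies`, while QEMU_AGENT_MAX_RESPONSE bounds data read from the guest agent, which runs inside the guest; suggest `normal guest agent replies` and one extra line, `* The agent is guest-controlled, so this cap is the trust boundary.`, so the next reader knows why the limit exists. In the second hunk the check runs only before the realloc inside `if (avail < 1024)`, so the buffer can still grow by one 1024-byte step beyond QEMU_AGENT_MAX_RESPONSE before the error fires; that is harmless for a 10 MB cap, but a short comment such as `/* checked before growth, so bufferLength may exceed the cap by < 1024 */` would make the slack intentional rather than accidental. qemuAgentIORead's body starts and ends outside the hunk.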
=====================================
debian/patches/security/CVE-2018-6764-virlog-determine-the-hostname-on-startup.patch
=====================================
@@ -0,0 +1,90 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx at sigxcpu.org>
+Date: Mon, 12 Mar 2018 19:11:23 +0100
+Subject: CVE-2018-6764: virlog: determine the hostname on startup
+
+At later point it might not be possible or even safe to use getaddrinfo(). It
+can in turn result in a load of NSS module.
+
+(cherry picked from commit 759b4d1b0fe5f4d84d98b99153dfa7ac289dd167
+ cherry picked from commit 6ce3acc129bfdbe7fd02bcb8bbe8af6d13903684
+ cherry picked from commit c2dc6698c88fb591639e542c8ecb0076c54f3dfb)
+---
+ cfg.mk | 2 +-
+ src/util/virlog.c | 27 +++++++++++++++++++--------
+ 2 files changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/cfg.mk b/cfg.mk
+index 69e3f3a..e710a05 100644
+--- a/cfg.mk
++++ b/cfg.mk
+@@ -1144,7 +1144,7 @@ _src2=src/(util/vircommand|libvirt|lxc/lxc_controller|locking/lock_daemon|loggin
+ exclude_file_name_regexp--sc_prohibit_fork_wrappers = \
+ (^($(_src2)|tests/testutils|daemon/libvirtd)\.c$$)
+
+-exclude_file_name_regexp--sc_prohibit_gethostname = ^src/util/virutil\.c$$
++exclude_file_name_regexp--sc_prohibit_gethostname = ^src/util/vir(util|log)\.c$$
+
+ exclude_file_name_regexp--sc_prohibit_internal_functions = \
+ ^src/(util/(viralloc|virutil|virfile)\.[hc]|esx/esx_vi\.c)$$
+diff --git a/src/util/virlog.c b/src/util/virlog.c
+index 7b584f8..4e33d38 100644
+--- a/src/util/virlog.c
++++ b/src/util/virlog.c
+@@ -63,6 +63,7 @@
+ VIR_LOG_INIT("util.log");
+
+ static regex_t *virLogRegex;
++static char virLogHostname[HOST_NAME_MAX+1];
+
+
+ #define VIR_LOG_DATE_REGEX "[0-9]{4}-[0-9]{2}-[0-9]{2}"
+@@ -259,6 +260,8 @@ virLogPriorityString(virLogPriority lvl)
+ static int
+ virLogOnceInit(void)
+ {
++ int r;
++
+ if (virMutexInit(&virLogMutex) < 0)
+ return -1;
+
+@@ -270,6 +273,21 @@ virLogOnceInit(void)
+ VIR_FREE(virLogRegex);
+ }
+
++ /* We get and remember the hostname early, because at later time
++ * it might not be possible to load NSS modules via getaddrinfo()
++ * (e.g. at container startup the host filesystem will not be
++ * accessible anymore.
++ * Must not use virGetHostname though as that causes re-entrancy
++ * problems if it triggers logging codepaths
++ */
++ r = gethostname(virLogHostname, sizeof(virLogHostname));
++ if (r == -1) {
++ ignore_value(virStrcpy(virLogHostname,
++ "(unknown)", sizeof(virLogHostname)));
++ } else {
++ NUL_TERMINATE(virLogHostname);
++ }
++
+ virLogUnlock();
+ return 0;
+ }
+@@ -465,17 +483,10 @@ static int
+ virLogHostnameString(char **rawmsg,
+ char **msg)
+ {
+- char *hostname = virGetHostnameQuiet();
+ char *hoststr;
+
+- if (!hostname)
+- return -1;
+-
+- if (virAsprintfQuiet(&hoststr, "hostname: %s", hostname) < 0) {
+- VIR_FREE(hostname);
++ if (virAsprintfQuiet(&hoststr, "hostname: %s", virLogHostname) < 0)
+ return -1;
+- }
+- VIR_FREE(hostname);
+
+ if (virLogFormatString(msg, 0, NULL, VIR_LOG_INFO, hoststr) < 0) {
+ VIR_FREE(hoststr);
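Review bot: `static char virLogHostname[HOST_NAME_MAX+1];` in the first virlog.c hunk depends on HOST_NAME_MAX being defined, which POSIX leaves optional; the page does not show whether a gnulib <limits.h> replacement supplies it in this tree, so a guarded fallback (`#ifndef HOST_NAME_MAX` / `#define HOST_NAME_MAX 255` / `#endif`) would keep the backport from silently depending on that. The comment in the third hunk has an unclosed parenthesis: `* accessible anymore.` should read `* accessible anymore).`. The else branch calling NUL_TERMINATE deserves a why-comment, e.g. `/* gethostname() may truncate without NUL-terminating */`, since that is the only reason it is needed after a successful call. virLogHostnameString's body continues past the end of the last hunk.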
=====================================
debian/patches/series
=====================================
@@ -25,3 +25,5 @@ qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch
security/qemu-ensure-TLS-clients-always-verify-the-server-certific.patch
qemu-shared-disks-with-cache-directsync-should-be-safe-fo.patch
qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
+security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
+security/CVE-2018-6764-virlog-determine-the-hostname-on-startup.patch