[Pkg-libvirt-commits] [Git][libvirt-team/libvirt][debian/sid] 3 commits: Fix multiple CVEs related to privilege escalations on R/O connections
Guido Günther
gitlab at salsa.debian.org
Fri Jun 21 14:20:10 BST 2019
Guido Günther pushed to branch debian/sid at Libvirt Packaging Team / libvirt
Commits:
0fdc2afd by Guido Günther at 2019-06-17T16:39:29Z
Fix multiple CVEs related to privilege escalations on R/O connections
CVE-2019-10161: CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
CVE-2019-10166: api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
CVE-2019-10167: api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
CVE-2019-10168: api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
- - - - -
a7f17df1 by Guido Günther at 2019-06-18T16:19:20Z
Include /etc/pki/qemu in apparmor
Closes: #930100
- - - - -
c25df30b by Guido Günther at 2019-06-18T16:19:20Z
Document changes and release 5.0.0-4
- - - - -
7 changed files:
- debian/changelog
- + debian/patches/Include-etc-pki-qemu-in-apparmor.patch
- + debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
- + debian/patches/security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
- + debian/patches/security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
- + debian/patches/security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,19 @@
+libvirt (5.0.0-4) unstable; urgency=medium
+
+ * [0fdc2af] Fix multiple CVEs related to privilege escalations on R/O
+ connections.
+ - CVE-2019-10161:
+ CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
+ - CVE-2019-10166:
+ api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
+ - CVE-2019-10167:
+ api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
+ - CVE-2019-10168:
+ api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
+ * Include /etc/pki/qemu in apparmor (Closes: #930100)
+
+ -- Guido Günther <agx at sigxcpu.org> Mon, 17 Jun 2019 19:05:40 +0200
+
libvirt (5.0.0-3) unstable; urgency=medium
[ Guido Günther ]
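Review bot: urgency=medium on the 5.0.0-4 header looks low for an upload whose first item fixes four CVEs described as privilege escalations on R/O connections; consider urgency=high so the fix migrates faster. The trailer is also dated Mon, 17 Jun 2019 19:05:40 +0200, which is earlier than the 18 Jun 2019 date on the apparmor patch listed in the same entry, so refresh the timestamp when the release is finalized.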
=====================================
debian/patches/Include-etc-pki-qemu-in-apparmor.patch
=====================================
@@ -0,0 +1,26 @@
+From: Sam Hartman <hartmans at debian.org>
+Date: Tue, 18 Jun 2019 09:02:09 -0400
+Subject: Include /etc/pki/qemu in apparmor
+
+We already permit /etc/pki/libvirt-{spice,vnc} to be read in the
+apparmor profile. However the default tls directory in qemu.conf that
+we ship is /etc/pki/qemu. So permit that as well.
+
+Closes: #930100
+---
+ src/security/apparmor/libvirt-qemu | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
+index eaa5167..0659cda 100644
+--- a/src/security/apparmor/libvirt-qemu
++++ b/src/security/apparmor/libvirt-qemu
+@@ -93,6 +93,8 @@
+ /etc/pki/CA/* r,
+ /etc/pki/libvirt{,-spice,-vnc}/ r,
+ /etc/pki/libvirt{,-spice,-vnc}/** r,
++ /etc/pki/qemu/ r,
++ /etc/pki/qemu/** r,
+
+ # the various binaries
+ /usr/bin/kvm rmix,
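Review bot: the two new rules hard-code /etc/pki/qemu, which the commit message justifies only as the default TLS directory in the shipped qemu.conf; a host that points that setting elsewhere will still be denied by the profile. Add a comment above these lines tying them to the qemu.conf default and pointing administrators at a local override for other paths. The patch header also has no Forwarded field, so it is not clear whether this change was sent upstream or is meant to stay Debian-only.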
=====================================
debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
=====================================
@@ -0,0 +1,79 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx at sigxcpu.org>
+Date: Mon, 17 Jun 2019 18:20:15 +0200
+Subject: CVE-2019-10161: api: disallow virDomainSaveImageGetXMLDesc on
+ read-only connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+This is a backport of
+
+The virDomainSaveImageGetXMLDesc API is taking a path parameter,
+which can point to any path on the system. This file will then be
+read and parsed by libvirtd running with root privileges.
+
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10161
+Reported-by: Matthias Gerstner <mgerstner at suse.de>
+Signed-off-by: Ján Tomko <jtomko at redhat.com>
+---
+ src/libvirt-domain.c | 9 ++-------
+ src/qemu/qemu_driver.c | 2 +-
+ src/remote/remote_protocol.x | 3 +--
+ 3 files changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 9aca54a..6a5fff9 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
+ * previously by virDomainSave() or virDomainSaveFlags().
+ *
+ * No security-sensitive data will be included unless @flags contains
+- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
+- * connections. For this API, @flags should not contain either
++ * VIR_DOMAIN_XML_SECURE; For this API, @flags should not contain either
+ * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
+ *
+ * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
+@@ -1092,11 +1091,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
+ virCheckConnectReturn(conn, NULL);
+ virCheckNonNullArgGoto(file, error);
+
+- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+- virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+- _("virDomainSaveImageGetXMLDesc with secure flag"));
+- goto error;
+- }
++ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (conn->driver->domainSaveImageGetXMLDesc) {
+ char *ret;
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 1d96170..fb417ad 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -7084,7 +7084,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
+ if (fd < 0)
+ goto cleanup;
+
+- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
++ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
+ goto cleanup;
+
+ ret = qemuDomainDefFormatXML(driver, def, flags);
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index 1246df5..5cfb8b6 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -5234,8 +5234,7 @@ enum remote_procedure {
+ /**
+ * @generate: both
+ * @priority: high
+- * @acl: domain:read
+- * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
++ * @acl: domain:write
+ */
+ REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
+
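Review bot: in the first src/libvirt-domain.c hunk the doc comment loses "this flag is rejected on read-only connections" and gains nothing in its place, so the API documentation no longer tells callers that virDomainSaveImageGetXMLDesc is now refused outright on read-only connections. Add a sentence saying so, and fix the leftover "VIR_DOMAIN_XML_SECURE; For this API" (semicolon followed by a capital). The patch description reads "This is a backport of" with no commit reference after it; add the upstream commit id so the backport can be audited against its source. The remote_protocol.x change from domain:read to domain:write also changes who may call this procedure under fine-grained ACLs, which deserves a line in the message.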
=====================================
debian/patches/security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
=====================================
@@ -0,0 +1,36 @@
+From: =?utf-8?q?J=C3=A1n_Tomko?= <jtomko at redhat.com>
+Date: Fri, 14 Jun 2019 10:37:34 +0200
+Subject: api: disallow virConnect*HypervisorCPU on read-only connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+These APIs can be used to execute arbitrary emulators.
+Forbid them on read-only connections.
+
+Fixes: CVE-2019-10168
+Signed-off-by: Ján Tomko <jtomko at redhat.com>
+---
+ src/libvirt-host.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libvirt-host.c b/src/libvirt-host.c
+index e20d6ee..2978825 100644
+--- a/src/libvirt-host.c
++++ b/src/libvirt-host.c
+@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn,
+
+ virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
+ virCheckNonNullArgGoto(xmlCPU, error);
++ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (conn->driver->connectCompareHypervisorCPU) {
+ int ret;
+@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn,
+
+ virCheckConnectReturn(conn, NULL);
+ virCheckNonNullArgGoto(xmlCPUs, error);
++ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (conn->driver->connectBaselineHypervisorCPU) {
+ char *cpu;
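Review bot: in both virConnectCompareHypervisorCPU and virConnectBaselineHypervisorCPU the virCheckReadOnlyGoto call sits after virCheckNonNullArgGoto, so a read-only client that passes a NULL xmlCPU or xmlCPUs is answered by the null-argument check rather than the read-only denial. That is harmless, but placing the read-only check directly after virCheckConnectReturn, as the virConnectGetDomainCapabilities patch does, keeps the authorization decision ahead of argument validation and makes the entry points uniform. The message says these APIs "can be used to execute arbitrary emulators" without naming the parameter responsible; one sentence on that would help anyone auditing similar entry points.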
=====================================
debian/patches/security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
=====================================
@@ -0,0 +1,29 @@
+From: =?utf-8?q?J=C3=A1n_Tomko?= <jtomko at redhat.com>
+Date: Fri, 14 Jun 2019 10:37:33 +0200
+Subject: api: disallow virConnectGetDomainCapabilities on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+This API can be used to execute arbitrary emulators.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10167
+Signed-off-by: Ján Tomko <jtomko at redhat.com>
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 3d198d2..9b10790 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -11361,6 +11361,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
+ virResetLastError();
+
+ virCheckConnectReturn(conn, NULL);
++ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (conn->driver->connectGetDomainCapabilities) {
+ char *ret;
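Review bot: the diffstat shows a single inserted line in src/libvirt-domain.c, so the doc comment of virConnectGetDomainCapabilities is left untouched and does not mention that the call now fails on read-only connections. Add that to the function documentation so client authors see the restriction without reading the source.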
=====================================
debian/patches/security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
=====================================
@@ -0,0 +1,30 @@
+From: =?utf-8?q?J=C3=A1n_Tomko?= <jtomko at redhat.com>
+Date: Fri, 14 Jun 2019 10:37:32 +0200
+Subject: api: disallow virDomainManagedSaveDefineXML on read-only connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+The virDomainManagedSaveDefineXML can be used to alter the domain's
+config used for managedsave or even execute arbitrary emulator binaries.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10166
+Reported-by: Matthias Gerstner <mgerstner at suse.de>
+Signed-off-by: Ján Tomko <jtomko at redhat.com>
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 6a5fff9..3d198d2 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -9567,6 +9567,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml,
+
+ virCheckDomainReturn(domain, -1);
+ conn = domain->conn;
++ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (conn->driver->domainManagedSaveDefineXML) {
+ int ret;
=====================================
debian/patches/series
=====================================
@@ -29,3 +29,8 @@ security/cpu_map-Define-md-clear-CPUID-bit.patch
security/admin-reject-clients-unless-their-UID-matches-the-current.patch
security/locking-restrict-sockets-to-mode-0600.patch
security/logging-restrict-sockets-to-mode-0600.patch
+security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
+security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
+security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
+security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
+Include-etc-pki-qemu-in-apparmor.patch
View it on GitLab: https://salsa.debian.org/libvirt-team/libvirt/compare/8d78b96fa5328ac5ac7829476d9f444ee8aec779...c25df30b057d3633f54e0f4935ab1d4116ff457f