[meta-virtualization] [thud][PATCH] libvirt: Security fix CVE-2019-3840
Bruce Ashfield
bruce.ashfield at gmail.com
Mon Jun 3 13:06:29 PDT 2019
merged to thud.
Bruce
On Sat, Jun 1, 2019 at 1:15 AM Armin Kuster <akuster808 at gmail.com> wrote:
>
> From: Armin Kuster <akuster at mvista.com>
>
> Source: https://libvirt.org
> MR: 97512
> Type: Security Fix
> Disposition: Backport from https://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=9ed175fbc2deecfdaeabca7bc77c7e7ae33a3377
> ChangeID: 6c662c67dd3cf6e0eba493b7b619db35f2e07d93
> Description:
>
> Fixes CVE-2019-3840
>
> Signed-off-by: Armin Kuster <akuster at mvista.com>
> ---
> .../libvirt/libvirt/CVE-2019-3840.patch | 39 ++++++++++++++++++++++
> recipes-extended/libvirt/libvirt_4.7.0.bb | 1 +
> 2 files changed, 40 insertions(+)
> create mode 100644 recipes-extended/libvirt/libvirt/CVE-2019-3840.patch
>
> diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-3840.patch b/recipes-extended/libvirt/libvirt/CVE-2019-3840.patch
> new file mode 100644
> index 0000000..8cca821
> --- /dev/null
> +++ b/recipes-extended/libvirt/libvirt/CVE-2019-3840.patch
> @@ -0,0 +1,39 @@
> +From 9ed175fbc2deecfdaeabca7bc77c7e7ae33a3377 Mon Sep 17 00:00:00 2001
> +From: John Ferlan <jferlan at redhat.com>
> +Date: Fri, 7 Sep 2018 16:01:27 -0400
> +Subject: [PATCH] qemu: Remove duplicated qemuAgentCheckError
> +
> +Commit 5b3492fadb moved qemuAgentCheckError calls into
> +qemuAgentCommand for various reasons; however, subsequent
> +commit 0977b8aa0 adding a new command made call again
> +So let's just remove the duplicitous call from
> +qemuAgentGetInterfaces.
> +
> +Signed-off-by: John Ferlan <jferlan at redhat.com>
> +ACKed-by: Michal Privoznik <mprivozn at redhat.com>
> +
> +Upstream-Status: Backport
> +CVE: CVE-2019-3840
> +Signed-off-by: Armin Kuster <akuster at mvista.com>
> +
> +---
> + src/qemu/qemu_agent.c | 5 ++---
> + 1 file changed, 2 insertions(+), 3 deletions(-)
> +
> +Index: libvirt-4.7.0/src/qemu/qemu_agent.c
> +===================================================================
> +--- libvirt-4.7.0.orig/src/qemu/qemu_agent.c
> ++++ libvirt-4.7.0/src/qemu/qemu_agent.c
> +@@ -1987,10 +1987,9 @@ qemuAgentGetInterfaces(qemuAgentPtr mon,
> + if (!(cmd = qemuAgentMakeCommand("guest-network-get-interfaces", NULL)))
> + goto cleanup;
> +
> +- if (qemuAgentCommand(mon, cmd, &reply, false, VIR_DOMAIN_QEMU_AGENT_COMMAND_BLOCK) < 0 ||
> +- qemuAgentCheckError(cmd, reply) < 0) {
> ++ if (qemuAgentCommand(mon, cmd, &reply, false,
> ++ VIR_DOMAIN_QEMU_AGENT_COMMAND_BLOCK) < 0)
> + goto cleanup;
> +- }
> +
> + if (!(ret_array = virJSONValueObjectGet(reply, "return"))) {
> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> diff --git a/recipes-extended/libvirt/libvirt_4.7.0.bb b/recipes-extended/libvirt/libvirt_4.7.0.bb
> index 5136798..270dc72 100644
> --- a/recipes-extended/libvirt/libvirt_4.7.0.bb
> +++ b/recipes-extended/libvirt/libvirt_4.7.0.bb
> @@ -36,6 +36,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
> file://0001-ptest-Remove-Windows-1252-check-from-esxutilstest.patch \
> file://configure.ac-search-for-rpc-rpc.h-in-the-sysroot.patch \
> file://lxc_monitor-Avoid-AB-BA-lock-race.patch \
> + file://CVE-2019-3840.patch \
> "
>
> SRC_URI[libvirt.md5sum] = "38da6c33250dcbc0a6d68de5c758262b"
> --
> 2.7.4
>
> --
> _______________________________________________
> meta-virtualization mailing list
> meta-virtualization at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/meta-virtualization
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
More information about the meta-virtualization
mailing list