[meta-virtualization] [thud][PATCH] libvirt: Security fix CVE-2019-3840
Armin Kuster
akuster808 at gmail.com
Fri May 31 22:14:52 PDT 2019
From: Armin Kuster <akuster at mvista.com>
Source: https://libvirt.org
MR: 97512
Type: Security Fix
Disposition: Backport from https://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=9ed175fbc2deecfdaeabca7bc77c7e7ae33a3377
ChangeID: 6c662c67dd3cf6e0eba493b7b619db35f2e07d93
Description:
Fixes CVE-2019-3840
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
.../libvirt/libvirt/CVE-2019-3840.patch | 39 ++++++++++++++++++++++
recipes-extended/libvirt/libvirt_4.7.0.bb | 1 +
2 files changed, 40 insertions(+)
create mode 100644 recipes-extended/libvirt/libvirt/CVE-2019-3840.patch
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-3840.patch b/recipes-extended/libvirt/libvirt/CVE-2019-3840.patch
new file mode 100644
index 0000000..8cca821
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2019-3840.patch
@@ -0,0 +1,39 @@
+From 9ed175fbc2deecfdaeabca7bc77c7e7ae33a3377 Mon Sep 17 00:00:00 2001
+From: John Ferlan <jferlan at redhat.com>
+Date: Fri, 7 Sep 2018 16:01:27 -0400
+Subject: [PATCH] qemu: Remove duplicated qemuAgentCheckError
+
+Commit 5b3492fadb moved qemuAgentCheckError calls into
+qemuAgentCommand for various reasons; however, subsequent
+commit 0977b8aa0 adding a new command made call again
+So let's just remove the duplicitous call from
+qemuAgentGetInterfaces.
+
+Signed-off-by: John Ferlan <jferlan at redhat.com>
+ACKed-by: Michal Privoznik <mprivozn at redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2019-3840
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ src/qemu/qemu_agent.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+Index: libvirt-4.7.0/src/qemu/qemu_agent.c
+===================================================================
+--- libvirt-4.7.0.orig/src/qemu/qemu_agent.c
++++ libvirt-4.7.0/src/qemu/qemu_agent.c
+@@ -1987,10 +1987,9 @@ qemuAgentGetInterfaces(qemuAgentPtr mon,
+ if (!(cmd = qemuAgentMakeCommand("guest-network-get-interfaces", NULL)))
+ goto cleanup;
+
+- if (qemuAgentCommand(mon, cmd, &reply, false, VIR_DOMAIN_QEMU_AGENT_COMMAND_BLOCK) < 0 ||
+- qemuAgentCheckError(cmd, reply) < 0) {
++ if (qemuAgentCommand(mon, cmd, &reply, false,
++ VIR_DOMAIN_QEMU_AGENT_COMMAND_BLOCK) < 0)
+ goto cleanup;
+- }
+
+ if (!(ret_array = virJSONValueObjectGet(reply, "return"))) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
diff --git a/recipes-extended/libvirt/libvirt_4.7.0.bb b/recipes-extended/libvirt/libvirt_4.7.0.bb
index 5136798..270dc72 100644
--- a/recipes-extended/libvirt/libvirt_4.7.0.bb
+++ b/recipes-extended/libvirt/libvirt_4.7.0.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
file://0001-ptest-Remove-Windows-1252-check-from-esxutilstest.patch \
file://configure.ac-search-for-rpc-rpc.h-in-the-sysroot.patch \
file://lxc_monitor-Avoid-AB-BA-lock-race.patch \
+ file://CVE-2019-3840.patch \
"
SRC_URI[libvirt.md5sum] = "38da6c33250dcbc0a6d68de5c758262b"
--
2.7.4
More information about the meta-virtualization
mailing list