[meta-virtualization] [warrior][PATCH] libvirt: Five security fixes

Armin Kuster akuster808 at gmail.com
Thu Sep 5 19:52:20 PDT 2019


From: Armin Kuster <akuster at mvista.com>

Affects <= 4.9.0

This effectively moves the sources to tip.
Fixes the following CVEs.

CVE-2019-10132
CVE-2019-10161
CVE-2019-10166
CVE-2019-10167
CVE-2019-10168

Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 .../libvirt/libvirt/CVE-2019-10132_p1.patch        |  63 +++++++++++++
 .../libvirt/libvirt/CVE-2019-10132_p2.patch        |  55 +++++++++++
 .../libvirt/libvirt/CVE-2019-10132_p3.patch        |  55 +++++++++++
 .../libvirt/libvirt/CVE-2019-10161.patch           | 101 +++++++++++++++++++++
 .../libvirt/libvirt/CVE-2019-10166.patch           |  43 +++++++++
 .../libvirt/libvirt/CVE-2019-10167.patch           |  41 +++++++++
 .../libvirt/libvirt/CVE-2019-10168.patch           |  49 ++++++++++
 recipes-extended/libvirt/libvirt_4.9.0.bb          |   7 ++
 8 files changed, 414 insertions(+)
 create mode 100644 recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch
 create mode 100644 recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch
 create mode 100644 recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch
 create mode 100644 recipes-extended/libvirt/libvirt/CVE-2019-10161.patch
 create mode 100644 recipes-extended/libvirt/libvirt/CVE-2019-10166.patch
 create mode 100644 recipes-extended/libvirt/libvirt/CVE-2019-10167.patch
 create mode 100644 recipes-extended/libvirt/libvirt/CVE-2019-10168.patch

diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch
new file mode 100644
index 0000000..1f958fa
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch
@@ -0,0 +1,63 @@
+From b0f788c2d3d9930015258a7df95dde80a498e657 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange at redhat.com>
+Date: Tue, 30 Apr 2019 17:26:13 +0100
+Subject: [PATCH 1/7] admin: reject clients unless their UID matches the
+ current UID
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The admin protocol RPC messages are only intended for use by the user
+running the daemon. As such they should not be allowed for any client
+UID that does not match the server UID.
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko <jtomko at redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
+(cherry picked from commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7)
+
+Upstream-Status: Backport
+CVE: CVE-2019-10132 patch #1
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c
+index b78ff90..9f25813 100644
+--- a/src/admin/admin_server_dispatch.c
++++ b/src/admin/admin_server_dispatch.c
+@@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
+                    void *opaque)
+ {
+     struct daemonAdmClientPrivate *priv;
++    uid_t clientuid;
++    gid_t clientgid;
++    pid_t clientpid;
++    unsigned long long timestamp;
++
++    if (virNetServerClientGetUNIXIdentity(client,
++                                          &clientuid,
++                                          &clientgid,
++                                          &clientpid,
++                                          &timestamp) < 0)
++        return NULL;
++
++    VIR_DEBUG("New client pid %lld uid %lld",
++              (long long)clientpid,
++              (long long)clientuid);
++
++    if (geteuid() != clientuid) {
++        virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
++                                 (long long)clientpid,
++                                 (long long)clientuid);
++        return NULL;
++    }
+ 
+     if (VIR_ALLOC(priv) < 0)
+         return NULL;
+-- 
+2.7.4
+
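Review bot: The hunk header still shows the signature as `remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,`, while the added code now passes `client` to `virNetServerClientGetUNIXIdentity()`, so the unused annotation looks stale. The signature line sits just above the hunk, so this is inferred from the header context; if that line is indeed unchanged, it should become `remoteAdmClientNew(virNetServerClientPtr client,`. A short comment above the `geteuid() != clientuid` check, such as `/* admin RPC is only for the user running the daemon: reject any other UID */`, would also keep the reason for the check next to the code. The function body continues past the end of the hunk.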
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch
new file mode 100644
index 0000000..2fffe14
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch
@@ -0,0 +1,55 @@
+From ea014c9fcf19539c75a7cb6926b14858426746a7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange at redhat.com>
+Date: Tue, 30 Apr 2019 16:51:37 +0100
+Subject: [PATCH 2/7] locking: restrict sockets to mode 0600
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virtlockd daemon's only intended client is the libvirtd daemon. As
+such it should never allow clients from other user accounts to connect.
+The code already enforces this and drops clients from other UIDs, but
+we can get earlier (and thus stronger) protection against DoS by setting
+the socket permissions to 0600
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko <jtomko at redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
+(cherry picked from commit f111e09468693909b1f067aa575efdafd9a262a1)
+
+Upstream-Status: Backport
+CVE: CVE-2019-10132 patch #2
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+---
+ src/locking/virtlockd-admin.socket.in | 1 +
+ src/locking/virtlockd.socket.in       | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in
+index 2a7500f..f674c49 100644
+--- a/src/locking/virtlockd-admin.socket.in
++++ b/src/locking/virtlockd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
+ Service=virtlockd.service
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in
+index 45e0f20..d701b27 100644
+--- a/src/locking/virtlockd.socket.in
++++ b/src/locking/virtlockd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+ 
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+-- 
+2.7.4
+
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch
new file mode 100644
index 0000000..0cb0005
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch
@@ -0,0 +1,55 @@
+From a474f18dceed61d562508980999e5f2d7445d683 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange at redhat.com>
+Date: Tue, 30 Apr 2019 17:27:41 +0100
+Subject: [PATCH 3/7] logging: restrict sockets to mode 0600
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virtlogd daemon's only intended client is the libvirtd daemon. As
+such it should never allow clients from other user accounts to connect.
+The code already enforces this and drops clients from other UIDs, but
+we can get earlier (and thus stronger) protection against DoS by setting
+the socket permissions to 0600
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko <jtomko at redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
+(cherry picked from commit e37bd65f9948c1185456b2cdaa3bd6e875af680f)
+
+Upstream-Status: Backport
+CVE: CVE-2019-10132 patch #3
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+---
+ src/logging/virtlogd-admin.socket.in | 1 +
+ src/logging/virtlogd.socket.in       | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in
+index 595e6c4..5c41dfe 100644
+--- a/src/logging/virtlogd-admin.socket.in
++++ b/src/logging/virtlogd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
+ Service=virtlogd.service
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in
+index 22b9360..ae48cda 100644
+--- a/src/logging/virtlogd.socket.in
++++ b/src/logging/virtlogd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+ 
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sockets.target
+-- 
+2.7.4
+
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch
new file mode 100644
index 0000000..72e69a8
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch
@@ -0,0 +1,101 @@
+From 568c735d7b0ccb55f9476c86f8603eb3a5c9fc5c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko at redhat.com>
+Date: Fri, 14 Jun 2019 08:47:42 +0200
+Subject: [PATCH 4/7] api: disallow virDomainSaveImageGetXMLDesc on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virDomainSaveImageGetXMLDesc API is taking a path parameter,
+which can point to any path on the system. This file will then be
+read and parsed by libvirtd running with root privileges.
+
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10161
+Reported-by: Matthias Gerstner <mgerstner at suse.de>
+Signed-off-by: Ján Tomko <jtomko at redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>
+(cherry picked from commit aed6a032cead4386472afb24b16196579e239580)
+Signed-off-by: Ján Tomko <jtomko at redhat.com>
+
+Conflicts:
+  src/libvirt-domain.c
+  src/remote/remote_protocol.x
+
+Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
+alias for VIR_DOMAIN_XML_SECURE is not backported.
+Just skip the commit since we now disallow the whole API on read-only
+connections, regardless of the flag.
+
+Signed-off-by: Ján Tomko <jtomko at redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2019-19161
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+---
+ src/libvirt-domain.c         | 11 ++---------
+ src/qemu/qemu_driver.c       |  2 +-
+ src/remote/remote_protocol.x |  3 +--
+ 3 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 7690339..c188239 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
+  * previously by virDomainSave() or virDomainSaveFlags().
+  *
+  * No security-sensitive data will be included unless @flags contains
+- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
+- * connections.  For this API, @flags should not contain either
+- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
++ * VIR_DOMAIN_XML_SECURE.
+  *
+  * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
+  * error.  The caller must free() the returned value.
+@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
+ 
+     virCheckConnectReturn(conn, NULL);
+     virCheckNonNullArgGoto(file, error);
+-
+-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+-        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+-                       _("virDomainSaveImageGetXMLDesc with secure flag"));
+-        goto error;
+-    }
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->domainSaveImageGetXMLDesc) {
+         char *ret;
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index a52e249..f7656e5 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -6798,7 +6798,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
+     if (fd < 0)
+         goto cleanup;
+ 
+-    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
++    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
+         goto cleanup;
+ 
+     ret = qemuDomainDefFormatXML(driver, def, flags);
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index 28c8feb..52b9233 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -5226,8 +5226,7 @@ enum remote_procedure {
+     /**
+      * @generate: both
+      * @priority: high
+-     * @acl: domain:read
+-     * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
++     * @acl: domain:write
+      */
+     REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
+ 
+-- 
+2.7.4
+
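Review bot: The `CVE:` tag in this patch header reads `CVE: CVE-2019-19161`, which matches neither the file name nor the `Fixes: CVE-2019-10161` line above it; it should be `CVE: CVE-2019-10161`. The same digit swap appears in CVE-2019-10166.patch (`CVE-2019-19166`), CVE-2019-10167.patch (`CVE-2019-19167`) and CVE-2019-10168.patch (`CVE-2019-19168`). Any tooling that reads this tag to decide which CVEs the recipe has patched would presumably record the wrong identifiers, so all four tags are worth correcting before the patch is merged.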
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch
new file mode 100644
index 0000000..6305ffd
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch
@@ -0,0 +1,43 @@
+From 0a744e15517d727c7f473fabe32ca6b0dbb7b7d1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko at redhat.com>
+Date: Fri, 14 Jun 2019 09:14:53 +0200
+Subject: [PATCH 5/7] api: disallow virDomainManagedSaveDefineXML on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virDomainManagedSaveDefineXML can be used to alter the domain's
+config used for managedsave or even execute arbitrary emulator binaries.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10166
+Reported-by: Matthias Gerstner <mgerstner at suse.de>
+Signed-off-by: Ján Tomko <jtomko at redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>
+(cherry picked from commit db0b78457f183e4c7ac45bc94de86044a1e2056a)
+Signed-off-by: Ján Tomko <jtomko at redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2019-19166
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index c188239..d8b64c0 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -9490,6 +9490,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml,
+ 
+     virCheckDomainReturn(domain, -1);
+     conn = domain->conn;
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->domainManagedSaveDefineXML) {
+         int ret;
+-- 
+2.7.4
+
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch
new file mode 100644
index 0000000..abca309
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch
@@ -0,0 +1,41 @@
+From 6452b9fdff7988024a6157ca0a973ac3abf54468 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko at redhat.com>
+Date: Fri, 14 Jun 2019 09:16:14 +0200
+Subject: [PATCH 6/7] api: disallow virConnectGetDomainCapabilities on
+ read-only connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This API can be used to execute arbitrary emulators.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10167
+Signed-off-by: Ján Tomko <jtomko at redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>
+(cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26)
+Signed-off-by: Ján Tomko <jtomko at redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2019-19167
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index d8b64c0..1e1c4e3 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -11282,6 +11282,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
+     virResetLastError();
+ 
+     virCheckConnectReturn(conn, NULL);
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectGetDomainCapabilities) {
+         char *ret;
+-- 
+2.7.4
+
diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch
new file mode 100644
index 0000000..2211238
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch
@@ -0,0 +1,49 @@
+From dd88b69a207c1ed6e89d7e9fa6b5f4a9ec4db97c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko at redhat.com>
+Date: Fri, 14 Jun 2019 09:17:39 +0200
+Subject: [PATCH 7/7] api: disallow virConnect*HypervisorCPU on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+These APIs can be used to execute arbitrary emulators.
+Forbid them on read-only connections.
+
+Fixes: CVE-2019-10168
+Signed-off-by: Ján Tomko <jtomko at redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>
+(cherry picked from commit bf6c2830b6c338b1f5699b095df36f374777b291)
+Signed-off-by: Ján Tomko <jtomko at redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2019-19168
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ src/libvirt-host.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libvirt-host.c b/src/libvirt-host.c
+index e20d6ee..2978825 100644
+--- a/src/libvirt-host.c
++++ b/src/libvirt-host.c
+@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn,
+ 
+     virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
+     virCheckNonNullArgGoto(xmlCPU, error);
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectCompareHypervisorCPU) {
+         int ret;
+@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn,
+ 
+     virCheckConnectReturn(conn, NULL);
+     virCheckNonNullArgGoto(xmlCPUs, error);
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectBaselineHypervisorCPU) {
+         char *cpu;
+-- 
+2.7.4
+
diff --git a/recipes-extended/libvirt/libvirt_4.9.0.bb b/recipes-extended/libvirt/libvirt_4.9.0.bb
index 813d95e..db5a4f9 100644
--- a/recipes-extended/libvirt/libvirt_4.9.0.bb
+++ b/recipes-extended/libvirt/libvirt_4.9.0.bb
@@ -36,6 +36,13 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
            file://0001-ptest-Remove-Windows-1252-check-from-esxutilstest.patch \
            file://configure.ac-search-for-rpc-rpc.h-in-the-sysroot.patch \
            file://hook_support.py \
+           file://CVE-2019-10132_p1.patch \
+           file://CVE-2019-10132_p2.patch \
+           file://CVE-2019-10132_p3.patch \
+           file://CVE-2019-10161.patch \
+           file://CVE-2019-10166.patch \
+           file://CVE-2019-10167.patch \ 
+           file://CVE-2019-10168.patch \
           "
 
 SRC_URI[libvirt.md5sum] = "aaf7b265ac2013d6eb184a86b5f7eeb9"
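Review bot: The added `file://CVE-2019-10167.patch \ ` entry has a trailing space after the continuation backslash, unlike the other six added entries. Whether or not the parser tolerates it, the line should end at the backslash, `           file://CVE-2019-10167.patch \`, so the continuation is unambiguous and consistent with its neighbours. The `SRC_URI` assignment starts above the hunk, so only its tail is visible here.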
-- 
2.7.4


