
Bug#817015: marked as done (jessie-pu: package libvirt/1.2.9-9+deb8u1)



Your message dated Sat, 02 Apr 2016 14:20:04 +0100
with message-id <1459603204.2441.216.camel@adam-barratt.org.uk>
and subject line Fix included in stable
has caused the Debian Bug report #817015,
regarding jessie-pu: package libvirt/1.2.9-9+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
817015: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817015
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Guido asked me to prepare an update for libvirt:
- CVE-2015-5313 is marked 'no-dsa', but should be fixed anyway (#808273)
  Salvatore Bonaccorso (security team) asked me to prepare an update via
  jessie-proposed-updates.
- the SUID bridge-helper is searched in /usr/libexec/, while it really is
  in /usr/lib/qemu/ (#816602)
While preparing the update I noticed that it FTBFS in my pbuilder
environment, requiring 3 more fixes.

I'm running the binary on my amd64 system without problems: The CVE is
fixed and bridging works again.

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (90, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

From fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326 Mon Sep 17 00:00:00 2001
Message-Id: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.hahn@univention.de>
From: Philipp Hahn <hahn@univention.de>
Date: Fri, 4 Mar 2016 11:57:52 +0100
Subject: [PATCH 1/6] Fix CVE-2015-5313
Organization: Univention GmbH, Bremen, Germany

Patches cherry-picked from upstream

Closes: #808273
---
 ...13-storage-don-t-allow-in-filesystem-volu.patch | 72 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 73 insertions(+)
 create mode 100644 debian/patches/security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch

diff --git a/debian/patches/security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch b/debian/patches/security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch
new file mode 100644
index 0000000..90e9610
--- /dev/null
+++ b/debian/patches/security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch
@@ -0,0 +1,72 @@
+From 034e47c338b13a95cf02106a3af912c1c5f818d7 Mon Sep 17 00:00:00 2001
+Message-Id: <034e47c338b13a95cf02106a3af912c1c5f818d7.1457088964.git.hahn@univention.de>
+From: Eric Blake <eblake@redhat.com>
+Date: Tue, 8 Dec 2015 17:46:31 -0700
+Subject: [PATCH] CVE-2015-5313: storage: don't allow '/' in filesystem volume
+ names
+Organization: Univention GmbH, Bremen, Germany
+To: libvir-list@redhat.com
+
+The libvirt file system storage driver determines what file to
+act on by concatenating the pool location with the volume name.
+If a user is able to pick names like "../../../etc/passwd", then
+they can escape the bounds of the pool.  For that matter,
+virStoragePoolListVolumes() doesn't descend into subdirectories,
+so a user really shouldn't use a name with a slash.
+
+Normally, only privileged users can coerce libvirt into creating
+or opening existing files using the virStorageVol APIs; and such
+users already have full privilege to create any domain XML (so it
+is not an escalation of privilege).  But in the case of
+fine-grained ACLs, it is feasible that a user can be granted
+storage_vol:create but not domain:write, and it violates
+assumptions if such a user can abuse libvirt to access files
+outside of the storage pool.
+
+Therefore, prevent all use of volume names that contain "/",
+whether or not such a name is actually attempting to escape the
+pool.
+
+This changes things from:
+
+$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
+Vol ../../../../../../etc/haha created
+$ rm /etc/haha
+
+to:
+
+$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
+error: Failed to create vol ../../../../../../etc/haha
+error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/'
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+---
+ src/storage/storage_backend_fs.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/src/storage/storage_backend_fs.c
++++ b/src/storage/storage_backend_fs.c
+@@ -1,7 +1,7 @@
+ /*
+  * storage_backend_fs.c: storage backend for FS and directory handling
+  *
+- * Copyright (C) 2007-2014 Red Hat, Inc.
++ * Copyright (C) 2007-2015 Red Hat, Inc.
+  * Copyright (C) 2007-2008 Daniel P. Berrange
+  *
+  * This library is free software; you can redistribute it and/or
+@@ -1005,6 +1005,14 @@ virStorageBackendFileSystemVolCreate(vir
+ 
+     vol->type = VIR_STORAGE_VOL_FILE;
+ 
++    /* Volumes within a directory pools are not recursive; do not
++     * allow escape to ../ or a subdir */
++    if (strchr(vol->name, '/')) {
++        virReportError(VIR_ERR_OPERATION_INVALID,
++                       _("volume name '%s' cannot contain '/'"), vol->name);
++        return -1;
++    }
++
+     VIR_FREE(vol->target.path);
+     if (virAsprintf(&vol->target.path, "%s/%s",
+                     pool->def->target.path,
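Review bot: In the virStorageBackendFileSystemVolCreate hunk the new strchr(vol->name, '/') test guards only the create path, while the commit message promises to "prevent all use of volume names that contain '/'" and also names opening existing files; please confirm that the other virStorageVol entry points that build a path from pool->def->target.path and the volume name either pass through this function or carry the same check. The test also lets the names "." and ".." through, since neither contains a slash, so the description should say whether those are rejected elsewhere. Two smaller points: the added comment reads "a directory pools", and the embedded patch header carries an "Organization: Univention GmbH" line under Eric Blake's From line but no upstream commit reference, although the outer message says the patch is cherry-picked from upstream; an Origin line naming the upstream commit would make that verifiable.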
diff --git a/debian/patches/series b/debian/patches/series
index bac1f34..69667f6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -31,3 +31,4 @@ upstream/Teach-virt-aa-helper-to-use-TEMPLATE.qemu-if-the-dom.patch
 Allow-access-to-libnl-3-config-files.patch
 Fix-crash-on-live-migration.patch
 upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
+security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch
-- 
2.1.4


From 8d6c7c6c781f794f9cfb8fa10be5aa74eeaedbf5 Mon Sep 17 00:00:00 2001
Message-Id: <8d6c7c6c781f794f9cfb8fa10be5aa74eeaedbf5.1457180803.git.hahn@univention.de>
In-Reply-To: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.hahn@univention.de>
References: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.hahn@univention.de>
From: Philipp Hahn <hahn@univention.de>
Date: Fri, 4 Mar 2016 13:39:49 +0100
Subject: [PATCH 2/6] FTBFS: automake-1.13 missing
Organization: Univention GmbH, Bremen, Germany

> dh_auto_build -O--builddirectory=.../debian/build -O--parallel
...
>  cd ../.. && /bin/bash .../build-aux/missing automake-1.13 --gnu
> .../build-aux/missing: line 81: automake-1.13: command not found

Run autoreconf through dh-autoreconf
---
 debian/control | 1 +
 debian/rules   | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index 8b9cd9b..c8cbfe9 100644
--- a/debian/control
+++ b/debian/control
@@ -5,6 +5,7 @@ Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.deb
 Uploaders: Guido Günther <agx@sigxcpu.org>, Laurent Léonard <laurent@open-minds.org>
 Build-Depends:
  debhelper (>= 7),
+ dh-autoreconf,
  dh-systemd (>= 1.18~),
  libxml2-dev,
  libncurses5-dev,
diff --git a/debian/rules b/debian/rules
index 6812719..a9ca414 100755
--- a/debian/rules
+++ b/debian/rules
@@ -123,7 +123,7 @@ LOGROTATE = $(basename $(basename $(notdir $(wildcard daemon/libvirtd*.logrotate
 EXAMPLES_DIR = $(CURDIR)/debian/libvirt-doc/usr/share/doc/libvirt-doc/examples/
 
 %:
-	dh $@ --builddirectory=$(DEB_BUILDDIR) --parallel
+	dh $@ --builddirectory=$(DEB_BUILDDIR) --parallel --with autoreconf
 
 override_dh_auto_configure:
 	dh_auto_configure -- $(DEB_CONFIGURE_EXTRA_ARGS)
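Review bot: Appending "--with autoreconf" to the catch-all dh rule regenerates the whole build system for a stable update, which is a wider change than the log excerpt in the commit message justifies: the excerpt shows build-aux/missing trying to run automake-1.13, but not which patched file made the shipped build files stale. Please name that file in the message, and check whether the new dh-autoreconf entry in the Build-Depends of debian/control needs a version constraint for jessie.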
-- 
2.1.4


From 6070bbf438f9bad1acda428a1fa982ad99e35db1 Mon Sep 17 00:00:00 2001
Message-Id: <6070bbf438f9bad1acda428a1fa982ad99e35db1.1457180803.git.hahn@univention.de>
In-Reply-To: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.hahn@univention.de>
References: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.hahn@univention.de>
From: Philipp Hahn <hahn@univention.de>
Date: Fri, 4 Mar 2016 14:32:52 +0100
Subject: [PATCH 3/6] FTBFS: Disable failing virnetsockettest
Organization: Univention GmbH, Bremen, Germany

> gcc ../../../tests/virnetsockettest.c
> ../../../tests/virnetsockettest.c:336:12: error: 'testSocketCommandNormal' defined but not used [-Werror=unused-function]
>  static int testSocketCommandNormal(const void *data ATTRIBUTE_UNUSED)
>             ^
> ../../../tests/virnetsockettest.c:364:12: error: 'testSocketCommandFail' defined but not used [-Werror=unused-function]
>  static int testSocketCommandFail(const void *data ATTRIBUTE_UNUSED)
>             ^
> cc1: all warnings being treated as errors

Use "#if 0" also for those two function definitions.
---
 .../patches/Disable-failing-virnetsockettest.patch   | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/debian/patches/Disable-failing-virnetsockettest.patch b/debian/patches/Disable-failing-virnetsockettest.patch
index 3044ed5..a4d2a3b 100644
--- a/debian/patches/Disable-failing-virnetsockettest.patch
+++ b/debian/patches/Disable-failing-virnetsockettest.patch
@@ -7,11 +7,25 @@ until we debugged the interaction with pbuilder
  tests/virnetsockettest.c | 2 ++
  1 file changed, 2 insertions(+)
 
-diff --git a/tests/virnetsockettest.c b/tests/virnetsockettest.c
-index 5d91f26..1f283a3 100644
 --- a/tests/virnetsockettest.c
 +++ b/tests/virnetsockettest.c
-@@ -501,10 +501,12 @@ mymain(void)
+@@ -333,6 +333,7 @@ static int testSocketUNIXAddrs(const voi
+     return ret;
+ }
+ 
++#if 0
+ static int testSocketCommandNormal(const void *data ATTRIBUTE_UNUSED)
+ {
+     virNetSocketPtr csock = NULL; /* Client socket */
+@@ -383,6 +384,7 @@ static int testSocketCommandFail(const v
+     virObjectUnref(csock);
+     return ret;
+ }
++#endif
+ 
+ struct testSSHData {
+     const char *nodename;
+@@ -501,10 +503,12 @@ mymain(void)
      if (virtTestRun("Socket UNIX Addrs", testSocketUNIXAddrs, NULL) < 0)
          ret = -1;
  
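Review bot: The description block of Disable-failing-virnetsockettest.patch, visible in the context lines at the top of this hunk, still says "tests/virnetsockettest.c | 2 ++" and "1 file changed, 2 insertions(+)", but the patch now also inserts "#if 0" before testSocketCommandNormal and "#endif" after testSocketCommandFail, so that diffstat is stale. Refresh it, and extend the patch description to say that the two functions are compiled out only to satisfy -Werror=unused-function, so whoever re-enables the calls in mymain() knows to remove both guards together.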
-- 
2.1.4


From e9dd9c308dad6a9b023a4d78719b2761a94e33dc Mon Sep 17 00:00:00 2001
Message-Id: <e9dd9c308dad6a9b023a4d78719b2761a94e33dc.1457180803.git.hahn@univention.de>
In-Reply-To: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.hahn@univention.de>
References: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.hahn@univention.de>
From: Philipp Hahn <hahn@univention.de>
Date: Fri, 4 Mar 2016 14:41:06 +0100
Subject: [PATCH 4/6] FTBFS: Fix
 Report-original-error-when-QMP-probing-fails-with-ne.patch
Organization: Univention GmbH, Bremen, Germany

> ../../../tests/qemuhelptest.c
> ../../../tests/qemuhelptest.c: In function 'testHelpStrParsing':
> ../../../tests/qemuhelptest.c:131:1: error: invalid storage class for function 'mymain'
>  mymain(void)
>  ^
> ../../../tests/qemuhelptest.c: In function 'mymain':
> ../../../tests/qemuhelptest.c:133:9: error: declaration of 'ret' shadows a previous local [-Werror=shadow]
>      int ret = 0;
>          ^
> ../../../tests/qemuhelptest.c:47:9: error: shadowed declaration is here [-Werror=shadow]
>      int ret = -1;
>          ^

Remove trailing curly brace in patch without matching closing brace.
---
 .../upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch b/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
index 1f6dab7..2adc0db 100644
--- a/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
+++ b/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
@@ -176,7 +176,7 @@ index 975edf3..271fddc 100644
  
      if (virQEMUCapsParseHelpStr("QEMU", help, flags,
 -                                &version, &is_kvm, &kvm_version, false) == -1)
-+                                &version, &is_kvm, &kvm_version, false, NULL) == -1) {
++                                &version, &is_kvm, &kvm_version, false, NULL) == -1)
          goto cleanup;
  
  # ifndef WITH_YAJL
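Review bot: The corrected "+" line (the stray "{" after "== -1)" is dropped) is a hand edit to a file under debian/patches/upstream/, and nothing in that patch records whether the brace came from the Debian backport or from the upstream commit; add a line to the patch header saying so, so the upstream/ label stays trustworthy. The change replaces one added line with one added line, so the inner hunk's line counts remain valid and need no refresh.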
-- 
2.1.4


From 9e6d9e39a701aa8edce8aa870e0fd72a56508c7d Mon Sep 17 00:00:00 2001
Message-Id: <9e6d9e39a701aa8edce8aa870e0fd72a56508c7d.1457180803.git.hahn@univention.de>
In-Reply-To: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.hahn@univention.de>
References: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.hahn@univention.de>
From: Philipp Hahn <hahn@univention.de>
Date: Fri, 4 Mar 2016 11:52:01 +0100
Subject: [PATCH 5/6] libvirt-daemon: Expects qemu-bridge-helper in
 /usr/libexec/
Organization: Univention GmbH, Bremen, Germany

$ strings /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so |
grep bridge-helper
/usr/libexec/qemu-bridge-helper

$ dpkg -S bridge-helper
qemu-system-common: /usr/lib/qemu/qemu-bridge-helper

Closes: #816602
---
 debian/README.Debian                               | 12 +++++++
 .../debian/Debianize-bridge-helper-path.patch      | 42 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 55 insertions(+)
 create mode 100644 debian/patches/debian/Debianize-bridge-helper-path.patch

diff --git a/debian/README.Debian b/debian/README.Debian
index 0fa9358..0637b68 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -51,6 +51,18 @@ EOF
 This makes dnsmasq only bind to the loopback interface by default so libvirtd
 can handle the virtual bridges.
 
+Bridged network
+===============
+libvirt can use the qemu-bridge-helper to create bridged network interfaces for
+session domains. For this to work the helper must have the capability to create
+TUN/TAP devices or must have the SUID permission set.
+This can be done by running the following command as the user root:
+
+    setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper
+
+The allowed bridges must be configured in the file '/etc/qemu/bridge.conf'. For
+each bridge add a line like 'allow br0'.
+
 Access Control
 ==============
 Access to the libvirt managing tasks is controlled by PolicyKit. To ease
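Review bot: The new "Bridged network" section recommends "setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper" without saying who may then use the helper: with the file capability (or the SUID bit) set, the only restriction the text mentions is the 'allow br0' list in /etc/qemu/bridge.conf. Please add a sentence on limiting that, for example by restricting execute permission on the helper to a group, and state that bridge.conf should be writable by root only. It would also help to note whether the setting survives an upgrade of the package that ships the helper.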
diff --git a/debian/patches/debian/Debianize-bridge-helper-path.patch b/debian/patches/debian/Debianize-bridge-helper-path.patch
new file mode 100644
index 0000000..689741e
--- /dev/null
+++ b/debian/patches/debian/Debianize-bridge-helper-path.patch
@@ -0,0 +1,42 @@
+libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/
+
+$ strings /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so | grep bridge-helper
+/usr/libexec/qemu-bridge-helper
+
+$ dpkg -S bridge-helper
+qemu-system-common: /usr/lib/qemu/qemu-bridge-helper
+
+Closes #816602
+--- a/src/qemu/qemu.conf
++++ b/src/qemu/qemu.conf
+@@ -357,7 +357,7 @@
+ # is used to create <source type='bridge'> interfaces when libvirtd is
+ # running unprivileged.  libvirt invokes the helper directly, instead
+ # of using "-netdev bridge", for security reasons.
+-#bridge_helper = "/usr/libexec/qemu-bridge-helper"
++#bridge_helper = "/usr/lib/qemu/qemu-bridge-helper"
+ 
+ 
+ 
+--- a/src/qemu/qemu_conf.c
++++ b/src/qemu/qemu_conf.c
+@@ -244,7 +244,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf
+             goto error;
+     }
+ 
+-    if (VIR_STRDUP(cfg->bridgeHelperName, "/usr/libexec/qemu-bridge-helper") < 0)
++    if (VIR_STRDUP(cfg->bridgeHelperName, "/usr/lib/qemu/qemu-bridge-helper") < 0)
+         goto error;
+ 
+     cfg->clearEmulatorCapabilities = true;
+--- a/src/qemu/test_libvirtd_qemu.aug.in
++++ b/src/qemu/test_libvirtd_qemu.aug.in
+@@ -56,7 +56,7 @@ module Test_libvirtd_qemu =
+ { "auto_dump_bypass_cache" = "0" }
+ { "auto_start_bypass_cache" = "0" }
+ { "hugetlbfs_mount" = "/dev/hugepages" }
+-{ "bridge_helper" = "/usr/libexec/qemu-bridge-helper" }
++{ "bridge_helper" = "/usr/lib/qemu/qemu-bridge-helper" }
+ { "clear_emulator_capabilities" = "1" }
+ { "set_process_name" = "1" }
+ { "max_processes" = "0" }
diff --git a/debian/patches/series b/debian/patches/series
index 69667f6..7651164 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -32,3 +32,4 @@ Allow-access-to-libnl-3-config-files.patch
 Fix-crash-on-live-migration.patch
 upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
 security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch
+debian/Debianize-bridge-helper-path.patch
-- 
2.1.4


From 2a73851b96e0ea2fc1c9e5fc8c30dc7d92dbf6c4 Mon Sep 17 00:00:00 2001
Message-Id: <2a73851b96e0ea2fc1c9e5fc8c30dc7d92dbf6c4.1457180803.git.hahn@univention.de>
In-Reply-To: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.hahn@univention.de>
References: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.hahn@univention.de>
From: Philipp Hahn <hahn@univention.de>
Date: Fri, 4 Mar 2016 12:09:58 +0100
Subject: [PATCH 6/6] Document changes and release 1.2.9-9+deb8u1.1
Organization: Univention GmbH, Bremen, Germany

---
 debian/changelog | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 23da1b7..28f43d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+libvirt (1.2.9-9+deb8u2) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-5313 (Closes: #808273)
+  * libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/
+    (Closes: #816602)
+  * Fix several FTBFS errors
+
+ -- Philipp Matthias Hahn <pmhahn@debian.org>  Fri, 04 Mar 2016 12:01:36 +0100
+
 libvirt (1.2.9-9+deb8u1) jessie; urgency=medium
 
   [ Guido Günther ]
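Review bot: The new changelog stanza is versioned 1.2.9-9+deb8u2, but the subject of this patch says "release 1.2.9-9+deb8u1.1" and the bug title refers to 1.2.9-9+deb8u1; settle on one version before upload. The bullet "libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/" describes the bug rather than the change (the default path is switched to /usr/lib/qemu/), and "Fix several FTBFS errors" should list the three fixes from patches 2 to 4.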
-- 
2.1.4



--- End Message ---
--- Begin Message ---
Version: 8.4

Hi,

The packages referenced by these bugs were included in today's stable
point release.

Regards,

Adam

--- End Message ---
