libvirt / CVE-2019-3886
Patch for Jessie version attached. Patch is applied by hand from
https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
I am a bit concerned this patch only patches the virDomainGetHostname
function and not the virDomainGetTime function, while the tests (which I
suspect are not run in the Debian build) appears to patch both. As such
I suspect this might be incomplete as is.
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog
--- libvirt-1.2.9/debian/changelog 2018-03-13 06:51:52.000000000 +1100
+++ libvirt-1.2.9/debian/changelog 2019-04-08 17:29:21.000000000 +1000
@@ -1,3 +1,11 @@
+libvirt (1.2.9-9+deb8u6) jessie-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2019-3886: Ensure get hostname and get time RPC calls require write
+ access.
+
+ -- Brian May <bam@debian.org> Mon, 08 Apr 2019 17:29:21 +1000
+
libvirt (1.2.9-9+deb8u5) jessie-security; urgency=high
* Switch gbp.conf to jessie
diff -Nru libvirt-1.2.9/debian/patches/CVE-2019-3886.patch libvirt-1.2.9/debian/patches/CVE-2019-3886.patch
--- libvirt-1.2.9/debian/patches/CVE-2019-3886.patch 1970-01-01 10:00:00.000000000 +1000
+++ libvirt-1.2.9/debian/patches/CVE-2019-3886.patch 2019-04-08 17:29:08.000000000 +1000
@@ -0,0 +1,31 @@
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -20994,6 +20994,8 @@
+ virResetLastError();
+
+ virCheckDomainReturn(domain, NULL);
++ virCheckReadOnlyGoto(domain->conn->flags, error);
++
+ conn = domain->conn;
+
+ if (conn->driver->domainGetHostname) {
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -5049,7 +5049,7 @@
+
+ /**
+ * @generate: both
+- * @acl: domain:read
++ * @acl: domain:write
+ */
+ REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,
+
+@@ -5444,7 +5444,7 @@
+
+ /**
+ * @generate: none
+- * @acl: domain:read
++ * @acl: domain:write
+ */
+ REMOTE_PROC_DOMAIN_GET_TIME = 337,
+
diff -Nru libvirt-1.2.9/debian/patches/series libvirt-1.2.9/debian/patches/series
--- libvirt-1.2.9/debian/patches/series 2018-03-13 06:00:35.000000000 +1100
+++ libvirt-1.2.9/debian/patches/series 2019-04-08 17:25:13.000000000 +1000
@@ -37,3 +37,4 @@
upstream/qemu-Specify-format-iff-disk-source-is-not-empty.patch
security/CVE-2018-5748-qemu-avoid-denial-of-service-reading-from-Q.patch
security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
+CVE-2019-3886.patch
Reply to: