
Re: libvirt / CVE-2019-3886



Hi,
On Mon, Apr 08, 2019 at 05:50:46PM +1000, Brian May wrote:
> Patch for Jessie version attached. Patch is applied by hand from
> https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html

I don't think this is needed for jessie since the corresponding function
in qemu was implemented in 4.8.0.

> I am a bit concerned this patch only patches the virDomainGetHostname
> function and not the virDomainGetTime function, while the tests (which I
> suspect are not run in the Debian build) appear to patch both. As such
> I suspect this might be incomplete as is.

qemuDomainGetTime is present in 1.2.9 and uses the guest agent so it's
affected as well. The corresponding virDomainGetTime has no read-only
check so this could be an issue (but should likely use a different
CVE). This was fixed upstream in

    506e9d6c2d4baaf580d489fff0690c0ff2ff588f

Cheers,
 -- Guido

> -- 
> Brian May <brian@linuxpenguins.xyz>
> https://linuxpenguins.xyz/brian/

> diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog
> --- libvirt-1.2.9/debian/changelog	2018-03-13 06:51:52.000000000 +1100
> +++ libvirt-1.2.9/debian/changelog	2019-04-08 17:29:21.000000000 +1000
> @@ -1,3 +1,11 @@
> +libvirt (1.2.9-9+deb8u6) jessie-security; urgency=high
> +
> +  * Non-maintainer upload by the LTS Team.
> +  * CVE-2019-3886: Ensure get hostname and get time RPC calls require write
> +    access.
> +
> + -- Brian May <bam@debian.org>  Mon, 08 Apr 2019 17:29:21 +1000
> +
>  libvirt (1.2.9-9+deb8u5) jessie-security; urgency=high
>  
>    * Switch gbp.conf to jessie
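
Review bot: The CVE-2019-3886 line in the new changelog entry claims that both the get hostname and the get time RPC calls now require write access, but the patch shipped in this upload treats the two differently: get hostname gets a read-only check in src/libvirt.c plus an ACL change, while get time only gets the ACL change in remote_protocol.x. Either bring the patch in line with the entry or reword the entry so it states exactly which calls are restricted and by which mechanism.
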
> diff -Nru libvirt-1.2.9/debian/patches/CVE-2019-3886.patch libvirt-1.2.9/debian/patches/CVE-2019-3886.patch
> --- libvirt-1.2.9/debian/patches/CVE-2019-3886.patch	1970-01-01 10:00:00.000000000 +1000
> +++ libvirt-1.2.9/debian/patches/CVE-2019-3886.patch	2019-04-08 17:29:08.000000000 +1000
> @@ -0,0 +1,31 @@
> +--- a/src/libvirt.c
> ++++ b/src/libvirt.c
> +@@ -20994,6 +20994,8 @@
> +     virResetLastError();
> + 
> +     virCheckDomainReturn(domain, NULL);
> ++    virCheckReadOnlyGoto(domain->conn->flags, error);
> ++
> +     conn = domain->conn;
> + 
> +     if (conn->driver->domainGetHostname) {
> +--- a/src/remote/remote_protocol.x
> ++++ b/src/remote/remote_protocol.x
> +@@ -5049,7 +5049,7 @@
> + 
> +     /**
> +      * @generate: both
> +-     * @acl: domain:read
> ++     * @acl: domain:write
> +      */
> +     REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,
> + 
> +@@ -5444,7 +5444,7 @@
> + 
> +     /**
> +      * @generate: none
> +-     * @acl: domain:read
> ++     * @acl: domain:write
> +      */
> +     REMOTE_PROC_DOMAIN_GET_TIME = 337,
> + 
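
Review bot: The read-only check is missing for get time. The src/libvirt.c part has a single hunk (at 20994, the function that dispatches to conn->driver->domainGetHostname), while remote_protocol.x raises the ACL for both REMOTE_PROC_DOMAIN_GET_HOSTNAME and REMOTE_PROC_DOMAIN_GET_TIME. A read-only connection is rejected by virCheckReadOnlyGoto in the public API function, not by the @acl annotation alone, so the public get time entry point should get the same "virCheckReadOnlyGoto(domain->conn->flags, error);" line after its virCheckDomainReturn call. Please also confirm that the patched function in 1.2.9 has an "error:" label, since it is not visible in the context lines, and add a patch header (description and origin) at the top of the file, which currently starts directly at "--- a/src/libvirt.c".
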
> diff -Nru libvirt-1.2.9/debian/patches/series libvirt-1.2.9/debian/patches/series
> --- libvirt-1.2.9/debian/patches/series	2018-03-13 06:00:35.000000000 +1100
> +++ libvirt-1.2.9/debian/patches/series	2019-04-08 17:25:13.000000000 +1000
> @@ -37,3 +37,4 @@
>  upstream/qemu-Specify-format-iff-disk-source-is-not-empty.patch
>  security/CVE-2018-5748-qemu-avoid-denial-of-service-reading-from-Q.patch
>  security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
> +CVE-2019-3886.patch
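
Review bot: The new series entry "CVE-2019-3886.patch" sits at the top level of debian/patches, while the two CVE patches listed directly above it live under security/ and carry a descriptive suffix. Suggest moving the file to security/ with a name in the same style and updating this line and the debian/patches path to match, so the security patches stay grouped.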