Re: libvirt / CVE-2019-3886
Hi,
On Mon, Apr 08, 2019 at 05:50:46PM +1000, Brian May wrote:
> Patch for Jessie version attached. Patch is applied by hand from
> https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
I don't think this is needed for jessie since the corresponding function
in qemu was implemented in 4.8.0.
> I am a bit concerned this patch only patches the virDomainGetHostname
> function and not the virDomainGetTime function, while the tests (which I
> suspect are not run in the Debian build) appear to patch both. As such
> I suspect this might be incomplete as is.
qemuDomainGetTime is present in 1.2.9 and uses the guest agent so it's
affected as well. The corresponding virDomainGetTime has no read-only
check so this could be an issue (but should likely use a different
CVE). This was upstream fixed in
506e9d6c2d4baaf580d489fff0690c0ff2ff588f
Cheers,
-- Guido
> --
> Brian May <brian@linuxpenguins.xyz>
> https://linuxpenguins.xyz/brian/
> diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog
> --- libvirt-1.2.9/debian/changelog 2018-03-13 06:51:52.000000000 +1100
> +++ libvirt-1.2.9/debian/changelog 2019-04-08 17:29:21.000000000 +1000
> @@ -1,3 +1,11 @@
> +libvirt (1.2.9-9+deb8u6) jessie-security; urgency=high
> +
> + * Non-maintainer upload by the LTS Team.
> + * CVE-2019-3886: Ensure get hostname and get time RPC calls require write
> + access.
> +
> + -- Brian May <bam@debian.org> Mon, 08 Apr 2019 17:29:21 +1000
> +
> libvirt (1.2.9-9+deb8u5) jessie-security; urgency=high
>
> * Switch gbp.conf to jessie
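Review bot: The entry's wording does not match what the patch in this upload actually does: it says both the get hostname and get time RPC calls now require write access, but the libvirt.c change only adds a read-only connection check to virDomainGetHostname, while the @acl annotation in remote_protocol.x is changed for both procedures. Either extend the client-side check to virDomainGetTime or narrow the entry to describe the change as shipped, and consider recording the upstream list post the patch was applied from.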
> diff -Nru libvirt-1.2.9/debian/patches/CVE-2019-3886.patch libvirt-1.2.9/debian/patches/CVE-2019-3886.patch
> --- libvirt-1.2.9/debian/patches/CVE-2019-3886.patch 1970-01-01 10:00:00.000000000 +1000
> +++ libvirt-1.2.9/debian/patches/CVE-2019-3886.patch 2019-04-08 17:29:08.000000000 +1000
> @@ -0,0 +1,31 @@
> +--- a/src/libvirt.c
> ++++ b/src/libvirt.c
> +@@ -20994,6 +20994,8 @@
> + virResetLastError();
> +
> + virCheckDomainReturn(domain, NULL);
> ++ virCheckReadOnlyGoto(domain->conn->flags, error);
> ++
> + conn = domain->conn;
> +
> + if (conn->driver->domainGetHostname) {
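Review bot: The read-only check is added only to virDomainGetHostname; there is no matching `virCheckReadOnlyGoto(domain->conn->flags, error);` in virDomainGetTime, even though REMOTE_PROC_DOMAIN_GET_TIME is switched to domain:write further down and the reply above notes that qemuDomainGetTime in 1.2.9 also goes through the guest agent. Add the same check after the corresponding virCheckDomainReturn in virDomainGetTime (the reply points at the upstream commit that did this separately), or state in the changelog that the client-side check for get time is still missing.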
> +--- a/src/remote/remote_protocol.x
> ++++ b/src/remote/remote_protocol.x
> +@@ -5049,7 +5049,7 @@
> +
> + /**
> + * @generate: both
> +- * @acl: domain:read
> ++ * @acl: domain:write
> + */
> + REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,
> +
> +@@ -5444,7 +5444,7 @@
> +
> + /**
> + * @generate: none
> +- * @acl: domain:read
> ++ * @acl: domain:write
> + */
> + REMOTE_PROC_DOMAIN_GET_TIME = 337,
> +
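Review bot: The new patch file has no DEP-3 header (Description:, Origin:) before `--- a/src/libvirt.c`; since it was applied by hand from the upstream list post named at the top of the mail, record that URL as Origin: and the CVE id in Description: so a later uploader can tell what this backport is and where it came from.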
> diff -Nru libvirt-1.2.9/debian/patches/series libvirt-1.2.9/debian/patches/series
> --- libvirt-1.2.9/debian/patches/series 2018-03-13 06:00:35.000000000 +1100
> +++ libvirt-1.2.9/debian/patches/series 2019-04-08 17:25:13.000000000 +1000
> @@ -37,3 +37,4 @@
> upstream/qemu-Specify-format-iff-disk-source-is-not-empty.patch
> security/CVE-2018-5748-qemu-avoid-denial-of-service-reading-from-Q.patch
> security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
> +CVE-2019-3886.patch
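Review bot: The existing security backports in series live under `security/` with a descriptive suffix (e.g. `security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch`); for consistency, add this one as `security/CVE-2019-3886-<short-description>.patch` and move the file in debian/patches to match.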